luminosity | 13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731

General

Target

13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
Size

320KB
MD5

6c4bdfefea58c80aa75fbd60517771ee
SHA1

fc2b61c9d7d2e2a20aaf0efd7a7f6419608d0181
SHA256

13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731
SHA512

4bd68f43060082efb3858794eafb183acd6143184ee54f8c35055c7d7b6fafbbd5a42c7be532a10a317f9b67b0a32d8ccde08dabecdbdad7462012374d0db3e0
SSDEEP

6144:EKkdLgjO+EQT1XZqJWi+2NsQuM/L6R1RbKfmhH3TX82ZmhXIWgNkHbSO147qPsP:EKkVgjT5Zv2seuxK+hXT/Zm2CWO14mP+

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

sysmon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	sysmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\995290\\sysmon.exe\""	sysmon.exe

Executes dropped EXE 2 IoCs

Processes:

sysmon.exesysmon.exe

pid process

4772 sysmon.exe
2648 sysmon.exe

pid	process
4772	sysmon.exe
2648	sysmon.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sysmon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor = "\"C:\\ProgramData\\995290\\sysmon.exe\""	sysmon.exe

Drops file in System32 directory 2 IoCs

Processes:

sysmon.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\clientsvr.exe sysmon.exe
File created C:\Windows\SysWOW64\clientsvr.exe sysmon.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	sysmon.exe
File created	C:\Windows\SysWOW64\clientsvr.exe	sysmon.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exesysmon.exe

description	pid	process	target process
PID 4800 set thread context of 4972	4800	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
PID 4772 set thread context of 2648	4772	sysmon.exe	sysmon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sysmon.exe13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exesysmon.exe13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe

pid	process
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
4972	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
4972	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
4772	sysmon.exe
4772	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
4800	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
4800	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe
2648	sysmon.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe

pid process

4972 13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe

pid	process
4972	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exesysmon.exesysmon.exe

description	pid	process
Token: SeDebugPrivilege	4800	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
Token: SeDebugPrivilege	4772	sysmon.exe
Token: SeDebugPrivilege	2648	sysmon.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

sysmon.exe

pid process

2648 sysmon.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exesysmon.exesysmon.exe

description	pid	process	target process
PID 4800 wrote to memory of 4972	4800	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
PID 4800 wrote to memory of 4972	4800	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
PID 4800 wrote to memory of 4972	4800	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
PID 4800 wrote to memory of 4972	4800	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
PID 4800 wrote to memory of 4972	4800	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
PID 4800 wrote to memory of 4972	4800	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
PID 4800 wrote to memory of 4972	4800	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
PID 4800 wrote to memory of 4972	4800	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
PID 4972 wrote to memory of 4772	4972	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe	sysmon.exe
PID 4972 wrote to memory of 4772	4972	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe	sysmon.exe
PID 4972 wrote to memory of 4772	4972	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe	sysmon.exe
PID 4772 wrote to memory of 2648	4772	sysmon.exe	sysmon.exe
PID 4772 wrote to memory of 2648	4772	sysmon.exe	sysmon.exe
PID 4772 wrote to memory of 2648	4772	sysmon.exe	sysmon.exe
PID 4772 wrote to memory of 2648	4772	sysmon.exe	sysmon.exe
PID 4772 wrote to memory of 2648	4772	sysmon.exe	sysmon.exe
PID 4772 wrote to memory of 2648	4772	sysmon.exe	sysmon.exe
PID 4772 wrote to memory of 2648	4772	sysmon.exe	sysmon.exe
PID 4772 wrote to memory of 2648	4772	sysmon.exe	sysmon.exe
PID 2648 wrote to memory of 4972	2648	sysmon.exe	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
PID 2648 wrote to memory of 4972	2648	sysmon.exe	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
PID 2648 wrote to memory of 4972	2648	sysmon.exe	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
PID 2648 wrote to memory of 4972	2648	sysmon.exe	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
PID 2648 wrote to memory of 4972	2648	sysmon.exe	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
PID 2648 wrote to memory of 4772	2648	sysmon.exe	sysmon.exe
PID 2648 wrote to memory of 4772	2648	sysmon.exe	sysmon.exe
PID 2648 wrote to memory of 4772	2648	sysmon.exe	sysmon.exe
PID 2648 wrote to memory of 4772	2648	sysmon.exe	sysmon.exe
PID 2648 wrote to memory of 4772	2648	sysmon.exe	sysmon.exe
PID 2648 wrote to memory of 4800	2648	sysmon.exe	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
PID 2648 wrote to memory of 4800	2648	sysmon.exe	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
PID 2648 wrote to memory of 4800	2648	sysmon.exe	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
PID 2648 wrote to memory of 4800	2648	sysmon.exe	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
PID 2648 wrote to memory of 4800	2648	sysmon.exe	13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe

C:\Users\Admin\AppData\Local\Temp\13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
"C:\Users\Admin\AppData\Local\Temp\13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\AppData\Local\Temp\13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
  "C:\Users\Admin\AppData\Local\Temp\13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\ProgramData\995290\sysmon.exe
    "C:\ProgramData\995290\sysmon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4772
  - - C:\ProgramData\995290\sysmon.exe
      "C:\ProgramData\995290\sysmon.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\995290\sysmon.exe

Filesize
320KB

MD5
6c4bdfefea58c80aa75fbd60517771ee

SHA1
fc2b61c9d7d2e2a20aaf0efd7a7f6419608d0181

SHA256
13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731

SHA512
4bd68f43060082efb3858794eafb183acd6143184ee54f8c35055c7d7b6fafbbd5a42c7be532a10a317f9b67b0a32d8ccde08dabecdbdad7462012374d0db3e0

Download Submit
C:\ProgramData\995290\sysmon.exe

Filesize
320KB

MD5
6c4bdfefea58c80aa75fbd60517771ee

SHA1
fc2b61c9d7d2e2a20aaf0efd7a7f6419608d0181

SHA256
13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731

SHA512
4bd68f43060082efb3858794eafb183acd6143184ee54f8c35055c7d7b6fafbbd5a42c7be532a10a317f9b67b0a32d8ccde08dabecdbdad7462012374d0db3e0

Download Submit
C:\ProgramData\995290\sysmon.exe

Filesize
320KB

MD5
6c4bdfefea58c80aa75fbd60517771ee

SHA1
fc2b61c9d7d2e2a20aaf0efd7a7f6419608d0181

SHA256
13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731

SHA512
4bd68f43060082efb3858794eafb183acd6143184ee54f8c35055c7d7b6fafbbd5a42c7be532a10a317f9b67b0a32d8ccde08dabecdbdad7462012374d0db3e0

Download Submit
memory/2648-152-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2648-146-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2648-143-0x0000000000000000-mapping.dmp

Download
memory/4772-140-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/4772-137-0x0000000000000000-mapping.dmp

Download
memory/4772-142-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/4800-132-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/4800-133-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/4972-141-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/4972-136-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/4972-135-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4972-134-0x0000000000000000-mapping.dmp

Download
memory/4972-147-0x0000000006F50000-0x0000000006F67000-memory.dmp

Filesize
92KB

Download
memory/4972-148-0x0000000006F50000-0x0000000006F67000-memory.dmp

Filesize
92KB

Download
memory/4972-149-0x0000000006F50000-0x0000000006F67000-memory.dmp

Filesize
92KB

Download
memory/4972-153-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads