luminosity | 1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb

General

Target

1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb.exe
Size

376KB
MD5

76acc4ecd7364620dad58e2b2e62caa9
SHA1

e5f84306eb1a7c9d780ac1752a95745c70682442
SHA256

1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb
SHA512

547066e5bfe500ab44c239f5d60cb9f24e3f49638c05a37c33585ca3f8cbbe3d74cd040dc2dc697a98af6b20b1880b01f6af568a70e8fd1a2682265c33327179
SSDEEP

6144:IT1lNGV5ofc3he+0oNtOk52Z0IOM7q58BXmVJpSTW:IT1lNGDJ30AnZFM7q+XwoTW

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	sysmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\866865\\sysmon.exe\""	sysmon.exe

Executes dropped EXE 4 IoCs

pid	Process
3996	sysmon.exe
4284	sysmon.exe
3272	sysmon.exe
4944	sysmon.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\System main = "\"C:\\ProgramData\\866865\\sysmon.exe\""	sysmon.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\clientsvr.exe	sysmon.exe
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	sysmon.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2228 set thread context of 768	2228	1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb.exe	83
PID 3996 set thread context of 4944	3996	sysmon.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3996	sysmon.exe
3996	sysmon.exe
3996	sysmon.exe
3996	sysmon.exe
4944	sysmon.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
768	1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb.exe
Token: SeDebugPrivilege	3996	sysmon.exe
Token: SeDebugPrivilege	4944	sysmon.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4944	sysmon.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 768	2228	1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb.exe	83
PID 2228 wrote to memory of 768	2228	1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb.exe	83
PID 2228 wrote to memory of 768	2228	1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb.exe	83
PID 2228 wrote to memory of 768	2228	1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb.exe	83
PID 2228 wrote to memory of 768	2228	1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb.exe	83
PID 2228 wrote to memory of 768	2228	1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb.exe	83
PID 2228 wrote to memory of 768	2228	1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb.exe	83
PID 2228 wrote to memory of 768	2228	1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb.exe	83
PID 768 wrote to memory of 3996	768	1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb.exe	85
PID 768 wrote to memory of 3996	768	1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb.exe	85
PID 768 wrote to memory of 3996	768	1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb.exe	85
PID 3996 wrote to memory of 4284	3996	sysmon.exe	95
PID 3996 wrote to memory of 4284	3996	sysmon.exe	95
PID 3996 wrote to memory of 4284	3996	sysmon.exe	95
PID 3996 wrote to memory of 3272	3996	sysmon.exe	96
PID 3996 wrote to memory of 3272	3996	sysmon.exe	96
PID 3996 wrote to memory of 3272	3996	sysmon.exe	96
PID 3996 wrote to memory of 4944	3996	sysmon.exe	97
PID 3996 wrote to memory of 4944	3996	sysmon.exe	97
PID 3996 wrote to memory of 4944	3996	sysmon.exe	97
PID 3996 wrote to memory of 4944	3996	sysmon.exe	97
PID 3996 wrote to memory of 4944	3996	sysmon.exe	97
PID 3996 wrote to memory of 4944	3996	sysmon.exe	97
PID 3996 wrote to memory of 4944	3996	sysmon.exe	97
PID 3996 wrote to memory of 4944	3996	sysmon.exe	97

C:\Users\Admin\AppData\Local\Temp\1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb.exe
"C:\Users\Admin\AppData\Local\Temp\1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb.exe
  "C:\Users\Admin\AppData\Local\Temp\1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\ProgramData\866865\sysmon.exe
    "C:\ProgramData\866865\sysmon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\ProgramData\866865\sysmon.exe
      "C:\ProgramData\866865\sysmon.exe"
      4⤵
      Executes dropped EXE
      PID:4284
  - - C:\ProgramData\866865\sysmon.exe
      "C:\ProgramData\866865\sysmon.exe"
      4⤵
      Executes dropped EXE
      PID:3272
  - - C:\ProgramData\866865\sysmon.exe
      "C:\ProgramData\866865\sysmon.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\866865\sysmon.exe

Filesize
376KB

MD5
76acc4ecd7364620dad58e2b2e62caa9

SHA1
e5f84306eb1a7c9d780ac1752a95745c70682442

SHA256
1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb

SHA512
547066e5bfe500ab44c239f5d60cb9f24e3f49638c05a37c33585ca3f8cbbe3d74cd040dc2dc697a98af6b20b1880b01f6af568a70e8fd1a2682265c33327179

Download Submit
C:\ProgramData\866865\sysmon.exe

Filesize
376KB

MD5
76acc4ecd7364620dad58e2b2e62caa9

SHA1
e5f84306eb1a7c9d780ac1752a95745c70682442

SHA256
1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb

SHA512
547066e5bfe500ab44c239f5d60cb9f24e3f49638c05a37c33585ca3f8cbbe3d74cd040dc2dc697a98af6b20b1880b01f6af568a70e8fd1a2682265c33327179

Download Submit
C:\ProgramData\866865\sysmon.exe

Filesize
376KB

MD5
76acc4ecd7364620dad58e2b2e62caa9

SHA1
e5f84306eb1a7c9d780ac1752a95745c70682442

SHA256
1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb

SHA512
547066e5bfe500ab44c239f5d60cb9f24e3f49638c05a37c33585ca3f8cbbe3d74cd040dc2dc697a98af6b20b1880b01f6af568a70e8fd1a2682265c33327179

Download Submit
C:\ProgramData\866865\sysmon.exe

Filesize
376KB

MD5
76acc4ecd7364620dad58e2b2e62caa9

SHA1
e5f84306eb1a7c9d780ac1752a95745c70682442

SHA256
1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb

SHA512
547066e5bfe500ab44c239f5d60cb9f24e3f49638c05a37c33585ca3f8cbbe3d74cd040dc2dc697a98af6b20b1880b01f6af568a70e8fd1a2682265c33327179

Download Submit
C:\ProgramData\866865\sysmon.exe

Filesize
376KB

MD5
76acc4ecd7364620dad58e2b2e62caa9

SHA1
e5f84306eb1a7c9d780ac1752a95745c70682442

SHA256
1ec721c2255fef99fd89db61e8d4de5e3e125e298a62a128f5017bf4ba0ca2fb

SHA512
547066e5bfe500ab44c239f5d60cb9f24e3f49638c05a37c33585ca3f8cbbe3d74cd040dc2dc697a98af6b20b1880b01f6af568a70e8fd1a2682265c33327179

Download Submit
memory/768-136-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/768-137-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/768-135-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2228-133-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/2228-132-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/3996-141-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/3996-142-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/4944-150-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/4944-151-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads