luminosity | 3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9

General

Target

3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9.exe
Size

365KB
MD5

257ba86a2263c16001d06f77e346ef86
SHA1

1068158a1d06ac36983fb1586680224dc16a57bc
SHA256

3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9
SHA512

a00c26236b71e61fd2b13710f8a64763b1bdf6199bc8a40ea9fe98a1c8fc8496fb83a5f0e04e029a049eb82dcd2c162ab782d27b9d4f8ad8db730f4f0d97d464
SSDEEP

6144:WXV+JnRQtCJmM+mKwYpzyAtmLbR9JWJW+lU3hJ272Ja2P4337MqjrEVGPjk7ngIk:eAROuRvEUla2P4brEyjk7ngYsP

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

scvhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\896709\\scvhost.exe\""	scvhost.exe

Executes dropped EXE 1 IoCs

Processes:

scvhost.exe

pid process

772 scvhost.exe

pid	process
772	scvhost.exe

Loads dropped DLL 2 IoCs

Processes:

3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9.exe

pid	process
1164	3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9.exe
1164	3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

scvhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Audio Manger = "\"C:\\ProgramData\\896709\\scvhost.exe\""	scvhost.exe

Drops file in System32 directory 2 IoCs

Processes:

scvhost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\clientsvr.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	scvhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

scvhost.exe

pid process

772 scvhost.exe
772 scvhost.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9.exe

pid process

1164 3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

scvhost.exe

description pid process

Token: SeDebugPrivilege 772 scvhost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

scvhost.exe

pid process

772 scvhost.exe

pid	process
772	scvhost.exe
772	scvhost.exe

description	pid	process
Token: SeDebugPrivilege	772	scvhost.exe

pid	process
772	scvhost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9.exe

description	pid	process	target process
PID 1164 wrote to memory of 772	1164	3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9.exe	scvhost.exe
PID 1164 wrote to memory of 772	1164	3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9.exe	scvhost.exe
PID 1164 wrote to memory of 772	1164	3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9.exe	scvhost.exe
PID 1164 wrote to memory of 772	1164	3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9.exe	scvhost.exe

C:\Users\Admin\AppData\Local\Temp\3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9.exe
"C:\Users\Admin\AppData\Local\Temp\3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1164
- C:\ProgramData\896709\scvhost.exe
  "C:\ProgramData\896709\scvhost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\896709\scvhost.exe

Filesize
365KB

MD5
257ba86a2263c16001d06f77e346ef86

SHA1
1068158a1d06ac36983fb1586680224dc16a57bc

SHA256
3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9

SHA512
a00c26236b71e61fd2b13710f8a64763b1bdf6199bc8a40ea9fe98a1c8fc8496fb83a5f0e04e029a049eb82dcd2c162ab782d27b9d4f8ad8db730f4f0d97d464

Download Submit
C:\ProgramData\896709\scvhost.exe

Filesize
365KB

MD5
257ba86a2263c16001d06f77e346ef86

SHA1
1068158a1d06ac36983fb1586680224dc16a57bc

SHA256
3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9

SHA512
a00c26236b71e61fd2b13710f8a64763b1bdf6199bc8a40ea9fe98a1c8fc8496fb83a5f0e04e029a049eb82dcd2c162ab782d27b9d4f8ad8db730f4f0d97d464

Download Submit
\ProgramData\896709\scvhost.exe

Filesize
365KB

MD5
257ba86a2263c16001d06f77e346ef86

SHA1
1068158a1d06ac36983fb1586680224dc16a57bc

SHA256
3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9

SHA512
a00c26236b71e61fd2b13710f8a64763b1bdf6199bc8a40ea9fe98a1c8fc8496fb83a5f0e04e029a049eb82dcd2c162ab782d27b9d4f8ad8db730f4f0d97d464

Download Submit
\ProgramData\896709\scvhost.exe

Filesize
365KB

MD5
257ba86a2263c16001d06f77e346ef86

SHA1
1068158a1d06ac36983fb1586680224dc16a57bc

SHA256
3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9

SHA512
a00c26236b71e61fd2b13710f8a64763b1bdf6199bc8a40ea9fe98a1c8fc8496fb83a5f0e04e029a049eb82dcd2c162ab782d27b9d4f8ad8db730f4f0d97d464

Download Submit
memory/772-59-0x0000000000000000-mapping.dmp

Download
memory/772-63-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/772-64-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/1164-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1164-55-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/1164-56-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/1164-65-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads