luminosity | 92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665

General

Target

92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
Size

636KB
MD5

17628cbf75f6fc89f0c0722f13757908
SHA1

b4ce0d465640098c735c28435df8299ac2811f08
SHA256

92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665
SHA512

9eab2a295578ac65e16c6ed57653ab28d5dece664e20d84da97160c5fb9b35c888e357611b70faa1664d6e97800f55c64ef87c0ea50af6cf4530eac4cfac16e0
SSDEEP

6144:H96CO1VFnMjx2xicKEEyuaroAJDCbuj07IC1Q6YzP:Hev6sxffEyuAJDpzP

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

sysmon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	sysmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\909610\\sysmon.exe\""	sysmon.exe

Executes dropped EXE 2 IoCs

Processes:

sysmon.exesysmon.exe

pid process

4784 sysmon.exe
3768 sysmon.exe

pid	process
4784	sysmon.exe
3768	sysmon.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sysmon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor = "\"C:\\ProgramData\\909610\\sysmon.exe\""	sysmon.exe

Drops file in System32 directory 2 IoCs

Processes:

sysmon.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\clientsvr.exe sysmon.exe
File created C:\Windows\SysWOW64\clientsvr.exe sysmon.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	sysmon.exe
File created	C:\Windows\SysWOW64\clientsvr.exe	sysmon.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exesysmon.exe

description	pid	process	target process
PID 4612 set thread context of 4060	4612	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
PID 4784 set thread context of 3768	4784	sysmon.exe	sysmon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sysmon.exesysmon.exe92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe

pid	process
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
4784	sysmon.exe
4784	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
4612	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
4612	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
4060	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
4060	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe
3768	sysmon.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe

pid process

4060 92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe

pid	process
4060	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exesysmon.exesysmon.exe

description	pid	process
Token: SeDebugPrivilege	4612	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
Token: SeDebugPrivilege	4784	sysmon.exe
Token: SeDebugPrivilege	3768	sysmon.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

sysmon.exe

pid process

3768 sysmon.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exesysmon.exesysmon.exe

description	pid	process	target process
PID 4612 wrote to memory of 4060	4612	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
PID 4612 wrote to memory of 4060	4612	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
PID 4612 wrote to memory of 4060	4612	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
PID 4612 wrote to memory of 4060	4612	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
PID 4612 wrote to memory of 4060	4612	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
PID 4612 wrote to memory of 4060	4612	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
PID 4612 wrote to memory of 4060	4612	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
PID 4612 wrote to memory of 4060	4612	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
PID 4060 wrote to memory of 4784	4060	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe	sysmon.exe
PID 4060 wrote to memory of 4784	4060	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe	sysmon.exe
PID 4060 wrote to memory of 4784	4060	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe	sysmon.exe
PID 4784 wrote to memory of 3768	4784	sysmon.exe	sysmon.exe
PID 4784 wrote to memory of 3768	4784	sysmon.exe	sysmon.exe
PID 4784 wrote to memory of 3768	4784	sysmon.exe	sysmon.exe
PID 4784 wrote to memory of 3768	4784	sysmon.exe	sysmon.exe
PID 4784 wrote to memory of 3768	4784	sysmon.exe	sysmon.exe
PID 4784 wrote to memory of 3768	4784	sysmon.exe	sysmon.exe
PID 4784 wrote to memory of 3768	4784	sysmon.exe	sysmon.exe
PID 4784 wrote to memory of 3768	4784	sysmon.exe	sysmon.exe
PID 3768 wrote to memory of 4784	3768	sysmon.exe	sysmon.exe
PID 3768 wrote to memory of 4784	3768	sysmon.exe	sysmon.exe
PID 3768 wrote to memory of 4784	3768	sysmon.exe	sysmon.exe
PID 3768 wrote to memory of 4784	3768	sysmon.exe	sysmon.exe
PID 3768 wrote to memory of 4784	3768	sysmon.exe	sysmon.exe
PID 3768 wrote to memory of 4612	3768	sysmon.exe	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
PID 3768 wrote to memory of 4612	3768	sysmon.exe	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
PID 3768 wrote to memory of 4612	3768	sysmon.exe	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
PID 3768 wrote to memory of 4612	3768	sysmon.exe	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
PID 3768 wrote to memory of 4612	3768	sysmon.exe	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
PID 3768 wrote to memory of 4060	3768	sysmon.exe	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
PID 3768 wrote to memory of 4060	3768	sysmon.exe	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
PID 3768 wrote to memory of 4060	3768	sysmon.exe	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
PID 3768 wrote to memory of 4060	3768	sysmon.exe	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
PID 3768 wrote to memory of 4060	3768	sysmon.exe	92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe

C:\Users\Admin\AppData\Local\Temp\92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
"C:\Users\Admin\AppData\Local\Temp\92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Users\Admin\AppData\Local\Temp\92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe
  "C:\Users\Admin\AppData\Local\Temp\92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\ProgramData\909610\sysmon.exe
    "C:\ProgramData\909610\sysmon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\ProgramData\909610\sysmon.exe
      "C:\ProgramData\909610\sysmon.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\909610\sysmon.exe

Filesize
636KB

MD5
17628cbf75f6fc89f0c0722f13757908

SHA1
b4ce0d465640098c735c28435df8299ac2811f08

SHA256
92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665

SHA512
9eab2a295578ac65e16c6ed57653ab28d5dece664e20d84da97160c5fb9b35c888e357611b70faa1664d6e97800f55c64ef87c0ea50af6cf4530eac4cfac16e0

Download Submit
C:\ProgramData\909610\sysmon.exe

Filesize
636KB

MD5
17628cbf75f6fc89f0c0722f13757908

SHA1
b4ce0d465640098c735c28435df8299ac2811f08

SHA256
92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665

SHA512
9eab2a295578ac65e16c6ed57653ab28d5dece664e20d84da97160c5fb9b35c888e357611b70faa1664d6e97800f55c64ef87c0ea50af6cf4530eac4cfac16e0

Download Submit
C:\ProgramData\909610\sysmon.exe

Filesize
636KB

MD5
17628cbf75f6fc89f0c0722f13757908

SHA1
b4ce0d465640098c735c28435df8299ac2811f08

SHA256
92156ae0272dcfcca8321221edcca6661d73bba80e9fa2fcb91af82dd6901665

SHA512
9eab2a295578ac65e16c6ed57653ab28d5dece664e20d84da97160c5fb9b35c888e357611b70faa1664d6e97800f55c64ef87c0ea50af6cf4530eac4cfac16e0

Download Submit
memory/3768-153-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/3768-146-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/3768-143-0x0000000000000000-mapping.dmp

Download
memory/4060-156-0x00000000073F0000-0x0000000007407000-memory.dmp

Filesize
92KB

Download
memory/4060-137-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4060-136-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4060-155-0x00000000073F0000-0x0000000007407000-memory.dmp

Filesize
92KB

Download
memory/4060-154-0x00000000073F0000-0x0000000007407000-memory.dmp

Filesize
92KB

Download
memory/4060-135-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4060-134-0x0000000000000000-mapping.dmp

Download
memory/4060-157-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4612-151-0x0000000001710000-0x0000000001727000-memory.dmp

Filesize
92KB

Download
memory/4612-150-0x0000000001710000-0x0000000001727000-memory.dmp

Filesize
92KB

Download
memory/4612-132-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4612-152-0x0000000001710000-0x0000000001727000-memory.dmp

Filesize
92KB

Download
memory/4612-133-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4784-148-0x0000000005120000-0x0000000005137000-memory.dmp

Filesize
92KB

Download
memory/4784-149-0x0000000005120000-0x0000000005137000-memory.dmp

Filesize
92KB

Download
memory/4784-147-0x0000000005120000-0x0000000005137000-memory.dmp

Filesize
92KB

Download
memory/4784-142-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4784-141-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4784-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads