luminosity | 42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90

General

Target

42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe
Size

594KB
MD5

ee5efbffb2b92cd6414f070bdbe9525e
SHA1

8c5ede4793a16898d44b47314a68bd5b70e2177c
SHA256

42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90
SHA512

78eeeebd2bd362d65e908595b1c91415e74fbd0087e566f760f038d79c50050d95961fd0da6f5b75aa92468ac64af29b6f53127fe9d10863cfc3556bf0ddce8c
SSDEEP

12288:85OiajewcaC3K/al98M2BN3mA/+QnQmuF4PsWhQzRwlpWfuMq7YsyHScppW4Lk2z:85Oiajewc53K/al98M2BN3V/+QnQmuFj

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

helper.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	helper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\604700\\helper.exe\""	helper.exe

Executes dropped EXE 2 IoCs

Processes:

helper.exehelper.exe

pid process

1632 helper.exe
1808 helper.exe

pid	process
1632	helper.exe
1808	helper.exe

Loads dropped DLL 2 IoCs

Processes:

42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe

pid	process
768	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe
768	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

helper.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Computer Helper = "\"C:\\ProgramData\\604700\\helper.exe\""	helper.exe

Drops file in System32 directory 2 IoCs

Processes:

helper.exe

description ioc process

File created C:\Windows\SysWOW64\clientsvr.exe helper.exe
File opened for modification C:\Windows\SysWOW64\clientsvr.exe helper.exe

description	ioc	process
File created	C:\Windows\SysWOW64\clientsvr.exe	helper.exe
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	helper.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exehelper.exe

description	pid	process	target process
PID 1956 set thread context of 768	1956	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe
PID 1632 set thread context of 1808	1632	helper.exe	helper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

helper.exe

pid process

1808 helper.exe
1808 helper.exe
1808 helper.exe
1808 helper.exe
1808 helper.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe

pid process

768 42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

helper.exe

description pid process

Token: SeDebugPrivilege 1808 helper.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

helper.exe

pid process

1808 helper.exe

pid	process
1808	helper.exe
1808	helper.exe
1808	helper.exe
1808	helper.exe
1808	helper.exe

description	pid	process
Token: SeDebugPrivilege	1808	helper.exe

pid	process
1808	helper.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exehelper.exe

description	pid	process	target process
PID 1956 wrote to memory of 768	1956	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe
PID 1956 wrote to memory of 768	1956	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe
PID 1956 wrote to memory of 768	1956	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe
PID 1956 wrote to memory of 768	1956	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe
PID 1956 wrote to memory of 768	1956	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe
PID 1956 wrote to memory of 768	1956	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe
PID 1956 wrote to memory of 768	1956	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe
PID 1956 wrote to memory of 768	1956	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe
PID 1956 wrote to memory of 768	1956	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe
PID 768 wrote to memory of 1632	768	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe	helper.exe
PID 768 wrote to memory of 1632	768	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe	helper.exe
PID 768 wrote to memory of 1632	768	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe	helper.exe
PID 768 wrote to memory of 1632	768	42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe	helper.exe
PID 1632 wrote to memory of 1808	1632	helper.exe	helper.exe
PID 1632 wrote to memory of 1808	1632	helper.exe	helper.exe
PID 1632 wrote to memory of 1808	1632	helper.exe	helper.exe
PID 1632 wrote to memory of 1808	1632	helper.exe	helper.exe
PID 1632 wrote to memory of 1808	1632	helper.exe	helper.exe
PID 1632 wrote to memory of 1808	1632	helper.exe	helper.exe
PID 1632 wrote to memory of 1808	1632	helper.exe	helper.exe
PID 1632 wrote to memory of 1808	1632	helper.exe	helper.exe
PID 1632 wrote to memory of 1808	1632	helper.exe	helper.exe

C:\Users\Admin\AppData\Local\Temp\42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe
"C:\Users\Admin\AppData\Local\Temp\42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe
  "C:\Users\Admin\AppData\Local\Temp\42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\ProgramData\604700\helper.exe
    "C:\ProgramData\604700\helper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\ProgramData\604700\helper.exe
      "C:\ProgramData\604700\helper.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\604700\helper.exe

Filesize
594KB

MD5
ee5efbffb2b92cd6414f070bdbe9525e

SHA1
8c5ede4793a16898d44b47314a68bd5b70e2177c

SHA256
42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90

SHA512
78eeeebd2bd362d65e908595b1c91415e74fbd0087e566f760f038d79c50050d95961fd0da6f5b75aa92468ac64af29b6f53127fe9d10863cfc3556bf0ddce8c

Download Submit
C:\ProgramData\604700\helper.exe

Filesize
594KB

MD5
ee5efbffb2b92cd6414f070bdbe9525e

SHA1
8c5ede4793a16898d44b47314a68bd5b70e2177c

SHA256
42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90

SHA512
78eeeebd2bd362d65e908595b1c91415e74fbd0087e566f760f038d79c50050d95961fd0da6f5b75aa92468ac64af29b6f53127fe9d10863cfc3556bf0ddce8c

Download Submit
C:\ProgramData\604700\helper.exe

Filesize
594KB

MD5
ee5efbffb2b92cd6414f070bdbe9525e

SHA1
8c5ede4793a16898d44b47314a68bd5b70e2177c

SHA256
42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90

SHA512
78eeeebd2bd362d65e908595b1c91415e74fbd0087e566f760f038d79c50050d95961fd0da6f5b75aa92468ac64af29b6f53127fe9d10863cfc3556bf0ddce8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a542d3337766d1c5f3864add1e8af7a2

SHA1
a716bdf979d54965c282355d1b156b980ec8d3c6

SHA256
c9a59bf50facf7cac14bbc770d3fb91a2a4b558b56b579d1df954054cda91f02

SHA512
eaa97710e0e1160fc7af69b6fe6c71fd15278339726e4cbc2ba432722fa5b37d9feec8a4023e8a18ecdf8351c64f5f8659ec17ecd39d7e627fbaa004a1c41208

Download Submit
\ProgramData\604700\helper.exe

Filesize
594KB

MD5
ee5efbffb2b92cd6414f070bdbe9525e

SHA1
8c5ede4793a16898d44b47314a68bd5b70e2177c

SHA256
42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90

SHA512
78eeeebd2bd362d65e908595b1c91415e74fbd0087e566f760f038d79c50050d95961fd0da6f5b75aa92468ac64af29b6f53127fe9d10863cfc3556bf0ddce8c

Download Submit
\ProgramData\604700\helper.exe

Filesize
594KB

MD5
ee5efbffb2b92cd6414f070bdbe9525e

SHA1
8c5ede4793a16898d44b47314a68bd5b70e2177c

SHA256
42c07f1fb6d60e2b206b7085e61b337f1c41bb41608801419fd91ce8b4fb8d90

SHA512
78eeeebd2bd362d65e908595b1c91415e74fbd0087e566f760f038d79c50050d95961fd0da6f5b75aa92468ac64af29b6f53127fe9d10863cfc3556bf0ddce8c

Download Submit
memory/768-59-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/768-99-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/768-67-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/768-70-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/768-72-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/768-65-0x000000000045CF0E-mapping.dmp

Download
memory/768-63-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/768-57-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/768-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/768-101-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1632-75-0x0000000000000000-mapping.dmp

Download
memory/1632-80-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1632-93-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1808-90-0x000000000045CF0E-mapping.dmp

Download
memory/1808-98-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1808-100-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1956-68-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-55-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads