luminosity | ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4

General

Target

ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
Size

276KB
MD5

34718d2fc0b6d1ba6e7808d8573c06c2
SHA1

de0b7cde81322b73dcba104360f3aa53778efd6e
SHA256

ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4
SHA512

05ffeeff9fb7f39651756ede3f8504e8e65e09b2dbbe8b41cc75628214c8b7b2384d63444a39dac3f32d73d45514b05626cffa56c48edbff804cc8f2a92a669a
SSDEEP

6144:oFnXtiLg8tIc4YDkm7vNyMMeO8bWzJj8trQbgBnUF:oFnXEkHcNTFM8bgSr8X

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

sysmon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	sysmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\708712\\sysmon.exe\""	sysmon.exe

Executes dropped EXE 2 IoCs

Processes:

sysmon.exesysmon.exe

pid process

1880 sysmon.exe
1824 sysmon.exe

pid	process
1880	sysmon.exe
1824	sysmon.exe

Loads dropped DLL 2 IoCs

Processes:

ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe

pid	process
1964	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
1964	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sysmon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor = "\"C:\\ProgramData\\708712\\sysmon.exe\""	sysmon.exe

Drops file in System32 directory 2 IoCs

Processes:

sysmon.exe

description ioc process

File created C:\Windows\SysWOW64\clientsvr.exe sysmon.exe
File opened for modification C:\Windows\SysWOW64\clientsvr.exe sysmon.exe

description	ioc	process
File created	C:\Windows\SysWOW64\clientsvr.exe	sysmon.exe
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	sysmon.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exesysmon.exe

description	pid	process	target process
PID 1496 set thread context of 1964	1496	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
PID 1880 set thread context of 1824	1880	sysmon.exe	sysmon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exesysmon.exe

pid	process
1496	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
1824	sysmon.exe
1824	sysmon.exe
1824	sysmon.exe
1824	sysmon.exe
1824	sysmon.exe
1496	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe

pid process

1964 ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exesysmon.exesysmon.exe

description	pid	process
Token: SeDebugPrivilege	1496	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
Token: SeDebugPrivilege	1880	sysmon.exe
Token: SeDebugPrivilege	1824	sysmon.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

sysmon.exe

pid process

1824 sysmon.exe

pid	process
1824	sysmon.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exeed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exesysmon.exesysmon.exe

description	pid	process	target process
PID 1496 wrote to memory of 1104	1496	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
PID 1496 wrote to memory of 1104	1496	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
PID 1496 wrote to memory of 1104	1496	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
PID 1496 wrote to memory of 1104	1496	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
PID 1496 wrote to memory of 1964	1496	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
PID 1496 wrote to memory of 1964	1496	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
PID 1496 wrote to memory of 1964	1496	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
PID 1496 wrote to memory of 1964	1496	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
PID 1496 wrote to memory of 1964	1496	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
PID 1496 wrote to memory of 1964	1496	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
PID 1496 wrote to memory of 1964	1496	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
PID 1496 wrote to memory of 1964	1496	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
PID 1496 wrote to memory of 1964	1496	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
PID 1964 wrote to memory of 1880	1964	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe	sysmon.exe
PID 1964 wrote to memory of 1880	1964	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe	sysmon.exe
PID 1964 wrote to memory of 1880	1964	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe	sysmon.exe
PID 1964 wrote to memory of 1880	1964	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe	sysmon.exe
PID 1880 wrote to memory of 1824	1880	sysmon.exe	sysmon.exe
PID 1880 wrote to memory of 1824	1880	sysmon.exe	sysmon.exe
PID 1880 wrote to memory of 1824	1880	sysmon.exe	sysmon.exe
PID 1880 wrote to memory of 1824	1880	sysmon.exe	sysmon.exe
PID 1880 wrote to memory of 1824	1880	sysmon.exe	sysmon.exe
PID 1880 wrote to memory of 1824	1880	sysmon.exe	sysmon.exe
PID 1880 wrote to memory of 1824	1880	sysmon.exe	sysmon.exe
PID 1880 wrote to memory of 1824	1880	sysmon.exe	sysmon.exe
PID 1880 wrote to memory of 1824	1880	sysmon.exe	sysmon.exe
PID 1824 wrote to memory of 1496	1824	sysmon.exe	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
PID 1824 wrote to memory of 1496	1824	sysmon.exe	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
PID 1824 wrote to memory of 1496	1824	sysmon.exe	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
PID 1824 wrote to memory of 1496	1824	sysmon.exe	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
PID 1824 wrote to memory of 1496	1824	sysmon.exe	ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe

C:\Users\Admin\AppData\Local\Temp\ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
"C:\Users\Admin\AppData\Local\Temp\ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Local\Temp\ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
  "C:\Users\Admin\AppData\Local\Temp\ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe"
  2⤵
  PID:1104
- C:\Users\Admin\AppData\Local\Temp\ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe
  "C:\Users\Admin\AppData\Local\Temp\ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\ProgramData\708712\sysmon.exe
    "C:\ProgramData\708712\sysmon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\ProgramData\708712\sysmon.exe
      "C:\ProgramData\708712\sysmon.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\708712\sysmon.exe

Filesize
276KB

MD5
34718d2fc0b6d1ba6e7808d8573c06c2

SHA1
de0b7cde81322b73dcba104360f3aa53778efd6e

SHA256
ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4

SHA512
05ffeeff9fb7f39651756ede3f8504e8e65e09b2dbbe8b41cc75628214c8b7b2384d63444a39dac3f32d73d45514b05626cffa56c48edbff804cc8f2a92a669a

Download Submit
C:\ProgramData\708712\sysmon.exe

Filesize
276KB

MD5
34718d2fc0b6d1ba6e7808d8573c06c2

SHA1
de0b7cde81322b73dcba104360f3aa53778efd6e

SHA256
ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4

SHA512
05ffeeff9fb7f39651756ede3f8504e8e65e09b2dbbe8b41cc75628214c8b7b2384d63444a39dac3f32d73d45514b05626cffa56c48edbff804cc8f2a92a669a

Download Submit
C:\ProgramData\708712\sysmon.exe

Filesize
276KB

MD5
34718d2fc0b6d1ba6e7808d8573c06c2

SHA1
de0b7cde81322b73dcba104360f3aa53778efd6e

SHA256
ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4

SHA512
05ffeeff9fb7f39651756ede3f8504e8e65e09b2dbbe8b41cc75628214c8b7b2384d63444a39dac3f32d73d45514b05626cffa56c48edbff804cc8f2a92a669a

Download Submit
\ProgramData\708712\sysmon.exe

Filesize
276KB

MD5
34718d2fc0b6d1ba6e7808d8573c06c2

SHA1
de0b7cde81322b73dcba104360f3aa53778efd6e

SHA256
ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4

SHA512
05ffeeff9fb7f39651756ede3f8504e8e65e09b2dbbe8b41cc75628214c8b7b2384d63444a39dac3f32d73d45514b05626cffa56c48edbff804cc8f2a92a669a

Download Submit
\ProgramData\708712\sysmon.exe

Filesize
276KB

MD5
34718d2fc0b6d1ba6e7808d8573c06c2

SHA1
de0b7cde81322b73dcba104360f3aa53778efd6e

SHA256
ed6430543467f03a94863f2f1244cee7221a556076f8514a95d279a65c8059a4

SHA512
05ffeeff9fb7f39651756ede3f8504e8e65e09b2dbbe8b41cc75628214c8b7b2384d63444a39dac3f32d73d45514b05626cffa56c48edbff804cc8f2a92a669a

Download Submit
memory/1496-99-0x0000000000480000-0x0000000000497000-memory.dmp

Filesize
92KB

Download
memory/1496-94-0x0000000000480000-0x0000000000497000-memory.dmp

Filesize
92KB

Download
memory/1496-93-0x0000000000480000-0x0000000000497000-memory.dmp

Filesize
92KB

Download
memory/1496-54-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/1496-69-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/1496-96-0x0000000000480000-0x0000000000497000-memory.dmp

Filesize
92KB

Download
memory/1496-102-0x0000000000480000-0x0000000000497000-memory.dmp

Filesize
92KB

Download
memory/1496-55-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/1824-91-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/1824-103-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/1824-84-0x000000000045CF0E-mapping.dmp

Download
memory/1880-92-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-77-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-73-0x0000000000000000-mapping.dmp

Download
memory/1964-70-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/1964-68-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/1964-66-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1964-64-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1964-62-0x000000000045CF0E-mapping.dmp

Download
memory/1964-61-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1964-59-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1964-57-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1964-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1964-104-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads