luminosity | b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041

Analysis

max time kernel
16s
max time network
21s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
Size

211KB
MD5

70ac356f7a35095b81db2e5ea24d32e4
SHA1

bb78cd4a1e3ce5f0ae44f48eaf08821f7192affb
SHA256

b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041
SHA512

9f78ce67f018a3a37ee74406d8a27ffa15acc163f2ae2124ec4bac9ca78da796fd06ec3f929daa5c71d9334c4e17be93c348fb94f63c6a6919e0fbc2b876a95a
SSDEEP

3072:quzvHHAN35zVDpZSTh1OOMALIrCf2eiV6Lsf81g+BKF23pqgdr97ZRAQ/Odc6jmp:5s5zxG1M0ziV6zFBKF2ZN9tRJp

Score

10^/10

luminosity rat

Malware Config

Signatures

Luminosity 2 IoCs

Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

rat luminosity

pid	Process
1680	schtasks.exe
1992	schtasks.exe

Executes dropped EXE 3 IoCs

pid	Process
668	sql_support.exe
840	helper.exe
1576	sql_support.exe

Loads dropped DLL 6 IoCs

pid	Process
1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
840	helper.exe
840	helper.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1464 set thread context of 1376	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	28
PID 840 set thread context of 1952	840	helper.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
840	helper.exe
840	helper.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
Token: SeDebugPrivilege	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
Token: SeDebugPrivilege	840	helper.exe
Token: SeDebugPrivilege	840	helper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1376	RegAsm.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1680	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	26
PID 1464 wrote to memory of 1680	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	26
PID 1464 wrote to memory of 1680	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	26
PID 1464 wrote to memory of 1680	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	26
PID 1464 wrote to memory of 1376	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	28
PID 1464 wrote to memory of 1376	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	28
PID 1464 wrote to memory of 1376	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	28
PID 1464 wrote to memory of 1376	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	28
PID 1464 wrote to memory of 1376	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	28
PID 1464 wrote to memory of 1376	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	28
PID 1464 wrote to memory of 1376	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	28
PID 1464 wrote to memory of 1376	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	28
PID 1464 wrote to memory of 1376	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	28
PID 1464 wrote to memory of 1376	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	28
PID 1464 wrote to memory of 1376	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	28
PID 1464 wrote to memory of 1376	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	28
PID 1464 wrote to memory of 668	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	29
PID 1464 wrote to memory of 668	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	29
PID 1464 wrote to memory of 668	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	29
PID 1464 wrote to memory of 668	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	29
PID 1464 wrote to memory of 840	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	31
PID 1464 wrote to memory of 840	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	31
PID 1464 wrote to memory of 840	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	31
PID 1464 wrote to memory of 840	1464	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	31
PID 840 wrote to memory of 1992	840	helper.exe	32
PID 840 wrote to memory of 1992	840	helper.exe	32
PID 840 wrote to memory of 1992	840	helper.exe	32
PID 840 wrote to memory of 1992	840	helper.exe	32
PID 840 wrote to memory of 1952	840	helper.exe	34
PID 840 wrote to memory of 1952	840	helper.exe	34
PID 840 wrote to memory of 1952	840	helper.exe	34
PID 840 wrote to memory of 1952	840	helper.exe	34
PID 840 wrote to memory of 1952	840	helper.exe	34
PID 840 wrote to memory of 1952	840	helper.exe	34
PID 840 wrote to memory of 1952	840	helper.exe	34
PID 840 wrote to memory of 1952	840	helper.exe	34
PID 840 wrote to memory of 1952	840	helper.exe	34
PID 840 wrote to memory of 1952	840	helper.exe	34
PID 840 wrote to memory of 1952	840	helper.exe	34
PID 840 wrote to memory of 1952	840	helper.exe	34
PID 840 wrote to memory of 1576	840	helper.exe	35
PID 840 wrote to memory of 1576	840	helper.exe	35
PID 840 wrote to memory of 1576	840	helper.exe	35
PID 840 wrote to memory of 1576	840	helper.exe	35

C:\Users\Admin\AppData\Local\Temp\b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
"C:\Users\Admin\AppData\Local\Temp\b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\Helper" /XML "C:\Users\Admin\AppData\Local\Temp\aLLLLL.xml"
  2⤵
  - Luminosity
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1376
- C:\Users\Admin\AppData\Local\Temp\sql_support.exe
  "C:\Users\Admin\AppData\Local\Temp\sql_support.exe" -woohoo 1376 C:\Users\Admin\AppData\Local\Temp\helper.exe
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Users\Admin\AppData\Local\Temp\helper.exe
  "C:\Users\Admin\AppData\Local\Temp\helper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Update\Helper" /XML "C:\Users\Admin\AppData\Local\Temp\aKKKKK.xml"
    3⤵
    - Luminosity
    - Creates scheduled task(s)
    PID:1992
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    PID:1952
- - C:\Users\Admin\AppData\Local\Temp\sql_support.exe
    "C:\Users\Admin\AppData\Local\Temp\sql_support.exe" -woohoo 1952 C:\Users\Admin\AppData\Local\Temp\helper.exe
    3⤵
    - Executes dropped EXE
    PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b3d7994e46846da549affe6ff4cc1dc0

SHA1
41e0b77261ecda2767eb7038afb5e66d4ef32e61

SHA256
476433c88fd0e23a9c70865d2ffd39d755bd18b4ff515fee4b8825726aa21e4b

SHA512
3da2cf7902baad0658cfbc2fecee89516e32ad8b11fd4c28c1f2a6931d0b5bd06827492f00e353c4e7b8e5c1bed10eaac695263c745d31035fc7355bedf09d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\aKKKKK.xml

Filesize
1KB

MD5
2b136f1ad2f3315279e517a632f542a4

SHA1
3ce73e6ef81a45df8c77b5aaf56a72f713144749

SHA256
696fb686cdbb4fe87189163de7f3422cebe6f76674975e6dd3504583d564b8e4

SHA512
92f5af41731e78bc5e0c01d8884f02665cbafafa93193240f7e6a32102d9a0d0ce749c2f970d96a4327479d8104221a0852a419c80d7b35653ad5e7ea02ee756

Download Submit
C:\Users\Admin\AppData\Local\Temp\aLLLLL.xml

Filesize
1KB

MD5
2b136f1ad2f3315279e517a632f542a4

SHA1
3ce73e6ef81a45df8c77b5aaf56a72f713144749

SHA256
696fb686cdbb4fe87189163de7f3422cebe6f76674975e6dd3504583d564b8e4

SHA512
92f5af41731e78bc5e0c01d8884f02665cbafafa93193240f7e6a32102d9a0d0ce749c2f970d96a4327479d8104221a0852a419c80d7b35653ad5e7ea02ee756

Download Submit
C:\Users\Admin\AppData\Local\Temp\helper.exe

Filesize
211KB

MD5
70ac356f7a35095b81db2e5ea24d32e4

SHA1
bb78cd4a1e3ce5f0ae44f48eaf08821f7192affb

SHA256
b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041

SHA512
9f78ce67f018a3a37ee74406d8a27ffa15acc163f2ae2124ec4bac9ca78da796fd06ec3f929daa5c71d9334c4e17be93c348fb94f63c6a6919e0fbc2b876a95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\helper.exe

Filesize
211KB

MD5
70ac356f7a35095b81db2e5ea24d32e4

SHA1
bb78cd4a1e3ce5f0ae44f48eaf08821f7192affb

SHA256
b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041

SHA512
9f78ce67f018a3a37ee74406d8a27ffa15acc163f2ae2124ec4bac9ca78da796fd06ec3f929daa5c71d9334c4e17be93c348fb94f63c6a6919e0fbc2b876a95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sql_support.exe

Filesize
211KB

MD5
70ac356f7a35095b81db2e5ea24d32e4

SHA1
bb78cd4a1e3ce5f0ae44f48eaf08821f7192affb

SHA256
b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041

SHA512
9f78ce67f018a3a37ee74406d8a27ffa15acc163f2ae2124ec4bac9ca78da796fd06ec3f929daa5c71d9334c4e17be93c348fb94f63c6a6919e0fbc2b876a95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sql_support.exe

Filesize
211KB

MD5
70ac356f7a35095b81db2e5ea24d32e4

SHA1
bb78cd4a1e3ce5f0ae44f48eaf08821f7192affb

SHA256
b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041

SHA512
9f78ce67f018a3a37ee74406d8a27ffa15acc163f2ae2124ec4bac9ca78da796fd06ec3f929daa5c71d9334c4e17be93c348fb94f63c6a6919e0fbc2b876a95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sql_support.exe

Filesize
211KB

MD5
70ac356f7a35095b81db2e5ea24d32e4

SHA1
bb78cd4a1e3ce5f0ae44f48eaf08821f7192affb

SHA256
b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041

SHA512
9f78ce67f018a3a37ee74406d8a27ffa15acc163f2ae2124ec4bac9ca78da796fd06ec3f929daa5c71d9334c4e17be93c348fb94f63c6a6919e0fbc2b876a95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sql_support.exe

Filesize
211KB

MD5
70ac356f7a35095b81db2e5ea24d32e4

SHA1
bb78cd4a1e3ce5f0ae44f48eaf08821f7192affb

SHA256
b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041

SHA512
9f78ce67f018a3a37ee74406d8a27ffa15acc163f2ae2124ec4bac9ca78da796fd06ec3f929daa5c71d9334c4e17be93c348fb94f63c6a6919e0fbc2b876a95a

Download Submit
\Users\Admin\AppData\Local\Temp\helper.exe

Filesize
211KB

MD5
70ac356f7a35095b81db2e5ea24d32e4

SHA1
bb78cd4a1e3ce5f0ae44f48eaf08821f7192affb

SHA256
b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041

SHA512
9f78ce67f018a3a37ee74406d8a27ffa15acc163f2ae2124ec4bac9ca78da796fd06ec3f929daa5c71d9334c4e17be93c348fb94f63c6a6919e0fbc2b876a95a

Download Submit
\Users\Admin\AppData\Local\Temp\helper.exe

Filesize
211KB

MD5
70ac356f7a35095b81db2e5ea24d32e4

SHA1
bb78cd4a1e3ce5f0ae44f48eaf08821f7192affb

SHA256
b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041

SHA512
9f78ce67f018a3a37ee74406d8a27ffa15acc163f2ae2124ec4bac9ca78da796fd06ec3f929daa5c71d9334c4e17be93c348fb94f63c6a6919e0fbc2b876a95a

Download Submit
\Users\Admin\AppData\Local\Temp\sql_support.exe

Filesize
211KB

MD5
70ac356f7a35095b81db2e5ea24d32e4

SHA1
bb78cd4a1e3ce5f0ae44f48eaf08821f7192affb

SHA256
b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041

SHA512
9f78ce67f018a3a37ee74406d8a27ffa15acc163f2ae2124ec4bac9ca78da796fd06ec3f929daa5c71d9334c4e17be93c348fb94f63c6a6919e0fbc2b876a95a

Download Submit
\Users\Admin\AppData\Local\Temp\sql_support.exe

Filesize
211KB

MD5
70ac356f7a35095b81db2e5ea24d32e4

SHA1
bb78cd4a1e3ce5f0ae44f48eaf08821f7192affb

SHA256
b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041

SHA512
9f78ce67f018a3a37ee74406d8a27ffa15acc163f2ae2124ec4bac9ca78da796fd06ec3f929daa5c71d9334c4e17be93c348fb94f63c6a6919e0fbc2b876a95a

Download Submit
\Users\Admin\AppData\Local\Temp\sql_support.exe

Filesize
211KB

MD5
70ac356f7a35095b81db2e5ea24d32e4

SHA1
bb78cd4a1e3ce5f0ae44f48eaf08821f7192affb

SHA256
b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041

SHA512
9f78ce67f018a3a37ee74406d8a27ffa15acc163f2ae2124ec4bac9ca78da796fd06ec3f929daa5c71d9334c4e17be93c348fb94f63c6a6919e0fbc2b876a95a

Download Submit
\Users\Admin\AppData\Local\Temp\sql_support.exe

Filesize
211KB

MD5
70ac356f7a35095b81db2e5ea24d32e4

SHA1
bb78cd4a1e3ce5f0ae44f48eaf08821f7192affb

SHA256
b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041

SHA512
9f78ce67f018a3a37ee74406d8a27ffa15acc163f2ae2124ec4bac9ca78da796fd06ec3f929daa5c71d9334c4e17be93c348fb94f63c6a6919e0fbc2b876a95a

Download Submit
memory/668-82-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/668-80-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/840-90-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1376-69-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1376-81-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1376-61-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1376-71-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1376-59-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1376-58-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1376-65-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1464-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1464-55-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1464-89-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download