luminosity | b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
Size

211KB
MD5

70ac356f7a35095b81db2e5ea24d32e4
SHA1

bb78cd4a1e3ce5f0ae44f48eaf08821f7192affb
SHA256

b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041
SHA512

9f78ce67f018a3a37ee74406d8a27ffa15acc163f2ae2124ec4bac9ca78da796fd06ec3f929daa5c71d9334c4e17be93c348fb94f63c6a6919e0fbc2b876a95a
SSDEEP

3072:quzvHHAN35zVDpZSTh1OOMALIrCf2eiV6Lsf81g+BKF23pqgdr97ZRAQ/Odc6jmp:5s5zxG1M0ziV6zFBKF2ZN9tRJp

Score

10^/10

luminosity rat

Malware Config

Signatures

Luminosity 2 IoCs

Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

rat luminosity

pid	Process
2156	schtasks.exe
4232	schtasks.exe

Executes dropped EXE 1 IoCs

pid	Process
3760	sql_support.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	sql_support.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2300 set thread context of 2096	2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4232	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
3760	sql_support.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
3760	sql_support.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
3760	sql_support.exe
3760	sql_support.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
3760	sql_support.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
3760	sql_support.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
3760	sql_support.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
3760	sql_support.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
3760	sql_support.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
3760	sql_support.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
3760	sql_support.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
3760	sql_support.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
3760	sql_support.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
3760	sql_support.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
3760	sql_support.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
3760	sql_support.exe
2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
Token: SeDebugPrivilege	2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
Token: SeDebugPrivilege	3760	sql_support.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2096	RegAsm.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2156	2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	84
PID 2300 wrote to memory of 2156	2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	84
PID 2300 wrote to memory of 2156	2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	84
PID 2300 wrote to memory of 2096	2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	86
PID 2300 wrote to memory of 2096	2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	86
PID 2300 wrote to memory of 2096	2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	86
PID 2300 wrote to memory of 2096	2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	86
PID 2300 wrote to memory of 2096	2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	86
PID 2300 wrote to memory of 2096	2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	86
PID 2300 wrote to memory of 2096	2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	86
PID 2300 wrote to memory of 2096	2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	86
PID 2300 wrote to memory of 3760	2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	87
PID 2300 wrote to memory of 3760	2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	87
PID 2300 wrote to memory of 3760	2300	b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe	87
PID 3760 wrote to memory of 4232	3760	sql_support.exe	90
PID 3760 wrote to memory of 4232	3760	sql_support.exe	90
PID 3760 wrote to memory of 4232	3760	sql_support.exe	90

C:\Users\Admin\AppData\Local\Temp\b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe
"C:\Users\Admin\AppData\Local\Temp\b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\Helper" /XML "C:\Users\Admin\AppData\Local\Temp\aeeeee.xml"
  2⤵
  - Luminosity
  PID:2156
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\sql_support.exe
  "C:\Users\Admin\AppData\Local\Temp\sql_support.exe" -woohoo 2096 C:\Users\Admin\AppData\Local\Temp\helper.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Update\Helper" /XML "C:\Users\Admin\AppData\Local\Temp\aNNNNN.xml"
    3⤵
    - Luminosity
    - Creates scheduled task(s)
    PID:4232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aNNNNN.xml

Filesize
1KB

MD5
2b528468478337914fbb3373815850b0

SHA1
92bd572e6f6a80373b809265cf74d41e18d89b5f

SHA256
cb5ddc3928403e1bde600f00ad2187f314d5fc1e8824b8d250111e16e8bb5faf

SHA512
3c308b78681d992ebcbdf5f337d4f83ac97be8ef9730e727c4d4872d10b9115713082aa2cd22699c0df17d9809442888a85ed4d697933a93e7aec8360c5f896d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aeeeee.xml

Filesize
1KB

MD5
2b528468478337914fbb3373815850b0

SHA1
92bd572e6f6a80373b809265cf74d41e18d89b5f

SHA256
cb5ddc3928403e1bde600f00ad2187f314d5fc1e8824b8d250111e16e8bb5faf

SHA512
3c308b78681d992ebcbdf5f337d4f83ac97be8ef9730e727c4d4872d10b9115713082aa2cd22699c0df17d9809442888a85ed4d697933a93e7aec8360c5f896d

Download Submit
C:\Users\Admin\AppData\Local\Temp\helper.exe

Filesize
211KB

MD5
70ac356f7a35095b81db2e5ea24d32e4

SHA1
bb78cd4a1e3ce5f0ae44f48eaf08821f7192affb

SHA256
b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041

SHA512
9f78ce67f018a3a37ee74406d8a27ffa15acc163f2ae2124ec4bac9ca78da796fd06ec3f929daa5c71d9334c4e17be93c348fb94f63c6a6919e0fbc2b876a95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sql_support.exe

Filesize
211KB

MD5
70ac356f7a35095b81db2e5ea24d32e4

SHA1
bb78cd4a1e3ce5f0ae44f48eaf08821f7192affb

SHA256
b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041

SHA512
9f78ce67f018a3a37ee74406d8a27ffa15acc163f2ae2124ec4bac9ca78da796fd06ec3f929daa5c71d9334c4e17be93c348fb94f63c6a6919e0fbc2b876a95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sql_support.exe

Filesize
211KB

MD5
70ac356f7a35095b81db2e5ea24d32e4

SHA1
bb78cd4a1e3ce5f0ae44f48eaf08821f7192affb

SHA256
b05b37fd4ded25e37c1c886cd177df80a4e60866567fce74f1c817e2f6d04041

SHA512
9f78ce67f018a3a37ee74406d8a27ffa15acc163f2ae2124ec4bac9ca78da796fd06ec3f929daa5c71d9334c4e17be93c348fb94f63c6a6919e0fbc2b876a95a

Download Submit
memory/2096-136-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2096-138-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2096-143-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/2096-149-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/2300-132-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/2300-148-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/3760-144-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/3760-150-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download