luminosity | 77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80 | Triage

Analysis

max time kernel
154s
max time network
192s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 09:35 UTC

Sharing

Report Analysis Logs

General

Target

77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe
Size

1.7MB
MD5

f6775963efac80285f8bd9ccf238e8e6
SHA1

c62b3116cd6be338f3a5c31c475440405971a213
SHA256

77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80
SHA512

2df6ae13a2fadbd56973423c47f2bf59e0eb6aa1e809ca0779d5b088b824eaf3625a0f4899f87df338cf8389f11374f29cac1aa589edca54f7d98329f920e86f
SSDEEP

49152:XdPemCeUjRvBvaBEDYlHQE4eZY9oB21V4z:N2tekRclwDAYakaz

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

Winlogon Helper DLL

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe\""	77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe

Executes dropped EXE 1 IoCs

pid	Process
1484	mysqldt.exe

Loads dropped DLL 2 IoCs

pid	Process
1868	77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe
1868	77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\MySQL = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe\""	77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\clientsvr.exe	77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task

pid	Process
268	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1868	77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1868	77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 268	1868	77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe	28
PID 1868 wrote to memory of 268	1868	77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe	28
PID 1868 wrote to memory of 268	1868	77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe	28
PID 1868 wrote to memory of 268	1868	77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe	28
PID 1868 wrote to memory of 1484	1868	77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe	31
PID 1868 wrote to memory of 1484	1868	77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe	31
PID 1868 wrote to memory of 1484	1868	77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe	31
PID 1868 wrote to memory of 1484	1868	77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe	31

C:\Users\Admin\AppData\Local\Temp\77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe
"C:\Users\Admin\AppData\Local\Temp\77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\mysqldt" /XML "C:\Users\Admin\AppData\Local\Temp\1471840762.xml"
  2⤵
  - Creates scheduled task(s)
  PID:268
- C:\ProgramData\683383\mysqldt.exe
  "C:\ProgramData\683383\mysqldt.exe"
  2⤵
  - Executes dropped EXE
  PID:1484

Network

DNS

filezilla41.myftp.biz

77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe

Remote address:

8.8.8.8:53

Request

filezilla41.myftp.biz

IN A

Response

filezilla41.myftp.biz

IN A

90.41.230.106

90.41.230.106:2357

filezilla41.myftp.biz

77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe

152 B
3
90.41.230.106:2357

filezilla41.myftp.biz

77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe

152 B
3

8.8.8.8:53

filezilla41.myftp.biz

dns

77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe

67 B
83 B
1
1

DNS Request

filezilla41.myftp.biz

DNS Response

90.41.230.106

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Winlogon Helper DLL

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\683383\mysqldt.exe

Filesize
1.7MB

MD5
f6775963efac80285f8bd9ccf238e8e6

SHA1
c62b3116cd6be338f3a5c31c475440405971a213

SHA256
77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80

SHA512
2df6ae13a2fadbd56973423c47f2bf59e0eb6aa1e809ca0779d5b088b824eaf3625a0f4899f87df338cf8389f11374f29cac1aa589edca54f7d98329f920e86f

Download Submit
C:\ProgramData\683383\mysqldt.exe

Filesize
1.7MB

MD5
f6775963efac80285f8bd9ccf238e8e6

SHA1
c62b3116cd6be338f3a5c31c475440405971a213

SHA256
77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80

SHA512
2df6ae13a2fadbd56973423c47f2bf59e0eb6aa1e809ca0779d5b088b824eaf3625a0f4899f87df338cf8389f11374f29cac1aa589edca54f7d98329f920e86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1471840762.xml

Filesize
1KB

MD5
069f1fcadee88a26d1e7a78f23c62e2a

SHA1
6b4e4f5a38e36187eb6da8a7464f770f583f72bb

SHA256
e35b77808582c3a354e60fe8cc99990a8a6ee34a246669c2a90da81f8a20c0a5

SHA512
6dc3475904dbabcf91f323a37eb4118f8d3ad86c28a719416df0868a24d137a0546c037752d579133a4740dd96e4bb3103c446b2d7613ba6734f7b2ce8cceb0a

Download Submit
\ProgramData\683383\mysqldt.exe

Filesize
1.7MB

MD5
f6775963efac80285f8bd9ccf238e8e6

SHA1
c62b3116cd6be338f3a5c31c475440405971a213

SHA256
77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80

SHA512
2df6ae13a2fadbd56973423c47f2bf59e0eb6aa1e809ca0779d5b088b824eaf3625a0f4899f87df338cf8389f11374f29cac1aa589edca54f7d98329f920e86f

Download Submit
\ProgramData\683383\mysqldt.exe

Filesize
1.7MB

MD5
f6775963efac80285f8bd9ccf238e8e6

SHA1
c62b3116cd6be338f3a5c31c475440405971a213

SHA256
77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80

SHA512
2df6ae13a2fadbd56973423c47f2bf59e0eb6aa1e809ca0779d5b088b824eaf3625a0f4899f87df338cf8389f11374f29cac1aa589edca54f7d98329f920e86f

Download Submit
memory/1484-65-0x0000000074230000-0x00000000747DB000-memory.dmp

Filesize
5.7MB

Download
memory/1868-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1868-55-0x0000000074230000-0x00000000747DB000-memory.dmp

Filesize
5.7MB

Download
memory/1868-56-0x0000000074230000-0x00000000747DB000-memory.dmp

Filesize
5.7MB

Download