luminosity | 388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677

Analysis

max time kernel
150s
max time network
99s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe
Size

274KB
MD5

5b1b1c32c1f2a01b8eba0005d8f28c78
SHA1

2d1e522e37c1c951e73081834126bf432ca2f74c
SHA256

388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677
SHA512

57e9b4db7d0bb3ce0e16296f03d84a4aa22b3ef60d435c0930398c8e21e916d746a3971a698fdeed0b09c94767f33a968069f5c7432cbc300affbba03a6b203e
SSDEEP

6144:jr7fCNFvumQBgonmJaLo/+/+YXuYlswS9MvODqFXTzSNYVhW:jvfIIBgkS/+mE2vpqQNy

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\819753\\lsass.exe\""	lsass.exe

Executes dropped EXE 2 IoCs

pid	Process
572	lsass.exe
1292	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
1672	388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe
1672	388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Local Security Authority Process = "\"C:\\ProgramData\\819753\\lsass.exe\""	lsass.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	lsass.exe
File created	C:\Windows\SysWOW64\clientsvr.exe	lsass.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1488 set thread context of 1672	1488	388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe	26
PID 572 set thread context of 1292	572	lsass.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1292	lsass.exe
1292	lsass.exe
1292	lsass.exe
1292	lsass.exe
1292	lsass.exe
1488	388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1672	388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe
Token: SeDebugPrivilege	572	lsass.exe
Token: SeDebugPrivilege	1292	lsass.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1292	lsass.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1672	1488	388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe	26
PID 1488 wrote to memory of 1672	1488	388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe	26
PID 1488 wrote to memory of 1672	1488	388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe	26
PID 1488 wrote to memory of 1672	1488	388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe	26
PID 1488 wrote to memory of 1672	1488	388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe	26
PID 1488 wrote to memory of 1672	1488	388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe	26
PID 1488 wrote to memory of 1672	1488	388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe	26
PID 1488 wrote to memory of 1672	1488	388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe	26
PID 1488 wrote to memory of 1672	1488	388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe	26
PID 1672 wrote to memory of 572	1672	388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe	28
PID 1672 wrote to memory of 572	1672	388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe	28
PID 1672 wrote to memory of 572	1672	388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe	28
PID 1672 wrote to memory of 572	1672	388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe	28
PID 572 wrote to memory of 1292	572	lsass.exe	29
PID 572 wrote to memory of 1292	572	lsass.exe	29
PID 572 wrote to memory of 1292	572	lsass.exe	29
PID 572 wrote to memory of 1292	572	lsass.exe	29
PID 572 wrote to memory of 1292	572	lsass.exe	29
PID 572 wrote to memory of 1292	572	lsass.exe	29
PID 572 wrote to memory of 1292	572	lsass.exe	29
PID 572 wrote to memory of 1292	572	lsass.exe	29
PID 572 wrote to memory of 1292	572	lsass.exe	29
PID 1292 wrote to memory of 1488	1292	lsass.exe	25
PID 1292 wrote to memory of 1488	1292	lsass.exe	25
PID 1292 wrote to memory of 1488	1292	lsass.exe	25
PID 1292 wrote to memory of 1488	1292	lsass.exe	25
PID 1292 wrote to memory of 1488	1292	lsass.exe	25

C:\Users\Admin\AppData\Local\Temp\388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe
"C:\Users\Admin\AppData\Local\Temp\388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe
  "C:\Users\Admin\AppData\Local\Temp\388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\ProgramData\819753\lsass.exe
    "C:\ProgramData\819753\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\ProgramData\819753\lsass.exe
      "C:\ProgramData\819753\lsass.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\819753\lsass.exe

Filesize
274KB

MD5
5b1b1c32c1f2a01b8eba0005d8f28c78

SHA1
2d1e522e37c1c951e73081834126bf432ca2f74c

SHA256
388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677

SHA512
57e9b4db7d0bb3ce0e16296f03d84a4aa22b3ef60d435c0930398c8e21e916d746a3971a698fdeed0b09c94767f33a968069f5c7432cbc300affbba03a6b203e

Download Submit
C:\ProgramData\819753\lsass.exe

Filesize
274KB

MD5
5b1b1c32c1f2a01b8eba0005d8f28c78

SHA1
2d1e522e37c1c951e73081834126bf432ca2f74c

SHA256
388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677

SHA512
57e9b4db7d0bb3ce0e16296f03d84a4aa22b3ef60d435c0930398c8e21e916d746a3971a698fdeed0b09c94767f33a968069f5c7432cbc300affbba03a6b203e

Download Submit
C:\ProgramData\819753\lsass.exe

Filesize
274KB

MD5
5b1b1c32c1f2a01b8eba0005d8f28c78

SHA1
2d1e522e37c1c951e73081834126bf432ca2f74c

SHA256
388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677

SHA512
57e9b4db7d0bb3ce0e16296f03d84a4aa22b3ef60d435c0930398c8e21e916d746a3971a698fdeed0b09c94767f33a968069f5c7432cbc300affbba03a6b203e

Download Submit
\ProgramData\819753\lsass.exe

Filesize
274KB

MD5
5b1b1c32c1f2a01b8eba0005d8f28c78

SHA1
2d1e522e37c1c951e73081834126bf432ca2f74c

SHA256
388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677

SHA512
57e9b4db7d0bb3ce0e16296f03d84a4aa22b3ef60d435c0930398c8e21e916d746a3971a698fdeed0b09c94767f33a968069f5c7432cbc300affbba03a6b203e

Download Submit
\ProgramData\819753\lsass.exe

Filesize
274KB

MD5
5b1b1c32c1f2a01b8eba0005d8f28c78

SHA1
2d1e522e37c1c951e73081834126bf432ca2f74c

SHA256
388ff1a07a3e57fb51f2a7e4668e93087e256d7d456c485bf0483a30566f8677

SHA512
57e9b4db7d0bb3ce0e16296f03d84a4aa22b3ef60d435c0930398c8e21e916d746a3971a698fdeed0b09c94767f33a968069f5c7432cbc300affbba03a6b203e

Download Submit
memory/572-92-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/572-77-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/1292-94-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/1292-91-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/1488-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1488-55-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/1488-56-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/1672-58-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1672-76-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/1672-57-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1672-60-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1672-62-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1672-67-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1672-65-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1672-93-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/1672-69-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download