luminosity | 9a20c73aa2e63089ca6fbd0ea29f16634e25a7d02763413dd9cbfbf558068ce9

General

Target

1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
Size

825KB
MD5

30316fe7b005a9290642487257f5d272
SHA1

9853434d6fd84e02caf658b3df7ec9c67f706df4
SHA256

1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d
SHA512

d62e86094c9468edea83e2f506c970fe51c29d09f3c893a1233828e277d76278842de0f9737ab6dbe467e979da709a34f78ea5006d54bc2e2e9100e56fa62613
SSDEEP

24576:UEqUtbqFIaESpE8uhmTapaUZoluIaxrwiS2:UVUt5XS4cUZo0zr62

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity 2 IoCs
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Processes:

1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exeschtasks.exe

description ioc process

File opened for modification C:\Windows\ 1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
3656 schtasks.exe

description	ioc	process
File opened for modification	C:\Windows\	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
3656	schtasks.exe

Loads dropped DLL 3 IoCs

Processes:

1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

pid	process
4888	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4888	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4888	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "\"C:\\Program Files (x86)\\Client\\client.exe\" -a /a"	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

description	pid	process	target process
PID 4888 set thread context of 4748	4888	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 4748 set thread context of 4240	4748	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

Drops file in Program Files directory 2 IoCs

Processes:

1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

description	ioc	process
File created	C:\Program Files (x86)\Client\client.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
File opened for modification	C:\Program Files (x86)\Client\client.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

Drops file in Windows directory 1 IoCs

Processes:

1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

description ioc process

File opened for modification C:\Windows\ 1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3656 schtasks.exe

description	ioc	process
File opened for modification	C:\Windows\	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

pid	process
3656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

pid	process
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

description pid process

Token: SeDebugPrivilege 4240 1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

pid process

4240 1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

description	pid	process
Token: SeDebugPrivilege	4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

C:\Users\Admin\AppData\Local\Temp\1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
"C:\Users\Admin\AppData\Local\Temp\1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe"
1⤵
- Luminosity
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4888

C:\Users\Admin\AppData\Local\Temp\1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
"C:\Users\Admin\AppData\Local\Temp\1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4748

C:\Users\Admin\AppData\Local\Temp\1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
"C:\Users\Admin\AppData\Local\Temp\1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe"
3⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc onlogon /tn "Client Monitor" /rl highest /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f
4⤵
- Luminosity
- Creates scheduled task(s)
PID:3656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsj86AA.tmp\System.dll
Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
C:\Users\Admin\AppData\Roaming\IP.dll
Filesize
85KB

MD5
3ce12db61d191b38ecedfee86120698a

SHA1
1712a069b6a6824cc60ec52c073ba1475854e640

SHA256
e0fcb0b7da1c78124836b7fdd521bb4978a784c56613f807d17de905320df443

SHA512
91d988a69188ed371916e0d096bd165c95f7ae991d2e8113646475226c579ed59a5d4cde6d7189ce72dbde973bd1206974185c1e3449a7ec220b8f47cf3ddbb6

Download Submit
C:\Users\Admin\AppData\Roaming\IP.dll
Filesize
85KB

MD5
3ce12db61d191b38ecedfee86120698a

SHA1
1712a069b6a6824cc60ec52c073ba1475854e640

SHA256
e0fcb0b7da1c78124836b7fdd521bb4978a784c56613f807d17de905320df443

SHA512
91d988a69188ed371916e0d096bd165c95f7ae991d2e8113646475226c579ed59a5d4cde6d7189ce72dbde973bd1206974185c1e3449a7ec220b8f47cf3ddbb6

Download Submit
memory/3656-151-0x0000000000000000-mapping.dmp

Download
memory/4240-147-0x0000000000402000-0x0000000000472C00-memory.dmp

Filesize
451KB

Download
memory/4240-145-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/4240-150-0x0000000074400000-0x00000000749B1000-memory.dmp

Filesize
5.7MB

Download
memory/4240-140-0x0000000000000000-mapping.dmp

Download
memory/4240-141-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/4240-143-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/4240-144-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/4240-149-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/4240-148-0x0000000074400000-0x00000000749B1000-memory.dmp

Filesize
5.7MB

Download
memory/4240-146-0x0000000000402000-0x0000000000472C00-memory.dmp

Filesize
451KB

Download
memory/4748-136-0x0000000000000000-mapping.dmp

Download
memory/4748-137-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4748-139-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4888-135-0x00000000029C0000-0x00000000029DB000-memory.dmp

Filesize
108KB

Download

description	pid	process	target process
PID 4888 wrote to memory of 4748	4888	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 4888 wrote to memory of 4748	4888	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 4888 wrote to memory of 4748	4888	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 4888 wrote to memory of 4748	4888	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 4888 wrote to memory of 4748	4888	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 4888 wrote to memory of 4748	4888	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 4888 wrote to memory of 4748	4888	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 4888 wrote to memory of 4748	4888	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 4888 wrote to memory of 4748	4888	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 4888 wrote to memory of 4748	4888	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 4748 wrote to memory of 4240	4748	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 4748 wrote to memory of 4240	4748	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 4748 wrote to memory of 4240	4748	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 4748 wrote to memory of 4240	4748	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 4748 wrote to memory of 4240	4748	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 4748 wrote to memory of 4240	4748	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 4748 wrote to memory of 4240	4748	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 4748 wrote to memory of 4240	4748	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 4748 wrote to memory of 4240	4748	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 4748 wrote to memory of 4240	4748	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 4748 wrote to memory of 4240	4748	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 4240 wrote to memory of 3656	4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	schtasks.exe
PID 4240 wrote to memory of 3656	4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	schtasks.exe
PID 4240 wrote to memory of 3656	4240	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	schtasks.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads