luminosity | ea37da43c3c832a93a2b35b5b3123701477856f54a8ab1cedd1fb327530a4310

General

Target

1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
Size

2.0MB
MD5

1de77153b8ed0bc19f79036248df5621
SHA1

ded5307d06333b53a86e03cc02224b153910a84d
SHA256

ea37da43c3c832a93a2b35b5b3123701477856f54a8ab1cedd1fb327530a4310
SHA512

c6f9bc13403124f27c20afa3d601b3a4dac3371f180d38b992bd4e25ad9821c9de26b93f66d1fc27377536273a88e3e460512f1fb7040f80921e2c9672e316ac
SSDEEP

49152:wc830v9NCqv6zD6YoMKGEvlsGiDykA8fySqs9uI2rChl:A30v97RTGEts1ykASDqcD

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity 28 IoCs

Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

rat luminosity

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5044	schtasks.exe
4584	schtasks.exe
2240	schtasks.exe
4328	schtasks.exe
468	schtasks.exe
4944	schtasks.exe
2976	schtasks.exe
1576	schtasks.exe
3444	schtasks.exe
1192	schtasks.exe
3080	schtasks.exe
2860	schtasks.exe
2832	schtasks.exe
2544	schtasks.exe
4528	schtasks.exe
2112	schtasks.exe
3704	schtasks.exe
3832	schtasks.exe
4828	schtasks.exe
4344	schtasks.exe
2212	schtasks.exe
3496	schtasks.exe
4948	schtasks.exe
2796	schtasks.exe
3508	schtasks.exe
316	schtasks.exe
4324	schtasks.exe
3236	schtasks.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exeMicrosoft.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Microsoft.exe

Executes dropped EXE 4 IoCs

Processes:

Microsoft.exeFile.exesvhost.exesvhost.exe

pid process

3752 Microsoft.exe
1968 File.exe
3972 svhost.exe
2584 svhost.exe

pid	process
3752	Microsoft.exe
1968	File.exe
3972	svhost.exe
2584	svhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

REG.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft = "cmd /c \"start \"Microsoft\" \"C:\\Program Files (x86)\\Microsoft\\INJECTOR.exe\""	REG.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

Microsoft.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	Microsoft.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Microsoft.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exeMicrosoft.exe

description	pid	process	target process
PID 2532 set thread context of 3972	2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe	svhost.exe
PID 3752 set thread context of 2584	3752	Microsoft.exe	svhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

svhost.exesvhost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\INJECTOR.exe	svhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\INJECTOR.exe	svhost.exe
File created	C:\Program Files (x86)\Microsoft\Injector.exe	svhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Injector.exe	svhost.exe

Drops file in Windows directory 3 IoCs

Processes:

Microsoft.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	Microsoft.exe
File created	C:\Windows\assembly\Desktop.ini	Microsoft.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Microsoft.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3080 schtasks.exe

pid	process
3080	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exeMicrosoft.exesvhost.exeFile.exe

pid	process
2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
3752	Microsoft.exe
2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
3752	Microsoft.exe
3752	Microsoft.exe
2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
3752	Microsoft.exe
3752	Microsoft.exe
2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
3752	Microsoft.exe
3752	Microsoft.exe
2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
3752	Microsoft.exe
3752	Microsoft.exe
2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
3752	Microsoft.exe
3752	Microsoft.exe
3972	svhost.exe
2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
3752	Microsoft.exe
3752	Microsoft.exe
3972	svhost.exe
2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
3752	Microsoft.exe
3752	Microsoft.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
1968	File.exe
1968	File.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe
3972	svhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exeMicrosoft.exesvhost.exe

description	pid	process
Token: SeDebugPrivilege	2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
Token: SeDebugPrivilege	3752	Microsoft.exe
Token: SeDebugPrivilege	3972	svhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svhost.exe

pid process

3972 svhost.exe

pid	process
3972	svhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1de77153b8ed0bc19f79036248df5621_JaffaCakes118.execmd.exeMicrosoft.execmd.exesvhost.exe

description	pid	process	target process
PID 2532 wrote to memory of 3752	2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe	Microsoft.exe
PID 2532 wrote to memory of 3752	2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe	Microsoft.exe
PID 2532 wrote to memory of 3752	2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe	Microsoft.exe
PID 2532 wrote to memory of 3908	2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe	cmd.exe
PID 2532 wrote to memory of 3908	2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe	cmd.exe
PID 2532 wrote to memory of 3908	2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe	cmd.exe
PID 3908 wrote to memory of 2344	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 2344	3908	cmd.exe	reg.exe
PID 3908 wrote to memory of 2344	3908	cmd.exe	reg.exe
PID 3752 wrote to memory of 1968	3752	Microsoft.exe	File.exe
PID 3752 wrote to memory of 1968	3752	Microsoft.exe	File.exe
PID 3752 wrote to memory of 1968	3752	Microsoft.exe	File.exe
PID 3752 wrote to memory of 2092	3752	Microsoft.exe	cmd.exe
PID 3752 wrote to memory of 2092	3752	Microsoft.exe	cmd.exe
PID 3752 wrote to memory of 2092	3752	Microsoft.exe	cmd.exe
PID 2532 wrote to memory of 3972	2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe	svhost.exe
PID 2532 wrote to memory of 3972	2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe	svhost.exe
PID 2532 wrote to memory of 3972	2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe	svhost.exe
PID 2532 wrote to memory of 3972	2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe	svhost.exe
PID 2532 wrote to memory of 3972	2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe	svhost.exe
PID 2532 wrote to memory of 3972	2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe	svhost.exe
PID 2532 wrote to memory of 3972	2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe	svhost.exe
PID 2532 wrote to memory of 3972	2532	1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe	svhost.exe
PID 2092 wrote to memory of 3080	2092	cmd.exe	reg.exe
PID 2092 wrote to memory of 3080	2092	cmd.exe	reg.exe
PID 2092 wrote to memory of 3080	2092	cmd.exe	reg.exe
PID 3752 wrote to memory of 2584	3752	Microsoft.exe	svhost.exe
PID 3752 wrote to memory of 2584	3752	Microsoft.exe	svhost.exe
PID 3752 wrote to memory of 2584	3752	Microsoft.exe	svhost.exe
PID 3752 wrote to memory of 2584	3752	Microsoft.exe	svhost.exe
PID 3752 wrote to memory of 2584	3752	Microsoft.exe	svhost.exe
PID 3752 wrote to memory of 2584	3752	Microsoft.exe	svhost.exe
PID 3752 wrote to memory of 2584	3752	Microsoft.exe	svhost.exe
PID 3752 wrote to memory of 2584	3752	Microsoft.exe	svhost.exe
PID 3972 wrote to memory of 4828	3972	svhost.exe	schtasks.exe
PID 3972 wrote to memory of 4828	3972	svhost.exe	schtasks.exe
PID 3972 wrote to memory of 4828	3972	svhost.exe	schtasks.exe
PID 3972 wrote to memory of 2112	3972	svhost.exe	schtasks.exe
PID 3972 wrote to memory of 2112	3972	svhost.exe	schtasks.exe
PID 3972 wrote to memory of 2112	3972	svhost.exe	schtasks.exe
PID 3972 wrote to memory of 1968	3972	svhost.exe	File.exe
PID 3972 wrote to memory of 1968	3972	svhost.exe	File.exe
PID 3972 wrote to memory of 1968	3972	svhost.exe	File.exe
PID 3972 wrote to memory of 1968	3972	svhost.exe	File.exe
PID 3972 wrote to memory of 1968	3972	svhost.exe	File.exe
PID 3972 wrote to memory of 4584	3972	svhost.exe	schtasks.exe
PID 3972 wrote to memory of 4584	3972	svhost.exe	schtasks.exe
PID 3972 wrote to memory of 4584	3972	svhost.exe	schtasks.exe
PID 3972 wrote to memory of 4324	3972	svhost.exe	schtasks.exe
PID 3972 wrote to memory of 4324	3972	svhost.exe	schtasks.exe
PID 3972 wrote to memory of 4324	3972	svhost.exe	schtasks.exe
PID 3972 wrote to memory of 4344	3972	svhost.exe	schtasks.exe
PID 3972 wrote to memory of 4344	3972	svhost.exe	schtasks.exe
PID 3972 wrote to memory of 4344	3972	svhost.exe	schtasks.exe
PID 3972 wrote to memory of 2240	3972	svhost.exe	schtasks.exe
PID 3972 wrote to memory of 2240	3972	svhost.exe	schtasks.exe
PID 3972 wrote to memory of 2240	3972	svhost.exe	schtasks.exe
PID 3972 wrote to memory of 1128	3972	svhost.exe	REG.exe
PID 3972 wrote to memory of 1128	3972	svhost.exe	REG.exe
PID 3972 wrote to memory of 1128	3972	svhost.exe	REG.exe
PID 3972 wrote to memory of 2976	3972	svhost.exe	schtasks.exe
PID 3972 wrote to memory of 2976	3972	svhost.exe	schtasks.exe
PID 3972 wrote to memory of 2976	3972	svhost.exe	schtasks.exe
PID 3972 wrote to memory of 468	3972	svhost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3752

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1968

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe.lnk " /f
4⤵
PID:3080

C:\Users\Admin\AppData\Roaming\svhost.exe
"C:\Users\Admin\AppData\Roaming\svhost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2584

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MicrosoftUpdates\Microsoft.exe.lnk " /f
3⤵
PID:2344

C:\Users\Admin\AppData\Roaming\svhost.exe
"C:\Users\Admin\AppData\Roaming\svhost.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:4828

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:2112

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:4584

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:4324

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:4344

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:2240

C:\Windows\SysWOW64\REG.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Microsoft" /d "cmd /c """start """Microsoft""" """C:\Program Files (x86)\Microsoft\INJECTOR.exe"""" /f /reg:64
3⤵
- Adds Run key to start application
PID:1128

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:2976

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:468

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:2860

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:1576

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:5044

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:4944

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:2212

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:3444

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:3496

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:4948

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:2832

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:2796

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:3704

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:2544

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:4328

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:3832

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:1192

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:3508

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:4528

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:316

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
PID:3236

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Microsoft" /tr "'C:\Program Files (x86)\Microsoft\INJECTOR.exe' /startup" /sc MINUTE /f /rl highest
3⤵
- Luminosity
- Creates scheduled task(s)
PID:3080

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe
Filesize
33KB

MD5
27c0d8847cf9c01995d98b859c1ce1a7

SHA1
7e90992873d538c5fe8dc9bae310f21a1ad26107

SHA256
041bfb806d735dc68e2fe143d4ef83194164f6ee5f56bd5e793b3d0ae372e187

SHA512
04a134b1d929abcdde4ef6b9e38a64fbc72ce8f66c2750cd6515c9420d2e658f83b12b93b3dd3ab07c1be81a83ff29a9855e09fe798829b18564fc5804e47d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft.exe
Filesize
1.0MB

MD5
36c4cec334ef23d1be8f41c38018fa02

SHA1
cca0878895d0990af14e3b5ff434bd5ca5d9f864

SHA256
0a1ad5541cebb570dcb272b6e3519fda98fdeca62f6f426fe445cc4f63448cea

SHA512
a1aca735db5b536d4fb2c118d24b9bf11a6724caff2e715b9f37c7d45ae8a5185f15d797ec37398a92b3a6abdac7d759e1cec11203ec133a98e826cb125c3ab9

Download Submit
C:\Users\Admin\AppData\Roaming\MicrosoftUpdates\Microsoft.exe
Filesize
2.0MB

MD5
1de77153b8ed0bc19f79036248df5621

SHA1
ded5307d06333b53a86e03cc02224b153910a84d

SHA256
ea37da43c3c832a93a2b35b5b3123701477856f54a8ab1cedd1fb327530a4310

SHA512
c6f9bc13403124f27c20afa3d601b3a4dac3371f180d38b992bd4e25ad9821c9de26b93f66d1fc27377536273a88e3e460512f1fb7040f80921e2c9672e316ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe.lnk
Filesize
859B

MD5
cd7567cdc482fa7fc8676f2c09ac27be

SHA1
f67b44495f752f84cb25b4a676c1398b9d3a1e61

SHA256
b598223917540568b4c5e35e2568219ce0adc8f8b5414579766bc9778665db45

SHA512
3c85483f6f718ec65350f5ef15ba608583bee287c2b6739d3b183f38d3fcc811c2b4448925c923fbaafba98d48a49e371784ac892fa131397ac471a1c183b970

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe
Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
memory/1968-56-0x0000000002000000-0x0000000002017000-memory.dmp

Filesize
92KB

Download
memory/1968-53-0x0000000002000000-0x0000000002017000-memory.dmp

Filesize
92KB

Download
memory/1968-54-0x0000000002000000-0x0000000002017000-memory.dmp

Filesize
92KB

Download
memory/1968-55-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1968-52-0x0000000002000000-0x0000000002017000-memory.dmp

Filesize
92KB

Download
memory/2532-48-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/2532-0-0x0000000075092000-0x0000000075093000-memory.dmp

Filesize
4KB

Download
memory/2532-2-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/2532-1-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/3752-50-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/3752-13-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/3752-12-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/3752-11-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/3972-33-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads