luminosity | 3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d

General

Target

3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe
Size

638KB
MD5

1fdd8e8afb5238c0e160774f8b6a8e5b
SHA1

7fa2fc7f6632b3ddadfc930959cf8e6401b7f0de
SHA256

3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d
SHA512

d48b8c2aca82ffb5b7f9e3f9cf53cf75b9c86fda6f06a46e5f1040f12f236f5adccd2076b027c914902e376f6307a948846c095c0ac048c4643f2cd661372884
SSDEEP

12288:uZWg5P5RpcVpQjn8qadSWixuGEQVhz3SlEbshkKnUTcA9OX:Lg95REpQjHak9ufQHyvUA/

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

sysmon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	sysmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\490145\\sysmon.exe\""	sysmon.exe

Executes dropped EXE 2 IoCs

Processes:

sysmon.exesysmon.exe

pid process

2572 sysmon.exe
2476 sysmon.exe
Loads dropped DLL 2 IoCs

Processes:

3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exesysmon.exe

pid process

2216 3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe
2572 sysmon.exe

pid	process
2572	sysmon.exe
2476	sysmon.exe

pid	process
2216	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe
2572	sysmon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sysmon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor = "\"C:\\ProgramData\\490145\\sysmon.exe\""	sysmon.exe

Drops file in System32 directory 2 IoCs

Processes:

sysmon.exe

description ioc process

File created C:\Windows\SysWOW64\clientsvr.exe sysmon.exe
File opened for modification C:\Windows\SysWOW64\clientsvr.exe sysmon.exe

description	ioc	process
File created	C:\Windows\SysWOW64\clientsvr.exe	sysmon.exe
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	sysmon.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exesysmon.exe

description	pid	process	target process
PID 1712 set thread context of 2216	1712	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe
PID 2572 set thread context of 2476	2572	sysmon.exe	sysmon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sysmon.exe3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe

pid	process
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2216	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe
2476	sysmon.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe

pid process

2216 3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

sysmon.exe

description pid process

Token: SeDebugPrivilege 2476 sysmon.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

sysmon.exe

pid process

2476 sysmon.exe

pid	process
2216	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe

description	pid	process
Token: SeDebugPrivilege	2476	sysmon.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exesysmon.exesysmon.exe

description	pid	process	target process
PID 1712 wrote to memory of 2216	1712	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe
PID 1712 wrote to memory of 2216	1712	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe
PID 1712 wrote to memory of 2216	1712	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe
PID 1712 wrote to memory of 2216	1712	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe
PID 1712 wrote to memory of 2216	1712	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe
PID 1712 wrote to memory of 2216	1712	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe
PID 1712 wrote to memory of 2216	1712	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe
PID 1712 wrote to memory of 2216	1712	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe
PID 1712 wrote to memory of 2216	1712	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe
PID 2216 wrote to memory of 2572	2216	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe	sysmon.exe
PID 2216 wrote to memory of 2572	2216	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe	sysmon.exe
PID 2216 wrote to memory of 2572	2216	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe	sysmon.exe
PID 2216 wrote to memory of 2572	2216	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe	sysmon.exe
PID 2572 wrote to memory of 2476	2572	sysmon.exe	sysmon.exe
PID 2572 wrote to memory of 2476	2572	sysmon.exe	sysmon.exe
PID 2572 wrote to memory of 2476	2572	sysmon.exe	sysmon.exe
PID 2572 wrote to memory of 2476	2572	sysmon.exe	sysmon.exe
PID 2572 wrote to memory of 2476	2572	sysmon.exe	sysmon.exe
PID 2572 wrote to memory of 2476	2572	sysmon.exe	sysmon.exe
PID 2572 wrote to memory of 2476	2572	sysmon.exe	sysmon.exe
PID 2572 wrote to memory of 2476	2572	sysmon.exe	sysmon.exe
PID 2572 wrote to memory of 2476	2572	sysmon.exe	sysmon.exe
PID 2476 wrote to memory of 2216	2476	sysmon.exe	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe
PID 2476 wrote to memory of 2216	2476	sysmon.exe	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe
PID 2476 wrote to memory of 2216	2476	sysmon.exe	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe
PID 2476 wrote to memory of 2216	2476	sysmon.exe	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe
PID 2476 wrote to memory of 2216	2476	sysmon.exe	3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe

C:\Users\Admin\AppData\Local\Temp\3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe
"C:\Users\Admin\AppData\Local\Temp\3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe
"C:\Users\Admin\AppData\Local\Temp\3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2216

C:\ProgramData\490145\sysmon.exe
"C:\ProgramData\490145\sysmon.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2572

C:\ProgramData\490145\sysmon.exe
"C:\ProgramData\490145\sysmon.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\490145\sysmon.exe
Filesize
638KB

MD5
1fdd8e8afb5238c0e160774f8b6a8e5b

SHA1
7fa2fc7f6632b3ddadfc930959cf8e6401b7f0de

SHA256
3739266e1f38976ad890c6595dde6e398f7dec6fad52b9c5f77aad2853f0833d

SHA512
d48b8c2aca82ffb5b7f9e3f9cf53cf75b9c86fda6f06a46e5f1040f12f236f5adccd2076b027c914902e376f6307a948846c095c0ac048c4643f2cd661372884

Download Submit
memory/1712-3-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-1-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-2-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-22-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-0-0x0000000074AC1000-0x0000000074AC2000-memory.dmp

Filesize
4KB

Download
memory/2216-64-0x0000000002070000-0x0000000002087000-memory.dmp

Filesize
92KB

Download
memory/2216-62-0x0000000002070000-0x0000000002087000-memory.dmp

Filesize
92KB

Download
memory/2216-17-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2216-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2216-19-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2216-6-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2216-8-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2216-4-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2216-25-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/2216-27-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/2216-72-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/2216-71-0x0000000002070000-0x0000000002087000-memory.dmp

Filesize
92KB

Download
memory/2216-70-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/2216-60-0x0000000002070000-0x0000000002087000-memory.dmp

Filesize
92KB

Download
memory/2216-58-0x0000000002070000-0x0000000002087000-memory.dmp

Filesize
92KB

Download
memory/2216-68-0x0000000002070000-0x0000000002087000-memory.dmp

Filesize
92KB

Download
memory/2216-67-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/2216-65-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/2216-26-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/2216-21-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2216-59-0x0000000002070000-0x0000000002087000-memory.dmp

Filesize
92KB

Download
memory/2476-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2572-35-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/2572-54-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/2572-55-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/2572-37-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads