luminosity | 38f65385a0767c22fb3fb3c181ad1dcd576dd9f623ef6aa3df6c01e2b50d5c61

General

Target

e-catalog.pdf.scr
Size

1.2MB
MD5

3f379c45cf293566709f473ea1f38125
SHA1

825af50daf0146a5f16aa6e3f59fa5320def4735
SHA256

94b795d57617222666cc16d4c9928841d781ba8d2406a188314e51a48f5d10da
SHA512

7a124fe558e4d8d1aed01be8d5d9720e7fc07d2f4a7215392eb4e4883e2191820a2e45f36c922e49aa2989301f379f43361d11558b43f4b6d814140eb6e90add
SSDEEP

24576:s+o/NuOhnPXVW9+E7a64d968HFghHqnqXg6cU9KXLNJCR+0MNDjCO4pF:IlvnPlW9+En4d08lghHqqQqoGsDjCNF

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity 3 IoCs

Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

rat luminosity

Processes:

e-catalog.pdf.scrschtasks.exeschtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\SystemCertificates\CA	e-catalog.pdf.scr
3776	schtasks.exe
4880	schtasks.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

REG.exeREG.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "cmd /c \"start \"Client Monitor\" \"C:\\Program Files (x86)\\Client\\client.exe\""	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "cmd /c \"start \"Client Monitor\" \"C:\\Program Files (x86)\\Client\\client.exe\""	REG.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4880 schtasks.exe

pid	process
4880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e-catalog.pdf.scr

pid	process
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr
3520	e-catalog.pdf.scr

Suspicious behavior: RenamesItself 1 IoCs

Processes:

e-catalog.pdf.scr

pid process

3520 e-catalog.pdf.scr
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e-catalog.pdf.scrclient.exe

description pid process

Token: SeDebugPrivilege 3520 e-catalog.pdf.scr
Token: SeDebugPrivilege 4068 client.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

e-catalog.pdf.scrclient.exe

pid process

3520 e-catalog.pdf.scr
4068 client.exe

description	pid	process
Token: SeDebugPrivilege	3520	e-catalog.pdf.scr
Token: SeDebugPrivilege	4068	client.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

e-catalog.pdf.scrclient.exe

description	pid	process	target process
PID 3520 wrote to memory of 3776	3520	e-catalog.pdf.scr	schtasks.exe
PID 3520 wrote to memory of 3776	3520	e-catalog.pdf.scr	schtasks.exe
PID 3520 wrote to memory of 3776	3520	e-catalog.pdf.scr	schtasks.exe
PID 3520 wrote to memory of 1836	3520	e-catalog.pdf.scr	REG.exe
PID 3520 wrote to memory of 1836	3520	e-catalog.pdf.scr	REG.exe
PID 3520 wrote to memory of 1836	3520	e-catalog.pdf.scr	REG.exe
PID 3520 wrote to memory of 4068	3520	e-catalog.pdf.scr	client.exe
PID 3520 wrote to memory of 4068	3520	e-catalog.pdf.scr	client.exe
PID 3520 wrote to memory of 4068	3520	e-catalog.pdf.scr	client.exe
PID 3520 wrote to memory of 4068	3520	e-catalog.pdf.scr	client.exe
PID 3520 wrote to memory of 4068	3520	e-catalog.pdf.scr	client.exe
PID 4068 wrote to memory of 4880	4068	client.exe	schtasks.exe
PID 4068 wrote to memory of 4880	4068	client.exe	schtasks.exe
PID 4068 wrote to memory of 4880	4068	client.exe	schtasks.exe
PID 4068 wrote to memory of 3668	4068	client.exe	REG.exe
PID 4068 wrote to memory of 3668	4068	client.exe	REG.exe
PID 4068 wrote to memory of 3668	4068	client.exe	REG.exe

C:\Users\Admin\AppData\Local\Temp\e-catalog.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\e-catalog.pdf.scr" /S
1⤵
- Luminosity
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /sc MINUTE /f /rl highest
  2⤵
  - Luminosity
  PID:3776
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
  2⤵
  - Adds Run key to start application
  PID:1836

C:\Program Files (x86)\Client\client.exe
"C:\Program Files (x86)\Client\client.exe" /startup
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /sc MINUTE /f /rl highest
  2⤵
  - Luminosity
  - Creates scheduled task(s)
  PID:4880
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
  2⤵
  - Adds Run key to start application
  PID:3668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
471B

MD5
b8580ddaa0a4baef024bf6dc0235a5fd

SHA1
2b70d795ff52433de6b45fbc180d34f05ac11f34

SHA256
0cac8b67ae22816af07ff37e607ec304b1c670ac792f45f34672dc6d613c4d61

SHA512
cb77d6b3b3cb20ff7bb84ec0c83e8ff3d0f1c916cdd1b76bf8ad9b4019afdcbde7043603177e19319867e653b386b0396680fafd26b06764df53a8372a1ecd80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_108A7991F73F2B507007C35661993162

Filesize
471B

MD5
5fc585ad8ccb121d30a05982c2d33bb1

SHA1
a2cb274463a1945a875c80731afd01855abb32e3

SHA256
54a4e08a1d51525e6721b5cf219edb9649195c623a57667ea9e53a50c479b01d

SHA512
0ecc3f89130f802b38c8ff9a6fab3be68f12b09943529ab877cd8207f3100969e06df2b9bd0d5e61eec1dd9cbc3a34ab99e85fe6bd5dd71afda9736993caa9d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
404B

MD5
57b5d23446faba5a5f7c52fb235b3415

SHA1
58009d9b9c4aa2d3ddabb5641a1e40a29f847b12

SHA256
cb77b447657c0f319e3be7b17908d89221e8ecabbb64c7e2bfadba2f2390874b

SHA512
a1907a067f4e0a76d3a2c9d17f0226f70e9544c8af728165bbab95434a04ddbc11fde7e349875f3094c58e7dd444243f0c67f844d98d6864d42c21b8c13a4ef7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_108A7991F73F2B507007C35661993162

Filesize
400B

MD5
0396138381af1c342ec08abcf44a3ab8

SHA1
7b0f427c58e5629977283f5af22439dc334fbf17

SHA256
d5dd788d8aa8b6b4c94dbf08bee02aa17e4c791f9e67a3f7f60b81528ceab24e

SHA512
555f837a3fbba4e997f4315137239a3c03857cb11f60dfccf1dcb5d93236ed6f750d2b67c88a22530c05b1889fc4fd4e1d022bbca62c42ce044e14ec2cfaabf7

Download Submit
memory/3520-1-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/3520-2-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/3520-11-0x0000000075012000-0x0000000075013000-memory.dmp

Filesize
4KB

Download
memory/3520-12-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/3520-0-0x0000000075012000-0x0000000075013000-memory.dmp

Filesize
4KB

Download
memory/4068-13-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/4068-14-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/4068-20-0x0000000004C40000-0x0000000004C57000-memory.dmp

Filesize
92KB

Download
memory/4068-22-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/4068-19-0x0000000004C40000-0x0000000004C57000-memory.dmp

Filesize
92KB

Download
memory/4068-23-0x0000000004C40000-0x0000000004C57000-memory.dmp

Filesize
92KB

Download
memory/4068-21-0x0000000004C40000-0x0000000004C57000-memory.dmp

Filesize
92KB

Download
memory/4068-25-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/4068-26-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/4068-27-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/4068-28-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads