luminosity | 38f65385a0767c22fb3fb3c181ad1dcd576dd9f623ef6aa3df6c01e2b50d5c61

General

Target

e-cataloge.pdf.exe
Size

1.2MB
MD5

3f379c45cf293566709f473ea1f38125
SHA1

825af50daf0146a5f16aa6e3f59fa5320def4735
SHA256

94b795d57617222666cc16d4c9928841d781ba8d2406a188314e51a48f5d10da
SHA512

7a124fe558e4d8d1aed01be8d5d9720e7fc07d2f4a7215392eb4e4883e2191820a2e45f36c922e49aa2989301f379f43361d11558b43f4b6d814140eb6e90add
SSDEEP

24576:s+o/NuOhnPXVW9+E7a64d968HFghHqnqXg6cU9KXLNJCR+0MNDjCO4pF:IlvnPlW9+En4d08lghHqqQqoGsDjCNF

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity 3 IoCs

Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

rat luminosity

Processes:

e-cataloge.pdf.exeschtasks.exeschtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\SystemCertificates\CA	e-cataloge.pdf.exe
1972	schtasks.exe
1656	schtasks.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

REG.exeREG.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "cmd /c \"start \"Client Monitor\" \"C:\\Program Files (x86)\\Client\\client.exe\""	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "cmd /c \"start \"Client Monitor\" \"C:\\Program Files (x86)\\Client\\client.exe\""	REG.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1656 schtasks.exe

pid	process
1656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e-cataloge.pdf.exe

pid	process
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe
4816	e-cataloge.pdf.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

e-cataloge.pdf.exe

pid process

4816 e-cataloge.pdf.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e-cataloge.pdf.execlient.exe

description pid process

Token: SeDebugPrivilege 4816 e-cataloge.pdf.exe
Token: SeDebugPrivilege 1756 client.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

e-cataloge.pdf.execlient.exe

pid process

4816 e-cataloge.pdf.exe
1756 client.exe

description	pid	process
Token: SeDebugPrivilege	4816	e-cataloge.pdf.exe
Token: SeDebugPrivilege	1756	client.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

e-cataloge.pdf.execlient.exe

description	pid	process	target process
PID 4816 wrote to memory of 1972	4816	e-cataloge.pdf.exe	schtasks.exe
PID 4816 wrote to memory of 1972	4816	e-cataloge.pdf.exe	schtasks.exe
PID 4816 wrote to memory of 1972	4816	e-cataloge.pdf.exe	schtasks.exe
PID 4816 wrote to memory of 792	4816	e-cataloge.pdf.exe	REG.exe
PID 4816 wrote to memory of 792	4816	e-cataloge.pdf.exe	REG.exe
PID 4816 wrote to memory of 792	4816	e-cataloge.pdf.exe	REG.exe
PID 4816 wrote to memory of 1756	4816	e-cataloge.pdf.exe	client.exe
PID 4816 wrote to memory of 1756	4816	e-cataloge.pdf.exe	client.exe
PID 4816 wrote to memory of 1756	4816	e-cataloge.pdf.exe	client.exe
PID 4816 wrote to memory of 1756	4816	e-cataloge.pdf.exe	client.exe
PID 4816 wrote to memory of 1756	4816	e-cataloge.pdf.exe	client.exe
PID 1756 wrote to memory of 1656	1756	client.exe	schtasks.exe
PID 1756 wrote to memory of 1656	1756	client.exe	schtasks.exe
PID 1756 wrote to memory of 1656	1756	client.exe	schtasks.exe
PID 1756 wrote to memory of 3660	1756	client.exe	REG.exe
PID 1756 wrote to memory of 3660	1756	client.exe	REG.exe
PID 1756 wrote to memory of 3660	1756	client.exe	REG.exe

C:\Users\Admin\AppData\Local\Temp\e-cataloge.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\e-cataloge.pdf.exe"
1⤵
- Luminosity
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /sc MINUTE /f /rl highest
  2⤵
  - Luminosity
  PID:1972
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
  2⤵
  - Adds Run key to start application
  PID:792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3668,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:8
1⤵
PID:4420

C:\Program Files (x86)\Client\client.exe
"C:\Program Files (x86)\Client\client.exe" /startup
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /sc MINUTE /f /rl highest
  2⤵
  - Luminosity
  - Creates scheduled task(s)
  PID:1656
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
  2⤵
  - Adds Run key to start application
  PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
471B

MD5
b8580ddaa0a4baef024bf6dc0235a5fd

SHA1
2b70d795ff52433de6b45fbc180d34f05ac11f34

SHA256
0cac8b67ae22816af07ff37e607ec304b1c670ac792f45f34672dc6d613c4d61

SHA512
cb77d6b3b3cb20ff7bb84ec0c83e8ff3d0f1c916cdd1b76bf8ad9b4019afdcbde7043603177e19319867e653b386b0396680fafd26b06764df53a8372a1ecd80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_108A7991F73F2B507007C35661993162

Filesize
471B

MD5
5fc585ad8ccb121d30a05982c2d33bb1

SHA1
a2cb274463a1945a875c80731afd01855abb32e3

SHA256
54a4e08a1d51525e6721b5cf219edb9649195c623a57667ea9e53a50c479b01d

SHA512
0ecc3f89130f802b38c8ff9a6fab3be68f12b09943529ab877cd8207f3100969e06df2b9bd0d5e61eec1dd9cbc3a34ab99e85fe6bd5dd71afda9736993caa9d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
404B

MD5
eb0ef1535d964e5518bcb7d0391a8336

SHA1
e2105f1366bc116631ca6f24fcd20df5ab715815

SHA256
e4c4b9cdf7cea1bb8ff6f535649d7870fe5ae973fc867915680e7df8bb69b80f

SHA512
cbc398d96aec0015f97073e22179e9e6d4eed389241265760955e580bb7e1cf4cf49391701fc29e3380da489fc73549ecbe72a1ac8fb129144d80e77831ecfdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_108A7991F73F2B507007C35661993162

Filesize
400B

MD5
6d67ce1a3e5c8429dea0ddea81ce60ad

SHA1
51d5798d92d9e8c6edd8cd54ee3068e573834ac2

SHA256
a7415fda15b910cd07c241bb66614a2113473362a2734bde3eac7c3c6bd85c9b

SHA512
01c24e47e2bfa969606ba39cc703963fcf928d1c207437d2b3ae74fc9be868d7cd4eb83431962f0fe7157a6303cb951dc0c1a2c921c714fe6c376673a1ca2528

Download Submit
memory/1756-15-0x0000000001020000-0x0000000001037000-memory.dmp

Filesize
92KB

Download
memory/1756-24-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/1756-17-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/1756-16-0x0000000001020000-0x0000000001037000-memory.dmp

Filesize
92KB

Download
memory/1756-26-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/1756-14-0x0000000001020000-0x0000000001037000-memory.dmp

Filesize
92KB

Download
memory/1756-18-0x0000000001020000-0x0000000001037000-memory.dmp

Filesize
92KB

Download
memory/1756-13-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/1756-25-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4816-12-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4816-1-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4816-2-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4816-11-0x0000000074BE2000-0x0000000074BE3000-memory.dmp

Filesize
4KB

Download
memory/4816-0-0x0000000074BE2000-0x0000000074BE3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads