7c792e511605657c9ea000df961649c8564abf29835ff31b6a24575ec804818e

Analysis

max time kernel
12s
max time network
14s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lumina.exe
Size

12.9MB
MD5

2701508afb760aa5d0f58a59364327e6
SHA1

56fb1d882761d666be4b07e7744d1ae826c5323b
SHA256

7c792e511605657c9ea000df961649c8564abf29835ff31b6a24575ec804818e
SHA512

1042aaf87a04fff632914b069604916018d009d227d536c175b9da3250aa2e754cf95facb00a2cf738d4e587849edcfb05e97e3a1ab5aaaa5f77bc0114ef30c1
SSDEEP

393216:lxU3LGjuWBBYAV6xBQBkhbLI/4IZOH+hAhTvB:lXBBBj6xWBiwgyOH+hCTvB

Score

9^/10

evasion execution persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Lumina.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\winhb.sys	Lumina.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Lumina.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Lumina.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Lumina.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Lumina.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2879}	Lumina.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2859}	Lumina.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2869}	Lumina.exe
File opened for modification	C:\Windows\System32\IME\IMETC\{69CD1F2D-DF68-4E23-9108-1B70783F2879}	Lumina.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899}	Lumina.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444}	Lumina.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1780	Lumina.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE}	Lumina.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2893}	Lumina.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2892}	Lumina.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2859}	Lumina.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4888	sc.exe
3464	sc.exe
1916	sc.exe
1448	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe
1780	Lumina.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 1864	1780	Lumina.exe	84
PID 1780 wrote to memory of 1864	1780	Lumina.exe	84
PID 1864 wrote to memory of 4888	1864	cmd.exe	88
PID 1864 wrote to memory of 4888	1864	cmd.exe	88
PID 1780 wrote to memory of 2976	1780	Lumina.exe	89
PID 1780 wrote to memory of 2976	1780	Lumina.exe	89
PID 2976 wrote to memory of 3464	2976	cmd.exe	91
PID 2976 wrote to memory of 3464	2976	cmd.exe	91
PID 1780 wrote to memory of 2992	1780	Lumina.exe	94
PID 1780 wrote to memory of 2992	1780	Lumina.exe	94
PID 1780 wrote to memory of 1600	1780	Lumina.exe	96
PID 1780 wrote to memory of 1600	1780	Lumina.exe	96
PID 1780 wrote to memory of 1148	1780	Lumina.exe	98
PID 1780 wrote to memory of 1148	1780	Lumina.exe	98
PID 1148 wrote to memory of 1432	1148	cmd.exe	99
PID 1148 wrote to memory of 1432	1148	cmd.exe	99
PID 1148 wrote to memory of 1036	1148	cmd.exe	100
PID 1148 wrote to memory of 1036	1148	cmd.exe	100
PID 2992 wrote to memory of 1916	2992	cmd.exe	101
PID 2992 wrote to memory of 1916	2992	cmd.exe	101
PID 1148 wrote to memory of 1404	1148	cmd.exe	102
PID 1148 wrote to memory of 1404	1148	cmd.exe	102
PID 1600 wrote to memory of 1448	1600	cmd.exe	103
PID 1600 wrote to memory of 1448	1600	cmd.exe	103
PID 1780 wrote to memory of 4820	1780	Lumina.exe	104
PID 1780 wrote to memory of 4820	1780	Lumina.exe	104
PID 1780 wrote to memory of 4984	1780	Lumina.exe	105
PID 1780 wrote to memory of 4984	1780	Lumina.exe	105

C:\Users\Admin\AppData\Local\Temp\Lumina.exe
"C:\Users\Admin\AppData\Local\Temp\Lumina.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\system32\sc.exe
    sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
    3⤵
    - Launches sc.exe
    PID:4888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc start windowsproc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\system32\sc.exe
    sc start windowsproc
    3⤵
    - Launches sc.exe
    PID:3464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\system32\sc.exe
    sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
    3⤵
    - Launches sc.exe
    PID:1916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc start windowsproc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\system32\sc.exe
    sc start windowsproc
    3⤵
    - Launches sc.exe
    PID:1448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Lumina.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Lumina.exe" MD5
    3⤵
    PID:1432
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:1036
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:1404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1780-0-0x0000000140000000-0x0000000141D1B000-memory.dmp

Filesize
29.1MB

Download
memory/1780-3-0x00007FFE6EC50000-0x00007FFE6EC52000-memory.dmp

Filesize
8KB

Download
memory/1780-1-0x0000000140000000-0x0000000141D1B000-memory.dmp

Filesize
29.1MB

Download
memory/1780-4-0x0000000140000000-0x0000000141D1B000-memory.dmp

Filesize
29.1MB

Download
memory/1780-2-0x0000000140000000-0x0000000141D1B000-memory.dmp

Filesize
29.1MB

Download
memory/1780-15-0x0000000140000000-0x0000000141D1B000-memory.dmp

Filesize
29.1MB

Download