luminosity | 0262a0e0d5a9ab4e1d118c14d111319fa4d35000f487fadf4dc1fb12f686e618

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0262a0e0d5a9ab4e1d118c14d111319fa4d35000f487fadf4dc1fb12f686e618N.exe
Size

1.0MB
MD5

45ae334cb824152afd9d25d3434a4660
SHA1

fb7987c916480bedf81d598227bf2ea92f0239a1
SHA256

0262a0e0d5a9ab4e1d118c14d111319fa4d35000f487fadf4dc1fb12f686e618
SHA512

2e0f3412aa1e40a83da119a91be54fe1179a69cf3c873945e648cd96368c8b93f1f0283d4c6a86e414ec71df903332cbf78bb585bbcc7b9bc88ccac8d0c212a5
SSDEEP

12288:7JuDFhY9HGbus7YjeLIcSdThuQsx9I9UF8KRNQ9HalPfz9QqDieQqLu/T/EUvvMv:7+hGSSc5sus9Ux0Hal/LvpJv2V4a4

Score

10^/10

luminosity discovery persistence rat

Malware Config

Signatures

Luminosity 2 IoCs

Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

rat luminosity

description	ioc	pid	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language		0262a0e0d5a9ab4e1d118c14d111319fa4d35000f487fadf4dc1fb12f686e618N.exe
		5036	schtasks.exe

Luminosity family
luminosity

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bDBQhIKXVVbPZJSU.cmd.lnk	QbLYCBPGXPbYIDYcPIDgL.cmd

Executes dropped EXE 1 IoCs

pid	Process
4848	QbLYCBPGXPbYIDYcPIDgL.cmd

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0262a0e0d5a9ab4e1d118c14d111319fa4d35000f487fadf4dc1fb12f686e618N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "\"C:\\Program Files (x86)\\Client\\client.exe\" -a /a"	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4848 set thread context of 3080	4848	QbLYCBPGXPbYIDYcPIDgL.cmd	84

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Client\client.exe	RegAsm.exe
File opened for modification	C:\Program Files (x86)\Client\client.exe	RegAsm.exe
File created	C:\Program Files (x86)\Client\client.exe.config	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QbLYCBPGXPbYIDYcPIDgL.cmd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0262a0e0d5a9ab4e1d118c14d111319fa4d35000f487fadf4dc1fb12f686e618N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4848	QbLYCBPGXPbYIDYcPIDgL.cmd
4848	QbLYCBPGXPbYIDYcPIDgL.cmd
4848	QbLYCBPGXPbYIDYcPIDgL.cmd
4848	QbLYCBPGXPbYIDYcPIDgL.cmd
4848	QbLYCBPGXPbYIDYcPIDgL.cmd
4848	QbLYCBPGXPbYIDYcPIDgL.cmd
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe
3080	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3080	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3080	RegAsm.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 4848	1708	0262a0e0d5a9ab4e1d118c14d111319fa4d35000f487fadf4dc1fb12f686e618N.exe	83
PID 1708 wrote to memory of 4848	1708	0262a0e0d5a9ab4e1d118c14d111319fa4d35000f487fadf4dc1fb12f686e618N.exe	83
PID 1708 wrote to memory of 4848	1708	0262a0e0d5a9ab4e1d118c14d111319fa4d35000f487fadf4dc1fb12f686e618N.exe	83
PID 4848 wrote to memory of 3080	4848	QbLYCBPGXPbYIDYcPIDgL.cmd	84
PID 4848 wrote to memory of 3080	4848	QbLYCBPGXPbYIDYcPIDgL.cmd	84
PID 4848 wrote to memory of 3080	4848	QbLYCBPGXPbYIDYcPIDgL.cmd	84
PID 4848 wrote to memory of 3080	4848	QbLYCBPGXPbYIDYcPIDgL.cmd	84
PID 4848 wrote to memory of 3080	4848	QbLYCBPGXPbYIDYcPIDgL.cmd	84
PID 3080 wrote to memory of 5036	3080	RegAsm.exe	99
PID 3080 wrote to memory of 5036	3080	RegAsm.exe	99
PID 3080 wrote to memory of 5036	3080	RegAsm.exe	99

C:\Users\Admin\AppData\Local\Temp\0262a0e0d5a9ab4e1d118c14d111319fa4d35000f487fadf4dc1fb12f686e618N.exe
"C:\Users\Admin\AppData\Local\Temp\0262a0e0d5a9ab4e1d118c14d111319fa4d35000f487fadf4dc1fb12f686e618N.exe"
1⤵
- Luminosity
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QbLYCBPGXPbYIDYcPIDgL.cmd
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QbLYCBPGXPbYIDYcPIDgL.cmd QbLYCBPGXPbYIDYcPID
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    - CmdLine Args
    3⤵
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc onlogon /tn "Client Monitor" /rl highest /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f
      4⤵
      Luminosity
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Client\client.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Program Files (x86)\Client\client.exe.config

Filesize
181B

MD5
0366f988e5ea426d80338070d8fa241b

SHA1
153b90af59d0598a0d5f5e083cb7ff24e2f7adcf

SHA256
325b14941e79aeb570eb4062714d446f70b51db3c14fa58c5d2f90c8dafe3c3e

SHA512
563a39c5958ae6f507e37923959a8a2608c7e9a6f338053edc142d8038849043c6050df2946116876102704ff14d6b36314aca468d91a7f3279754df2aba0bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QbLYCBPGXPbYIDYcPID

Filesize
35KB

MD5
72b36c12497445f37160a6d0161cb995

SHA1
da8f1a93a7bc5ef1ee0430367dcd776c646b6cbe

SHA256
4761f4a8b757b9c6cf7bb37bdf973b4a09e7bf93d3d21149172ec77a3ccd9552

SHA512
a0707acb63702f1e095887eef1f130991233a329a5c142a33cef3243682be6742b046fba186ada03970ad2af50a5a161026f2146f4f5d7930fff4961b8dccf32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QbLYCBPGXPbYIDYcPIDgL.cmd

Filesize
915KB

MD5
e01ced5c12390ff5256694eda890b33a

SHA1
0bb74a9d3154d1269e5e456aa41e94b60f753f78

SHA256
66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba

SHA512
93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bDBQhIKXVVbP

Filesize
452KB

MD5
ad73d8fae345ee6c61d81f9c9b6abe73

SHA1
e26043ea314136beaf98e7bcfcc902b60282c412

SHA256
978222e1962291bf90244b8593c90a14251fbcd4f313ef1e4619e4c83c72bac5

SHA512
f696356c32fc101ce6c7096edb8c95ec1b6363102e18c924292db862e2cc88fc7ed87c93f43ad8c5955c1e59eb0d0004dd4140db0649557368ce24dd850be39d

Download Submit
memory/3080-18-0x0000000000410000-0x0000000000488000-memory.dmp

Filesize
480KB

Download
memory/3080-23-0x0000000073AA2000-0x0000000073AA3000-memory.dmp

Filesize
4KB

Download
memory/3080-26-0x0000000073AA0000-0x0000000074051000-memory.dmp

Filesize
5.7MB

Download
memory/3080-27-0x0000000073AA0000-0x0000000074051000-memory.dmp

Filesize
5.7MB

Download
memory/3080-30-0x0000000073AA2000-0x0000000073AA3000-memory.dmp

Filesize
4KB

Download
memory/3080-31-0x0000000073AA0000-0x0000000074051000-memory.dmp

Filesize
5.7MB

Download
memory/4848-17-0x00000000018A0000-0x00000000018A1000-memory.dmp

Filesize
4KB

Download