luminosity | cbd083551f8dc04363c802ae11dc1d8c6280ad90f9438d14ce2cbbff949a306f

Analysis

max time kernel
149s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
17/04/2025, 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-17_0786b3ad59868a1b0ee4473c0ba9cf86_black-basta.exe
Size

1.6MB
MD5

0786b3ad59868a1b0ee4473c0ba9cf86
SHA1

6f20b197f037abdedf33e81845c09d0091ffd439
SHA256

cbd083551f8dc04363c802ae11dc1d8c6280ad90f9438d14ce2cbbff949a306f
SHA512

1af04092b6713667bd9abb1718e65e9d51f8946d9b609375112db1c21d6856afb69b65b6728a300077844378d27c7f26ba3db53f89a97b9f7fda864b03cea238
SSDEEP

24576:IZ52nQMF3fHOnVnmpXAJnSGDHP5Shf5H62bPb7Lg:IZ52nt3funVnKXAJPDv5ShhH

Score

10^/10

luminosity discovery rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity
Luminosity family
luminosity

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atieclxx.url	SysHex.exe

Executes dropped EXE 2 IoCs

pid	Process
3604	SysTskEdit.exe
5440	SysHex.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SysTskEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	SysTskEdit.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	SysTskEdit.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	SysTskEdit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe
5440	SysHex.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5440	SysHex.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
828	2025-04-17_0786b3ad59868a1b0ee4473c0ba9cf86_black-basta.exe
828	2025-04-17_0786b3ad59868a1b0ee4473c0ba9cf86_black-basta.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
828	2025-04-17_0786b3ad59868a1b0ee4473c0ba9cf86_black-basta.exe
828	2025-04-17_0786b3ad59868a1b0ee4473c0ba9cf86_black-basta.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5440	SysHex.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 3604	828	2025-04-17_0786b3ad59868a1b0ee4473c0ba9cf86_black-basta.exe	78
PID 828 wrote to memory of 3604	828	2025-04-17_0786b3ad59868a1b0ee4473c0ba9cf86_black-basta.exe	78
PID 828 wrote to memory of 3604	828	2025-04-17_0786b3ad59868a1b0ee4473c0ba9cf86_black-basta.exe	78
PID 828 wrote to memory of 5440	828	2025-04-17_0786b3ad59868a1b0ee4473c0ba9cf86_black-basta.exe	79
PID 828 wrote to memory of 5440	828	2025-04-17_0786b3ad59868a1b0ee4473c0ba9cf86_black-basta.exe	79
PID 3604 wrote to memory of 1612	3604	SysTskEdit.exe	80
PID 3604 wrote to memory of 1612	3604	SysTskEdit.exe	80
PID 3604 wrote to memory of 1612	3604	SysTskEdit.exe	80

C:\Users\Admin\AppData\Local\Temp\2025-04-17_0786b3ad59868a1b0ee4473c0ba9cf86_black-basta.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-17_0786b3ad59868a1b0ee4473c0ba9cf86_black-basta.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Roaming\Microsoft\SysTskEdit.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\SysTskEdit.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /TN "Updates\Security Update Checker" /XML "C:\Users\Admin\AppData\Local\Temp\x"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1612
- C:\Users\Admin\AppData\Roaming\Microsoft\SysHex.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\SysHex.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5440

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x

Filesize
1KB

MD5
797ca96f83d02a0d905c6d38e5362130

SHA1
f452e67ae43c4418b5f5d1bc63590bf66270b4c7

SHA256
49795564481f44b77e2bc504d2ed99ff1ba9a9b18c16bd88331604bc89b343b6

SHA512
9c0070e6684fa72f639affe1dd4b8a0a8c7ca226b191e0ca2dfa492e69ecf1a5dd3d9bb28fc47ab49d71b3af438aa1fed83442d87785942bf81e1011e458c8c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\HexSys.dll

Filesize
5KB

MD5
d4f0ead3d57b99e4107b433116f67761

SHA1
def85833259fe3cfaf8e331e4f6539328f216256

SHA256
1d7d49d55413846037730b5e387195826254f601356e6b1998ee5bee75810621

SHA512
ca67fee920a57e060a039f0b0969355ac2ff8d10d96704c8955be9d877b4f7cbc7ac4c0ea04f13852933a886c9fe35c2e61929af53bde3b2a381cd573d427209

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysHex.exe

Filesize
15KB

MD5
acdde8409816de00e5ad3caa0c408281

SHA1
da6be139069d366a683a045d2934b8f2fa251ecb

SHA256
fca0ce253124352237c762862723fac05c5525e50194afc0ea55c88e449be76b

SHA512
c947edf42d76bd93d38124747693b2fc75f620dbdffc3d39283f12d3b0857c47496e3352d170c8c27aac9afb2ac4f6f169b0cefe12efda45e6e64b091a43a8bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysHex.exe.config

Filesize
942B

MD5
f883f377ce6eff0e46aedaf9ed496e3a

SHA1
fffe1141ab9d9fae36d0f74aa46095adb546fa78

SHA256
fafdb4554fd9d9c36b1d0f8911c670db71719907c2124c5d039b58fbd4e31186

SHA512
ea776fb0b6eb1cd4c7a7f90e1bf4a78850e8a0f26cb1c45b3cb30f294c38335d35b70ec6b9bf5b5bafc2ae0e09c4eecf5ad17e200d139b2e66cc756398d11b31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysTskEdit.exe

Filesize
23KB

MD5
a5a9b9dcc78191820ff7655f6ebc6741

SHA1
c59ad66fc06c52281c8ab90541d45ddfa84dfad7

SHA256
4ae4b2103bd542a1b65a0a06227ec1f02c3c4ffb79a4f893901410dcba1c2e66

SHA512
09e79a3e6803157f54b68e07915a6f729c5357ee14262f6755faab343f7015fb93e50e973872f54ffddab80d6e06fb3d1f41da207771dfa522315c986c530b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\youtube.txt

Filesize
567KB

MD5
e41143c7b43e11f82f52cee2ef5026da

SHA1
e2c572b73e24f9389a984ad1fe5127714e876bc6

SHA256
4655f9583cf0058c009a3c40dec93a980237d08acc55ef353f1b98fd8df08075

SHA512
6d875b9e5464cefd3af80cbdab2064821326627b12ce4e504347bfc95871f6e111a535175a1affd5e54515250c8604b0acf43080db4176681ed298d36c83e87a

Download Submit
memory/3604-31-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/3604-16-0x0000000074DA1000-0x0000000074DA2000-memory.dmp

Filesize
4KB

Download
memory/3604-17-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/3604-18-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/5440-11-0x00007FFC59F73000-0x00007FFC59F75000-memory.dmp

Filesize
8KB

Download
memory/5440-15-0x0000000000D60000-0x0000000000D68000-memory.dmp

Filesize
32KB

Download
memory/5440-12-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/5440-33-0x0000000000BD0000-0x0000000000C1E000-memory.dmp

Filesize
312KB

Download
memory/5440-37-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

Filesize
64KB

Download