File name:

LuminosityLink.bin

Full analysis: https://app.any.run/tasks/5087a6af-bd3a-4373-89b6-e610b968bd6d
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Malware Trends Tracker     >>>
Analysis date: June 27, 2024, 12:24:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
miner
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

516E4E9FAA2040830ABA8F5EBC116CEC

SHA1:

DEB133E2A7C7E6EA374533BA2CBB97F1F26FE4CF

SHA256:

F0C6BD170BE6A9356D706A90BB7339F72AFB235AA17515748D02D14B35C15A29

SSDEEP:

98304:EMqPctlOEZJvlt0265kKd0Zhfad9QcSrqU966blCVpa6WE2+wv6+35DGdfknZ6nV:y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • LuminosityLink.bin.exe (PID: 3416)
      • svch34.exe (PID: 2100)

    • Create files in the Startup directory

      • svch34.exe (PID: 2100)

    • Connects to the CnC server

      • vbc.exe (PID: 2980)

  • SUSPICIOUS

    • Reads the Internet Settings

      • LuminosityLink.bin.exe (PID: 3416)
      • LuminosityLink.exe (PID: 3100)

    • Reads security settings of Internet Explorer

      • LuminosityLink.bin.exe (PID: 3416)

    • Executable content was dropped or overwritten

      • LuminosityLink.bin.exe (PID: 3416)
      • svch34.exe (PID: 2100)

    • The process executes VB scripts

      • svch34.exe (PID: 2100)

    • Crypto Currency Mining Activity Detected

      • vbc.exe (PID: 2980)

    • Potential Corporate Privacy Violation

      • vbc.exe (PID: 2980)

  • INFO

    • Reads the computer name

      • LuminosityLink.bin.exe (PID: 3416)
      • svch34.exe (PID: 2100)
      • vbc.exe (PID: 2980)
      • LuminosityLink.exe (PID: 3100)

    • Creates files or folders in the user directory

      • LuminosityLink.bin.exe (PID: 3416)
      • LuminosityLink.exe (PID: 3100)
      • svch34.exe (PID: 2100)

    • Checks supported languages

      • LuminosityLink.bin.exe (PID: 3416)
      • LuminosityLink.exe (PID: 3100)
      • svch34.exe (PID: 2100)
      • vbc.exe (PID: 2980)

    • Reads the machine GUID from the registry

      • LuminosityLink.bin.exe (PID: 3416)
      • LuminosityLink.exe (PID: 3100)
      • vbc.exe (PID: 2980)

    • Disables trace logs

      • LuminosityLink.exe (PID: 3100)

    • Reads Environment values

      • LuminosityLink.exe (PID: 3100)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:11:04 15:50:58+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 5103104
InitializedDataSize: 6144
UninitializedDataSize: -
EntryPoint: 0x4dfd5e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.1.0.0
ProductVersionNumber: 1.1.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: System Administration Tool
CompanyName: Luminosity.Link
FileDescription: LuminosityLink
FileVersion: 1.1.0.0
InternalName: LuminosityLink.exe
LegalCopyright: Copyright © 2015 KFC Watermelon
LegalTrademarks: LuminosityLink
OriginalFileName: LuminosityLink.exe
ProductName: LuminosityLink
ProductVersion: 1.1.0.0
AssemblyVersion: 1.1.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start luminositylink.bin.exe luminositylink.exe no specs luminositylink.exe svch34.exe vbc.exe

Process information

PID
CMD
Path
Indicators
Parent process
2100"C:\Users\admin\AppData\Roaming\svch34.exe" C:\Users\admin\AppData\Roaming\svch34.exe
LuminosityLink.bin.exe
User:
admin
Company:
Microsoft
Integrity Level:
MEDIUM
Description:
SysUpdate
Version:
2.0.0.1
Modules
Images
c:\users\admin\appdata\roaming\svch34.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2980C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe --donate-level 1 -opool.minemonero.pro:80 -u 43rNHCDmDyLfuva3DKLgb31RgvZdrPoG68wuv3JcPgAH36wKoKaDahThLGjhGwLfqJCPLWgrFtfszXAknLLCCGJCMVLdUrQ -p USER-PC -t 2C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
svch34.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Version:
8.0.50727.5483
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
3100"C:\Users\admin\AppData\Roaming\LuminosityLink.exe" C:\Users\admin\AppData\Roaming\LuminosityLink.exe
LuminosityLink.bin.exe
User:
admin
Company:
Luminosity.Link
Integrity Level:
HIGH
Description:
LuminosityLink
Version:
1.1.0.0
Modules
Images
c:\users\admin\appdata\roaming\luminositylink.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3252"C:\Users\admin\AppData\Roaming\LuminosityLink.exe" C:\Users\admin\AppData\Roaming\LuminosityLink.exeLuminosityLink.bin.exe
User:
admin
Company:
Luminosity.Link
Integrity Level:
MEDIUM
Description:
LuminosityLink
Exit code:
3221226540
Version:
1.1.0.0
Modules
Images
c:\users\admin\appdata\roaming\luminositylink.exe
c:\windows\system32\ntdll.dll
3416"C:\Users\admin\Desktop\LuminosityLink.bin.exe" C:\Users\admin\Desktop\LuminosityLink.bin.exe
explorer.exe
User:
admin
Company:
Luminosity.Link
Integrity Level:
MEDIUM
Description:
LuminosityLink
Exit code:
0
Version:
1.1.0.0
Modules
Images
c:\users\admin\desktop\luminositylink.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
4 262
Read events
4 236
Write events
26
Delete events
0

Modification events

(PID) Process:(3416) LuminosityLink.bin.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3416) LuminosityLink.bin.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3416) LuminosityLink.bin.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3416) LuminosityLink.bin.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3100) LuminosityLink.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\LuminosityLink_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3100) LuminosityLink.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\LuminosityLink_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3100) LuminosityLink.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\LuminosityLink_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(3100) LuminosityLink.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\LuminosityLink_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(3100) LuminosityLink.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\LuminosityLink_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3100) LuminosityLink.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\LuminosityLink_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
Executable files
4
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2100svch34.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4h6f6awmv7wz.exeexecutable
MD5:F9401F60BC20A016506B6F68DCA40FA2
SHA256:DDABA14A017DD5A54914947E45F40168AA67439936BD4B0ADFE5A726FE29243B
2100svch34.exeC:\Users\admin\AppData\Local\4h6f6awmv7wz.exeexecutable
MD5:F9401F60BC20A016506B6F68DCA40FA2
SHA256:DDABA14A017DD5A54914947E45F40168AA67439936BD4B0ADFE5A726FE29243B
2100svch34.exeC:\Users\admin\AppData\Local\oldmintext
MD5:99D35937CB6CDEB410DFEDEA83361F6A
SHA256:321396426D940DAE026E5B85FFACC9D3B86055AE7A338C5DBFB4C855A652451D
3416LuminosityLink.bin.exeC:\Users\admin\AppData\Roaming\svch34.exeexecutable
MD5:F9401F60BC20A016506B6F68DCA40FA2
SHA256:DDABA14A017DD5A54914947E45F40168AA67439936BD4B0ADFE5A726FE29243B
3416LuminosityLink.bin.exeC:\Users\admin\AppData\Roaming\LuminosityLink.exeexecutable
MD5:95BE46C0DECE46ED2663998B8E7A24C3
SHA256:B54322095BA18E1763DDCDEA4580662B923B8A393A7C1881BA6D571E28AF2B22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
22
DNS requests
7
Threats
17

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3100
LuminosityLink.exe
GET
301
162.125.72.15:80
http://dl.dropboxusercontent.com/u/31424042/Luminosity/GeoIP.dat
unknown
unknown
1372
svchost.exe
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
unknown
1060
svchost.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8f69642324cc87bd
unknown
unknown
1372
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
1372
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
1372
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1060
svchost.exe
224.0.0.252:5355
unknown
2564
svchost.exe
239.255.255.250:3702
whitelisted
4
System
192.168.100.255:138
whitelisted
3100
LuminosityLink.exe
162.125.72.15:80
dl.dropboxusercontent.com
DROPBOX
US
unknown
3100
LuminosityLink.exe
162.125.72.15:443
dl.dropboxusercontent.com
DROPBOX
US
unknown
1372
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1372
svchost.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted

DNS requests

Domain
IP
Reputation
dl.dropboxusercontent.com
  • 162.125.72.15
shared
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
  • 199.232.210.172
  • 199.232.214.172
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
pool.minemonero.pro
  • 188.114.96.3
  • 188.114.97.3
unknown

Threats

PID
Process
Class
Message
3100
LuminosityLink.exe
Misc activity
ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
3100
LuminosityLink.exe
Misc activity
ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
2980
vbc.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
2980
vbc.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
2980
vbc.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
2980
vbc.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
2980
vbc.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
2980
vbc.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
2980
vbc.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
2980
vbc.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
LuminosityLink.bin