ab253ad26c8dc6b0f17e22b0329eed0b187da9cdd9a03e451d6839e6f6034447

Analysis

max time kernel
114s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab253ad26c8dc6b0f17e22b0329eed0b187da9cdd9a03e451d6839e6f6034447.exe
Size

6.4MB
MD5

99ef07ad489436b49f1021a882346c2a
SHA1

73d6ac8452af287635c9c30b82978b9ae3941ec2
SHA256

ab253ad26c8dc6b0f17e22b0329eed0b187da9cdd9a03e451d6839e6f6034447
SHA512

d1fb14daecf52b8062a83a2c939f187f314cffae1328e9720f9cb92c925f57a51793d78d2eb4e722ca0ec57f81801bac2767f6d51fc3c93ed8ab27933ff8d173
SSDEEP

98304:6D2cK+lrF6aBDNqzVCTLHigQO8GCbtClVkoOSfJNAUWPAboxTdusHhMm/+1z:6KcK+f6ctT7hQOSlobhCUWP+yddhi

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2980	Luminar Neo_Installer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ab253ad26c8dc6b0f17e22b0329eed0b187da9cdd9a03e451d6839e6f6034447.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	ab253ad26c8dc6b0f17e22b0329eed0b187da9cdd9a03e451d6839e6f6034447.exe
Token: SeDebugPrivilege	2980	Luminar Neo_Installer.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2980	2828	ab253ad26c8dc6b0f17e22b0329eed0b187da9cdd9a03e451d6839e6f6034447.exe	84
PID 2828 wrote to memory of 2980	2828	ab253ad26c8dc6b0f17e22b0329eed0b187da9cdd9a03e451d6839e6f6034447.exe	84

C:\Users\Admin\AppData\Local\Temp\ab253ad26c8dc6b0f17e22b0329eed0b187da9cdd9a03e451d6839e6f6034447.exe
"C:\Users\Admin\AppData\Local\Temp\ab253ad26c8dc6b0f17e22b0329eed0b187da9cdd9a03e451d6839e6f6034447.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828
- C:\ProgramData\Luminar Neo\Temp\Luminar Neo_Installer.exe
  "C:\ProgramData\Luminar Neo\Temp\Luminar Neo_Installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Luminar Neo\Temp\Luminar Neo_Installer.exe

Filesize
6.4MB

MD5
99ef07ad489436b49f1021a882346c2a

SHA1
73d6ac8452af287635c9c30b82978b9ae3941ec2

SHA256
ab253ad26c8dc6b0f17e22b0329eed0b187da9cdd9a03e451d6839e6f6034447

SHA512
d1fb14daecf52b8062a83a2c939f187f314cffae1328e9720f9cb92c925f57a51793d78d2eb4e722ca0ec57f81801bac2767f6d51fc3c93ed8ab27933ff8d173

Download Submit
C:\ProgramData\Luminar Neo\Temp\Luminar Neo_Installer.exe

Filesize
6.4MB

MD5
99ef07ad489436b49f1021a882346c2a

SHA1
73d6ac8452af287635c9c30b82978b9ae3941ec2

SHA256
ab253ad26c8dc6b0f17e22b0329eed0b187da9cdd9a03e451d6839e6f6034447

SHA512
d1fb14daecf52b8062a83a2c939f187f314cffae1328e9720f9cb92c925f57a51793d78d2eb4e722ca0ec57f81801bac2767f6d51fc3c93ed8ab27933ff8d173

Download Submit
C:\Users\Admin\AppData\Roaming\Luminar Neo\InstallSettings.xml

Filesize
299B

MD5
70153e8ab1df98b52001a6b1caf9ec69

SHA1
28dbdfc83fd2eba1e73a4f4a5675321d9b76fc8c

SHA256
2a4eb389fd244d23d1006760ecd8607722b624f9a2d8f4e743f87243c89bd4c3

SHA512
ade5e199fc863950b357ff4a5b7e135e94148ee3cbd55ae8c5067b6f4e9c4849bda4b827e354604821bb9e0dcffc9fb39ef609af8d39f3a754b3f676a549a482

Download Submit
C:\Users\Admin\AppData\Roaming\Luminar Neo\id.dat

Filesize
3B

MD5
941e1aaaba585b952b62c14a3a175a61

SHA1
9d4650d4e8944e0ebf5c32dd9706abc74343e3a8

SHA256
caa1aedb2a6ce96b39b9fde1a49e1ebcb431b6da4586da0aef56df9b78221d60

SHA512
c8ece451c769e107e3f32c6f8bc0ba61819959335c9b49167667f954f68187fbb89425a6b3d870c7d3f6ee87fdb39c3519e7d968b53f27d8c60110c89aea16f6

Download Submit
memory/2828-133-0x00007FF98FDF0000-0x00007FF9908B1000-memory.dmp

Filesize
10.8MB

Download
memory/2828-137-0x00007FF98FDF0000-0x00007FF9908B1000-memory.dmp

Filesize
10.8MB

Download
memory/2828-132-0x000001A2AE8C0000-0x000001A2AEF24000-memory.dmp

Filesize
6.4MB

Download
memory/2980-138-0x00007FF98FDF0000-0x00007FF9908B1000-memory.dmp

Filesize
10.8MB

Download
memory/2980-141-0x000001C243AE0000-0x000001C243AE8000-memory.dmp

Filesize
32KB

Download
memory/2980-142-0x000001C2444E0000-0x000001C244518000-memory.dmp

Filesize
224KB

Download
memory/2980-143-0x000001C2444B0000-0x000001C2444BE000-memory.dmp

Filesize
56KB

Download
memory/2980-144-0x000001C246980000-0x000001C246B42000-memory.dmp

Filesize
1.8MB

Download
memory/2980-145-0x00007FF98FDF0000-0x00007FF9908B1000-memory.dmp

Filesize
10.8MB

Download