Analysis
- max time kernel: 295s
- max time network: 317s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 11/07/2024, 10:17
- Static task static1
- Behavioral task behavioral1: sample Neo/LuminarNeoSetup-2.bin, resource win7-20240705-en
- Behavioral task behavioral2: sample Neo/LuminarNeoSetup-2.bin, resource win10v2004-20240709-en
- Behavioral task behavioral3: sample Neo/LuminarNeoSetup.exe, resource win7-20240704-en
- Behavioral task behavioral4: sample Neo/LuminarNeoSetup.exe, resource win10v2004-20240709-en
- Behavioral task behavioral5: sample Neo/Reg.reg, resource win7-20240704-en
- Behavioral task behavioral6: sample Neo/Reg.reg, resource win10v2004-20240709-en
- Behavioral task behavioral7: sample Neo/rapidgator.net.url, resource win7-20240705-en
- Behavioral task behavioral8: sample Neo/rapidgator.net.url, resource win10v2004-20240709-en
General
- Target: Neo/LuminarNeoSetup-2.bin
- Size: 664.7MB
- MD5: 2228749f99e227228cba73c286da66cb
- SHA1: 32d9546d5f0d319999ff438b05543331f1523dd9
- SHA256: f42b757466fcdecfe579d77ecad12992190dda3a0beea04b975afbd5423176c1
- SHA512: 7047123d41c86ba284e04e11f1ee97268f338a96dc3e593525c69dcedb0139c7c0fd63c1a4920dec5b92461125be53beba465484da58e442d500c860d448fb84
- SSDEEP: 12582912:c/kDG6r1eqQCzzfbzWvgoRmJqW2yh2bpnUGFXcFF1EZBBSfid96wrQViS:4T6ZpzzDz1oR2IdNtXGEcifO
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\bin_auto_file\shell | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\bin_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\.bin\ = "bin_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\.bin | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\bin_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\bin_auto_file\shell\Read\command | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_Classes\Local Settings | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\bin_auto_file\ | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | process
  2648 | AcroRd32.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | process
  Token: 33 | 296 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 296 | AUDIODG.EXE
  Token: 33 | 296 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 296 | AUDIODG.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  2648 | AcroRd32.exe
  2648 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | process | procid_target
  PID 1640 wrote to memory of 3036 | 1640 | cmd.exe | 31
  PID 1640 wrote to memory of 3036 | 1640 | cmd.exe | 31
  PID 1640 wrote to memory of 3036 | 1640 | cmd.exe | 31
  PID 3036 wrote to memory of 2648 | 3036 | rundll32.exe | 32
  PID 3036 wrote to memory of 2648 | 3036 | rundll32.exe | 32
  PID 3036 wrote to memory of 2648 | 3036 | rundll32.exe | 32
  PID 3036 wrote to memory of 2648 | 3036 | rundll32.exe | 32
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Neo\LuminarNeoSetup-2.bin
  PID: 1640
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Neo\LuminarNeoSetup-2.bin
    PID: 3036
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Neo\LuminarNeoSetup-2.bin"
      PID: 2648
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2284
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4f4
  PID: 296
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: acb0ea2ae727cb9bc0b26c89e08e6f25
  SHA1: e0e197ead988172cbcb8399556018e487cb519d5
  SHA256: 6d178f7221a6bd6dc071701eec565fad1a53ab2035d0f88852b63c42f8344647
  SHA512: 08aa312780011e23b6841c23f95d9239457f5806c4714104d69cf2c5c6a2dd8203aeef38e40ae87eee2d49accd0e120072a94aba9928f3070430a5315e5247b4