bddc96d4319f58401cba5bf9f8b7444d7dc9dec9855ca617925b640eda171dcc

Analysis

max time kernel
295s
max time network
317s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Neo/LuminarNeoSetup-2.bin
Size

664.7MB
MD5

2228749f99e227228cba73c286da66cb
SHA1

32d9546d5f0d319999ff438b05543331f1523dd9
SHA256

f42b757466fcdecfe579d77ecad12992190dda3a0beea04b975afbd5423176c1
SHA512

7047123d41c86ba284e04e11f1ee97268f338a96dc3e593525c69dcedb0139c7c0fd63c1a4920dec5b92461125be53beba465484da58e442d500c860d448fb84
SSDEEP

12582912:c/kDG6r1eqQCzzfbzWvgoRmJqW2yh2bpnUGFXcFF1EZBBSfid96wrQViS:4T6ZpzzDz1oR2IdNtXGEcifO

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\bin_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\bin_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\.bin\ = "bin_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\.bin	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\bin_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\bin_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\bin_auto_file\	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2648	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	296	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	296	AUDIODG.EXE
Token: 33	296	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	296	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2648	AcroRd32.exe
2648	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 3036	1640	cmd.exe	31
PID 1640 wrote to memory of 3036	1640	cmd.exe	31
PID 1640 wrote to memory of 3036	1640	cmd.exe	31
PID 3036 wrote to memory of 2648	3036	rundll32.exe	32
PID 3036 wrote to memory of 2648	3036	rundll32.exe	32
PID 3036 wrote to memory of 2648	3036	rundll32.exe	32
PID 3036 wrote to memory of 2648	3036	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Neo\LuminarNeoSetup-2.bin
1⤵
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Neo\LuminarNeoSetup-2.bin
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Neo\LuminarNeoSetup-2.bin"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2648

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2284

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
acb0ea2ae727cb9bc0b26c89e08e6f25

SHA1
e0e197ead988172cbcb8399556018e487cb519d5

SHA256
6d178f7221a6bd6dc071701eec565fad1a53ab2035d0f88852b63c42f8344647

SHA512
08aa312780011e23b6841c23f95d9239457f5806c4714104d69cf2c5c6a2dd8203aeef38e40ae87eee2d49accd0e120072a94aba9928f3070430a5315e5247b4

Download Submit