bddc96d4319f58401cba5bf9f8b7444d7dc9dec9855ca617925b640eda171dcc

Analysis

max time kernel
292s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Neo/LuminarNeoSetup.exe
Size

1.9MB
MD5

16803ffeb374f528e51ea55adbf9af7a
SHA1

ec65f1c4c3337caae83e654982398d9161441ae2
SHA256

044d976df8c968c8c88d58035ec8dcde723c556e0c30753e62b10f278319e063
SHA512

1d0fa9c8d9af7f6ec0e1eccf47d24b9118a27d28c47918a581ac3d12b3b587be4155fd6eda1ed5fb27c9fca8b4302b1598639a8a190fd578ab66d67f0bddb448
SSDEEP

24576:E4nXu/QSDTV+Bnvu8t7blM0ThB23vJtJjRFYlVKIqAzdGBoXKkmaGA8KoH:EqeNVijh83R1Ferzdh+Z7KoH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1196	LuminarNeoSetup.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Skylum\Luminar Neo\IM_MOD_RL_bgr_.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\IM_MOD_RL_info_.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\System.Private.CoreLib.ni.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\UIAutomationClientSideProviders.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\System.Configuration.ConfigurationManager.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\mi.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\CORE_RL_heif_.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\tbbmalloc_proxy.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\libGLESv2.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\api-ms-win-core-rtlsupport-l1-1-0.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\Common.Erase.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\System.IO.UnmanagedMemoryStream.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\vk_swiftshader.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\sos.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\MiplWrapper.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\mscordbi.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\opencv_imgcodecs470.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\zlib1.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\System.Security.Claims.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\System.Net.Http.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\CORE_RL_MagickCore_.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\System.Net.HttpListener.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\Common.Luminosity.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\System.Security.Cryptography.ProtectedData.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\LuminarAI.EducationCenter.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\api-ms-win-core-datetime-l1-1-0.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\IM_MOD_RL_mono_.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\CORE_RL_jpeg-turbo_.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\IM_MOD_RL_pnm_.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\mscordaccore_amd64_amd64_6.0.2623.60508.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\System.Xml.XPath.XDocument.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\api-ms-win-crt-conio-l1-1-0.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\IM_MOD_RL_jxl_.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\System.Xml.Serialization.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\System.Xml.XDocument.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\blas_win64_MT.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\CORE_RL_lzma_.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\Luminar.WebView.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\Luminar.Filters.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\IM_MOD_RL_vid_.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\opencv_ximgproc470.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\System.Security.Cryptography.Csp.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\gtest_main.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\System.IO.FileSystem.AccessControl.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\X11.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\IM_MOD_RL_dps_.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\IM_MOD_RL_debug_.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\System.Threading.Overlapped.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\IM_MOD_RL_vips_.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\Luminar Neo.exe	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\Microsoft.WindowsAPICodePack.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\IM_MOD_RL_clip_.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\IM_MOD_RL_fl32_.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\IM_MOD_RL_xcf_.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\PresentationFramework.Classic.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\System.Reflection.Metadata.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\VC_redist.x64.exe	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\Common.Notifications.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\CORE_RL_jpeg-xl_.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\System.Web.HttpUtility.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\IM_MOD_RL_clipboard_.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\IM_MOD_RL_tga_.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\api-ms-win-core-synch-l1-1-0.dll	LuminarNeoSetup.tmp
File opened for modification	C:\Program Files\Skylum\Luminar Neo\System.Text.Encoding.CodePages.dll	LuminarNeoSetup.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1196	LuminarNeoSetup.tmp
1196	LuminarNeoSetup.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1196	LuminarNeoSetup.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 1196	736	LuminarNeoSetup.exe	84
PID 736 wrote to memory of 1196	736	LuminarNeoSetup.exe	84
PID 736 wrote to memory of 1196	736	LuminarNeoSetup.exe	84

C:\Users\Admin\AppData\Local\Temp\Neo\LuminarNeoSetup.exe
"C:\Users\Admin\AppData\Local\Temp\Neo\LuminarNeoSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:736
- C:\Users\Admin\AppData\Local\Temp\is-73JDD.tmp\LuminarNeoSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-73JDD.tmp\LuminarNeoSetup.tmp" /SL5="$80054,920064,0,C:\Users\Admin\AppData\Local\Temp\Neo\LuminarNeoSetup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-73JDD.tmp\LuminarNeoSetup.tmp

Filesize
2.6MB

MD5
771671db95bedca4a7767e0fe053ddba

SHA1
a843acfbbe8399608f531b490cddcc57019b9a3a

SHA256
b3ae8aeacf2bbd4ba09cc4b1c3c7cbec99550e2082aeb8848765b65c04d61b1f

SHA512
c0b8fad993ce158bcc5a0f0b8f923d889162e087d296b679d5a5e07e8d7e2897de302c7cf3080368eff48e825dfc1c01b8490d52a5c7ef4626134bc90a9b612f

Download Submit
memory/736-0-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/736-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/736-8-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1196-6-0x0000000000400000-0x00000000006A4000-memory.dmp

Filesize
2.6MB

Download
memory/1196-9-0x0000000000400000-0x00000000006A4000-memory.dmp

Filesize
2.6MB

Download
memory/1196-36-0x0000000000400000-0x00000000006A4000-memory.dmp

Filesize
2.6MB

Download
memory/1196-38-0x0000000000400000-0x00000000006A4000-memory.dmp

Filesize
2.6MB

Download