e20e764738d081f3f9b134dd6224aab6265a15055e45895d5c666f694bbc11e8

Resubmissions

30/01/2023, 22:59

230130-2ywlzaeg4t 9

30/01/2023, 22:57

230130-2xmmnsdb52 9

Analysis

max time kernel
150s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30/01/2023, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Moon_Loader.exe
Size

3.8MB
MD5

9e940f877a6735dc198f7544593501ce
SHA1

572e13a873f6d309ea1933df8025ca19ba9ec4fc
SHA256

e20e764738d081f3f9b134dd6224aab6265a15055e45895d5c666f694bbc11e8
SHA512

199e70532831177a00ca56ac7ac7823abe73890005c3a8aa03894128116c12fe04701c92df5cd57bb46d944ba50e327a5d07342b62fe3363db5f7315e89e9f63
SSDEEP

98304:QAFEqpT0W2hCCM5zkXfxST8BmI03r8yY0eGXnekCOzAs:QmpT0W2hCd5QXJSTuNSQyfegekDzJ

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Moon_Loader.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Moon_Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Moon_Loader.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/3104-132-0x00007FF62EE90000-0x00007FF62F8B2000-memory.dmp	themida
behavioral2/memory/3104-134-0x00007FF62EE90000-0x00007FF62F8B2000-memory.dmp	themida
behavioral2/memory/3104-135-0x00007FF62EE90000-0x00007FF62F8B2000-memory.dmp	themida
behavioral2/memory/3104-136-0x00007FF62EE90000-0x00007FF62F8B2000-memory.dmp	themida
behavioral2/memory/3104-137-0x00007FF62EE90000-0x00007FF62F8B2000-memory.dmp	themida
behavioral2/memory/3104-142-0x00007FF62EE90000-0x00007FF62F8B2000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Moon_Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3104	Moon_Loader.exe
3104	Moon_Loader.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4592	sc.exe
3380	sc.exe
4284	sc.exe

Kills process with taskkill 12 IoCs

evasion

pid	Process
4364	taskkill.exe
5048	taskkill.exe
4204	taskkill.exe
4664	taskkill.exe
4720	taskkill.exe
3280	taskkill.exe
3316	taskkill.exe
376	taskkill.exe
3812	taskkill.exe
4964	taskkill.exe
228	taskkill.exe
2408	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3104	Moon_Loader.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	228	taskkill.exe
Token: SeDebugPrivilege	2408	taskkill.exe
Token: SeDebugPrivilege	4720	taskkill.exe
Token: SeDebugPrivilege	3280	taskkill.exe
Token: SeDebugPrivilege	3316	taskkill.exe
Token: SeDebugPrivilege	4204	taskkill.exe
Token: SeDebugPrivilege	4664	taskkill.exe
Token: SeDebugPrivilege	376	taskkill.exe
Token: SeDebugPrivilege	3812	taskkill.exe
Token: SeDebugPrivilege	4964	taskkill.exe
Token: SeDebugPrivilege	4364	taskkill.exe
Token: SeDebugPrivilege	5048	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 2088	3104	Moon_Loader.exe	84
PID 3104 wrote to memory of 2088	3104	Moon_Loader.exe	84
PID 2088 wrote to memory of 228	2088	cmd.exe	85
PID 2088 wrote to memory of 228	2088	cmd.exe	85
PID 3104 wrote to memory of 1672	3104	Moon_Loader.exe	86
PID 3104 wrote to memory of 1672	3104	Moon_Loader.exe	86
PID 1672 wrote to memory of 2408	1672	cmd.exe	88
PID 1672 wrote to memory of 2408	1672	cmd.exe	88
PID 3104 wrote to memory of 4356	3104	Moon_Loader.exe	89
PID 3104 wrote to memory of 4356	3104	Moon_Loader.exe	89
PID 4356 wrote to memory of 4720	4356	cmd.exe	90
PID 4356 wrote to memory of 4720	4356	cmd.exe	90
PID 3104 wrote to memory of 4312	3104	Moon_Loader.exe	91
PID 3104 wrote to memory of 4312	3104	Moon_Loader.exe	91
PID 4312 wrote to memory of 4592	4312	cmd.exe	92
PID 4312 wrote to memory of 4592	4312	cmd.exe	92
PID 3104 wrote to memory of 4160	3104	Moon_Loader.exe	93
PID 3104 wrote to memory of 4160	3104	Moon_Loader.exe	93
PID 4160 wrote to memory of 3280	4160	cmd.exe	94
PID 4160 wrote to memory of 3280	4160	cmd.exe	94
PID 3104 wrote to memory of 3140	3104	Moon_Loader.exe	95
PID 3104 wrote to memory of 3140	3104	Moon_Loader.exe	95
PID 3104 wrote to memory of 4784	3104	Moon_Loader.exe	96
PID 3104 wrote to memory of 4784	3104	Moon_Loader.exe	96
PID 4784 wrote to memory of 5104	4784	cmd.exe	97
PID 4784 wrote to memory of 5104	4784	cmd.exe	97
PID 3104 wrote to memory of 3936	3104	Moon_Loader.exe	99
PID 3104 wrote to memory of 3936	3104	Moon_Loader.exe	99
PID 3936 wrote to memory of 3316	3936	cmd.exe	101
PID 3936 wrote to memory of 3316	3936	cmd.exe	101
PID 3104 wrote to memory of 2968	3104	Moon_Loader.exe	102
PID 3104 wrote to memory of 2968	3104	Moon_Loader.exe	102
PID 2968 wrote to memory of 4204	2968	cmd.exe	103
PID 2968 wrote to memory of 4204	2968	cmd.exe	103
PID 3104 wrote to memory of 740	3104	Moon_Loader.exe	104
PID 3104 wrote to memory of 740	3104	Moon_Loader.exe	104
PID 740 wrote to memory of 4664	740	cmd.exe	105
PID 740 wrote to memory of 4664	740	cmd.exe	105
PID 3104 wrote to memory of 8	3104	Moon_Loader.exe	106
PID 3104 wrote to memory of 8	3104	Moon_Loader.exe	106
PID 8 wrote to memory of 3380	8	cmd.exe	107
PID 8 wrote to memory of 3380	8	cmd.exe	107
PID 3104 wrote to memory of 3384	3104	Moon_Loader.exe	108
PID 3104 wrote to memory of 3384	3104	Moon_Loader.exe	108
PID 3384 wrote to memory of 376	3384	cmd.exe	109
PID 3384 wrote to memory of 376	3384	cmd.exe	109
PID 3104 wrote to memory of 1340	3104	Moon_Loader.exe	110
PID 3104 wrote to memory of 1340	3104	Moon_Loader.exe	110
PID 3104 wrote to memory of 2744	3104	Moon_Loader.exe	111
PID 3104 wrote to memory of 2744	3104	Moon_Loader.exe	111
PID 2744 wrote to memory of 3812	2744	cmd.exe	112
PID 2744 wrote to memory of 3812	2744	cmd.exe	112
PID 3104 wrote to memory of 4828	3104	Moon_Loader.exe	113
PID 3104 wrote to memory of 4828	3104	Moon_Loader.exe	113
PID 4828 wrote to memory of 4964	4828	cmd.exe	114
PID 4828 wrote to memory of 4964	4828	cmd.exe	114
PID 3104 wrote to memory of 680	3104	Moon_Loader.exe	115
PID 3104 wrote to memory of 680	3104	Moon_Loader.exe	115
PID 680 wrote to memory of 4364	680	cmd.exe	116
PID 680 wrote to memory of 4364	680	cmd.exe	116
PID 3104 wrote to memory of 4500	3104	Moon_Loader.exe	117
PID 3104 wrote to memory of 4500	3104	Moon_Loader.exe	117
PID 4500 wrote to memory of 4284	4500	cmd.exe	118
PID 4500 wrote to memory of 4284	4500	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\Moon_Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Moon_Loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:3140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile C:\Users\Admin\AppData\Local\Temp\Moon_Loader.exe MD5 >> C:\ProgramData\hash.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\system32\certutil.exe
    certutil -hashfile C:\Users\Admin\AppData\Local\Temp\Moon_Loader.exe MD5
    3⤵
    PID:5104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:1340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:5032
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hash.txt

Filesize
151B

MD5
40e652f7d2bcd7298965ba16480a4285

SHA1
78ccdee61554b50dd46182ef3476b89a53de4b67

SHA256
4f16068df66d23bbbdf0da07b874486c73336096f55968cdbcf827452f979188

SHA512
653d099d9613b5008d044dec3f2d9ee979651040c121147d89b308f26b94fb7de06c1eafe93650d053f0c9f8cb7c4f95ec2db9ac0d77d3c9347c69901ab0c372

Download Submit
memory/3104-143-0x00007FF871450000-0x00007FF871645000-memory.dmp

Filesize
2.0MB

Download
memory/3104-132-0x00007FF62EE90000-0x00007FF62F8B2000-memory.dmp

Filesize
10.1MB

Download
memory/3104-135-0x00007FF62EE90000-0x00007FF62F8B2000-memory.dmp

Filesize
10.1MB

Download
memory/3104-136-0x00007FF62EE90000-0x00007FF62F8B2000-memory.dmp

Filesize
10.1MB

Download
memory/3104-133-0x00007FF871450000-0x00007FF871645000-memory.dmp

Filesize
2.0MB

Download
memory/3104-137-0x00007FF62EE90000-0x00007FF62F8B2000-memory.dmp

Filesize
10.1MB

Download
memory/3104-134-0x00007FF62EE90000-0x00007FF62F8B2000-memory.dmp

Filesize
10.1MB

Download
memory/3104-142-0x00007FF62EE90000-0x00007FF62F8B2000-memory.dmp

Filesize
10.1MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads