a75e4f711403d68bb7c41f5117864340d86b29650c5db42b58438bdc37f8c289

Resubmissions

11/02/2023, 18:10

230211-wscc9aed57 8

11/02/2023, 18:06

230211-wp5kmaec83 6

Analysis

max time kernel
327s
max time network
335s
platform
windows7_x64
resource
win7-20221111-es
resource tags

arch:x64arch:x86image:win7-20221111-eslocale:es-esos:windows7-x64systemwindows
submitted
11/02/2023, 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lunar Cracked 2.0/2.0/Lunar Cracked 2.0 JCrick.exe
Size

155KB
MD5

a47d2d310133c49379968408966623f9
SHA1

1023eb2a64197189f8e3d0c425ef33d8b275f189
SHA256

28a56c6f5e69db9da87e986c263f267294ca2ea6da7612ff688094925440e561
SHA512

5a5f54e8d161a8567826822222d7af99023bcfc10c7688236ef0f80f1df6f473d14a89f663df7a504dbaa6d252fb956326584105836979ead2a7a97680b6bbd9
SSDEEP

3072:YahKyd2n31/5GWp1icKAArDZz4N9GhbkrNEk13NT:YahOXp0yN90QEe

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	Lunar Cracked 2.0 JCrick.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Lunar Cracked 2.0 JCrick.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1092	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1092	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 1092	1244	Lunar Cracked 2.0 JCrick.exe	28
PID 1244 wrote to memory of 1092	1244	Lunar Cracked 2.0 JCrick.exe	28
PID 1244 wrote to memory of 1092	1244	Lunar Cracked 2.0 JCrick.exe	28

C:\Users\Admin\AppData\Local\Temp\Lunar Cracked 2.0\2.0\Lunar Cracked 2.0 JCrick.exe
"C:\Users\Admin\AppData\Local\Temp\Lunar Cracked 2.0\2.0\Lunar Cracked 2.0 JCrick.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -File launcher.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\launcher.ps1

Filesize
2KB

MD5
34971e3999e85fc1e4ac673815febf05

SHA1
4041d1e879cd8cc7c686cb7218df8341c5a6a6ab

SHA256
15bacbb40d3e20de76c1e0062ebd167ef39a65eb476a38ae7da7d2df8880d562

SHA512
04c4e8eac629209785e115fcc78a8c99a7e65ef49f47044ff8929ad5c5584108fd6a4b8a12c4c37645f4566ecee8133a03153302aeab68aa9d1e917275190cd0

Download Submit
memory/1092-57-0x000007FEF30D0000-0x000007FEF3AF3000-memory.dmp

Filesize
10.1MB

Download
memory/1092-58-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/1092-59-0x000007FEEE320000-0x000007FEEEE7D000-memory.dmp

Filesize
11.4MB

Download
memory/1092-60-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/1092-62-0x000000000256B000-0x000000000258A000-memory.dmp

Filesize
124KB

Download
memory/1092-63-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/1092-64-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/1092-65-0x000000000256B000-0x000000000258A000-memory.dmp

Filesize
124KB

Download
memory/1244-54-0x000007FEFB551000-0x000007FEFB553000-memory.dmp

Filesize
8KB

Download