183c1ce5ac789cdd12e75554804dc4a1f635eb5f7d239eccd987475afa82aaf6

Analysis

max time kernel
29s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12/03/2023, 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lunar Client v2.15.1.exe
Size

754KB
MD5

ec7ffaaf4aa860d1d0b843b5de15ac59
SHA1

8fa9b0ab0790149cb563d4d27ec8954e9ddb969f
SHA256

183c1ce5ac789cdd12e75554804dc4a1f635eb5f7d239eccd987475afa82aaf6
SHA512

44950aec9adb9e144cbe72ac4c3b652a748193c652d4558a04b3b9c995888869085e8c5d23f8e8030862ab26c744eb482d5affe0747ccf20fb0a9f41f527b736
SSDEEP

12288:5Meeeeeeeeeeeeeeee7eeeeeeeeeeeeeezeeeeeeeeeeeeeeeeee7eeeeeeeeee2:57IF0HL8MaDu173pG1szLSvJwCU4h0/r

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 12 IoCs

pid	Process
1556	Lunar Client v2.15.1.exe
1556	Lunar Client v2.15.1.exe
1556	Lunar Client v2.15.1.exe
1556	Lunar Client v2.15.1.exe
1556	Lunar Client v2.15.1.exe
1556	Lunar Client v2.15.1.exe
1556	Lunar Client v2.15.1.exe
1556	Lunar Client v2.15.1.exe
1556	Lunar Client v2.15.1.exe
1556	Lunar Client v2.15.1.exe
1556	Lunar Client v2.15.1.exe
1556	Lunar Client v2.15.1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1556	Lunar Client v2.15.1.exe
1556	Lunar Client v2.15.1.exe
1556	Lunar Client v2.15.1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1556	Lunar Client v2.15.1.exe

C:\Users\Admin\AppData\Local\Temp\Lunar Client v2.15.1.exe
"C:\Users\Admin\AppData\Local\Temp\Lunar Client v2.15.1.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Users\Admin\AppData\Local\Programs\lunarclient\Lunar Client.exe
"C:\Users\Admin\AppData\Local\Programs\lunarclient\Lunar Client.exe"
1⤵
PID:992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\lunarclient\Lunar Client.exe

Filesize
13.4MB

MD5
9fabaf4f4d00a5669ce33e26e2ffff53

SHA1
3df5d7b7736828c799168c13b437d3a17b8dfc8a

SHA256
3a555f6a304b10eda0270036ec2ac53ed988985d6591dfde71c1e819fbe71727

SHA512
f7bdba0704a90f7a862e441964ec5458637903d950e617f4ada92fe1d005f41f9f0f3a5b2f957bef5d0cb76f2e7344830e473ebf269079c4af8cec265de031d0

Download Submit
C:\Users\Admin\AppData\Local\Programs\lunarclient\Lunar Client.exe

Filesize
2.6MB

MD5
719f6b515b445275b8c85fd772b689ac

SHA1
bff7a4c1e4aa0c9adc874d3097ca47330543f2cb

SHA256
e2f4f22bcd1859e71948fcaa473c15ee2a0b0de13ac77588c7f630f92c92b114

SHA512
3362f3b5e18e974d233aaf64ae53ca23d433f362ff026a0880079b6125d9c94607efa47acd9e05387348fb22d08c247288df754197447557176ccc2c48be3f9c

Download Submit
C:\Users\Admin\AppData\Local\Programs\lunarclient\ffmpeg.dll

Filesize
2.5MB

MD5
52093874ff7f952172621551682c667a

SHA1
f60a169d049d2599abd87764ecd1ea3250293a83

SHA256
5bf2c3abd7d5277898fc72b648adfb5f09c4b7ba9f7f2bf0aac1a93a4d3f59d6

SHA512
a8c646e333bc53ea453a219b259add5f837bdefd86b73182d887ddeb684af76feaad3dcd526536f0c87e90c6de76f23e71cc037599ee19defa21e9b1c2063d9a

Download Submit
C:\Users\Admin\AppData\Local\Programs\lunarclient\icudtl.dat

Filesize
1.9MB

MD5
af02044328074b71963e8c4a7fc54073

SHA1
33a7d4e4c3c47c3d67861fed1c1f5370d41cd953

SHA256
3e9413e2089c0a993222a32e604b239d2cad079f1b18ac76d60ab13986f2525e

SHA512
e222c16b50999a30d8cd505547fa190be5512f7653fba7850bee0de3213c77b88e7062ffc7fa269370352dc7414ce38b0eb41e9774adc6fb8d06c2d7d8b78ea8

Download Submit
C:\Users\Admin\AppData\Local\Programs\lunarclient\v8_context_snapshot.bin

Filesize
161KB

MD5
e47426f88649c7f8e27b8a1516cc0137

SHA1
5452aadfddbc55d6c5c18b801087e39529859b12

SHA256
09686ad5bf03d95de7c251d204e60a8e3824bd6420bedddee80b2c6e5609fb26

SHA512
f9647a35ff273ca622b3db4aefb9aaf75075386c42a31e085f916fc82f3a18fed25b0e05dcc09e678ca419408f59f0c34fa5762e5f945db35f9c6f67b7b94bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd40F8.tmp\INetC.dll

Filesize
238KB

MD5
38caa11a462b16538e0a3daeb2fc0eaf

SHA1
c22a190b83f4b6dc0d6a44b98eac1a89a78de55c

SHA256
ed04a4823f221e9197b8f3c3da1d6859ff5b176185bde2f1c923a442516c810a

SHA512
777135e05e908ac26bfce0a9c425b57f7132c1cdb0969bbb6ef625748c868860602bacc633c61cab36d0375b94b6bcfbd8bd8c7fa781495ef7332e362f8d44d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd40F8.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd40F8.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd40F8.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd40F8.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd40F8.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd40F8.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd40F8.tmp\package.7z

Filesize
60.7MB

MD5
b88ec63cae7c599ebf207c4d5bff9983

SHA1
ff3918e0473c6d68115996f4e6c091e3d14158e3

SHA256
dc0d8aa2c4913846de0718aadae51a7fa5a2da873b6e1ed0fbd163915c2a36e1

SHA512
ade0ca676093e222512394cb28bd85024da6f0e3ad027078d56d2dddcb447c5a92ebfd21db6d8dae5a746cf14464ef567abf470854338626787322ab06e31164

Download Submit
\Users\Admin\AppData\Local\Programs\lunarclient\Lunar Client.exe

Filesize
36.6MB

MD5
1b4f0a6171264349d2457d815e8db96c

SHA1
14253793c374be72c98b13f146ac91fe5fb860ec

SHA256
538af1b13d9eef5304e37d299008ab63899d1605a186ec2ae0f6efcc884ab388

SHA512
d8a6e2d40bad2a8a414a2907e02e509ff547753652773cb5d743f558aaf703f3ba4bded2dd06e0743399797e626cee8ac09f3ee81be6d7c80cafa963438412e3

Download Submit
\Users\Admin\AppData\Local\Programs\lunarclient\Lunar Client.exe

Filesize
14.1MB

MD5
721a36816cbf16d97d27b5bf34b336f0

SHA1
8ac2b040aaed6512e28746f7b222e96fbf4fe331

SHA256
4c2e45fc709f83b0162c2fc6bd5543e897f63c563f6884d862795e3daa307c79

SHA512
dd6bacb1cbf01527388df2de8742c26bcb53c8ff70615662c8e0d3622ee2c1048d3fc1f8bcb5d97d76b72bcbf94cc18d50ad66a69fbb8bdd4b75311a4a6acce5

Download Submit
\Users\Admin\AppData\Local\Programs\lunarclient\Lunar Client.exe

Filesize
14.0MB

MD5
feba9a16b5312372f89cb0c5de7f6a4e

SHA1
514a36b997e955ac900942e6adadfd5bdab67d90

SHA256
45cf59baa1396f0fd6bea104b72cfc3843b8613623891f14aad426c169a9c378

SHA512
3debb0c78f24348f58ae8c203cd138234958988be9ce5d5f24af39455293b526a08593a27f5aab206fd8b13ca1d3d27bed3e1dbd20cf70ba249952ebc444d1c6

Download Submit
\Users\Admin\AppData\Local\Programs\lunarclient\Lunar Client.exe

Filesize
13.9MB

MD5
93852b5f8cc40fe09b16cfbb3ae5d93b

SHA1
1f139b41ecdc6d7e7f49c118b4b9b3cc0d6b37a0

SHA256
8296a96c5c79832ec05d7f5f4904fc62377d82b79a2fd0fcebf144fbfebc1c61

SHA512
4e08dbf53077e071ce135ca6971d14f6a1c42702544ee77e9c9cb97b392c65e8a8fd78fe24f23d4e5f8753a56d90f7f944460210e302f218369202af997a8b27

Download Submit
\Users\Admin\AppData\Local\Programs\lunarclient\Lunar Client.exe

Filesize
384KB

MD5
fd33903f0468330d8da73703c2bed0f7

SHA1
f56e3e4eb89891c9efacb793c5c3e9ccba64c919

SHA256
8f5daeafdec2b61b00d20360c3709bdcef8549c1032f0901d2a23fdec313f7a3

SHA512
11fcf8077239a4b9d87aff30f16a3b36b4b85b8173daf01405fc332756f9a72bad9d165b9fa06c31f67972d5194d76bbae259abadceaed2c9f1054d95a9a27b0

Download Submit
\Users\Admin\AppData\Local\Programs\lunarclient\Lunar Client.exe

Filesize
12.0MB

MD5
0896dfc7f12bb653d3a0f55eb1726c72

SHA1
8278a14149e125116f4284316f2804c3853899e2

SHA256
3168ae1e654137d7ed5dd926d7e50184da8021d3e54ff2b1e8bc417eea60fd49

SHA512
ffdfed6e10512ef6e3bc97a8b51dd9910e1ff51a41465b4130eb4cdb4441a37a607aefba30c31a4dbda50f425527c8e163aaa90a20c88dee5ce52852683308cd

Download Submit
\Users\Admin\AppData\Local\Programs\lunarclient\Lunar Client.exe

Filesize
12.1MB

MD5
8fb0f3125d09b5e61577d341fcf7b8bf

SHA1
00d23363877a9d550e363a861acf98d765622af6

SHA256
2d3607ab4c5f373751aa73f941b56a647425c35f288648d501dd30a64790f18a

SHA512
523baa92f14afef776aa6b08506279e5a2b390edbceb5888953e5dc9d80cb349ec9ff867cfbdefd0fe2183d53f1209806f3235f49a384dd34eb905e1d4f953df

Download Submit
\Users\Admin\AppData\Local\Programs\lunarclient\Lunar Client.exe

Filesize
5.8MB

MD5
f42f134a7a89eb771fc483cebbd89096

SHA1
1e191508f6c68a3a4145bd77164d1e072dfcc9ff

SHA256
f813dc77699e5d05cf2c4b1cbd8b0016f61016102286ea8a7ddaffa310c8dc4a

SHA512
5df65274ecd0d2d2cfcf2024d4f905e935dc9980244a7bee4d739227ea744bba1fd62daf4a592d24b19f2427d5370a5ec735351cd799b65b756f8c0f9eef1914

Download Submit
\Users\Admin\AppData\Local\Programs\lunarclient\ffmpeg.dll

Filesize
2.4MB

MD5
bab95911f2d63b38b88f9fafdcd51254

SHA1
1f3fea858cefeaa61c2d0f3f1be386128dfdd8ed

SHA256
95aa0e9a5e646aaf6502c16fe15f988f9de1ab6d9bcb668d134adc6ff4e6a49c

SHA512
dcdde4b3d829054f07ccb25e2cc4f114743e3b3c99ef93ec1345512fa96be6fbe0431db63aa8fe400ec467506b4f59e4fbd09d6692b689cc9958b772cab405f9

Download Submit
\Users\Admin\AppData\Local\Temp\nsd40F8.tmp\INetC.dll

Filesize
238KB

MD5
38caa11a462b16538e0a3daeb2fc0eaf

SHA1
c22a190b83f4b6dc0d6a44b98eac1a89a78de55c

SHA256
ed04a4823f221e9197b8f3c3da1d6859ff5b176185bde2f1c923a442516c810a

SHA512
777135e05e908ac26bfce0a9c425b57f7132c1cdb0969bbb6ef625748c868860602bacc633c61cab36d0375b94b6bcfbd8bd8c7fa781495ef7332e362f8d44d1

Download Submit
\Users\Admin\AppData\Local\Temp\nsd40F8.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
\Users\Admin\AppData\Local\Temp\nsd40F8.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nsd40F8.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsd40F8.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd40F8.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd40F8.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nsd40F8.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/1556-293-0x0000000003530000-0x0000000003532000-memory.dmp

Filesize
8KB

Download