hxxp://api[.]lunamedia[.]io

Analysis

max time kernel
60s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2023, 07:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://api.lunamedia.io

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2456	4104	WerFault.exe	91

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133298279578154432"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3364	chrome.exe
3364	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 4396	3364	chrome.exe	84
PID 3364 wrote to memory of 4396	3364	chrome.exe	84
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 4024	3364	chrome.exe	85
PID 3364 wrote to memory of 2196	3364	chrome.exe	86
PID 3364 wrote to memory of 2196	3364	chrome.exe	86
PID 3364 wrote to memory of 4748	3364	chrome.exe	87
PID 3364 wrote to memory of 4748	3364	chrome.exe	87
PID 3364 wrote to memory of 4748	3364	chrome.exe	87
PID 3364 wrote to memory of 4748	3364	chrome.exe	87
PID 3364 wrote to memory of 4748	3364	chrome.exe	87
PID 3364 wrote to memory of 4748	3364	chrome.exe	87
PID 3364 wrote to memory of 4748	3364	chrome.exe	87
PID 3364 wrote to memory of 4748	3364	chrome.exe	87
PID 3364 wrote to memory of 4748	3364	chrome.exe	87
PID 3364 wrote to memory of 4748	3364	chrome.exe	87
PID 3364 wrote to memory of 4748	3364	chrome.exe	87
PID 3364 wrote to memory of 4748	3364	chrome.exe	87
PID 3364 wrote to memory of 4748	3364	chrome.exe	87
PID 3364 wrote to memory of 4748	3364	chrome.exe	87
PID 3364 wrote to memory of 4748	3364	chrome.exe	87
PID 3364 wrote to memory of 4748	3364	chrome.exe	87
PID 3364 wrote to memory of 4748	3364	chrome.exe	87
PID 3364 wrote to memory of 4748	3364	chrome.exe	87
PID 3364 wrote to memory of 4748	3364	chrome.exe	87
PID 3364 wrote to memory of 4748	3364	chrome.exe	87
PID 3364 wrote to memory of 4748	3364	chrome.exe	87
PID 3364 wrote to memory of 4748	3364	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://api.lunamedia.io
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd44349758,0x7ffd44349768,0x7ffd44349778
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1856 --field-trial-handle=1840,i,8886058815037093826,12301695127379258416,131072 /prefetch:2
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1840,i,8886058815037093826,12301695127379258416,131072 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1840,i,8886058815037093826,12301695127379258416,131072 /prefetch:8
  2⤵
  PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1840,i,8886058815037093826,12301695127379258416,131072 /prefetch:1
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1840,i,8886058815037093826,12301695127379258416,131072 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4740 --field-trial-handle=1840,i,8886058815037093826,12301695127379258416,131072 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1840,i,8886058815037093826,12301695127379258416,131072 /prefetch:8
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1840,i,8886058815037093826,12301695127379258416,131072 /prefetch:8
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5032 --field-trial-handle=1840,i,8886058815037093826,12301695127379258416,131072 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1840,i,8886058815037093826,12301695127379258416,131072 /prefetch:8
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3944 --field-trial-handle=1840,i,8886058815037093826,12301695127379258416,131072 /prefetch:8
  2⤵
  PID:4300

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4700

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 4104 -ip 4104
1⤵
PID:4584

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4104 -s 1772
1⤵
- Program crash
PID:2456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
cf289e735c49dc770d6f40981cd2700d

SHA1
bf59e1903f650e7281f3ed0526897ab51b25d0d8

SHA256
8807360019da9897b9bff776acf0800975557a4de0eb5251f71745a35e7a45e1

SHA512
c597c2427f1b2e4d21f71d090185d62ff770490aa20f2de74dc25b8ad0b1f5f0f0cc916404db851168d721e8ae6fad0fa821f689aafa720d05292ff0f765fa11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7232d150d1834ac55c0521ed044a861d

SHA1
4b26a88cd88b1e6a5712cd32799589b051b67b12

SHA256
1a94001d4e8f7fc627a3c7f8774f380d3abc3a88d43047d8b820b3c963562165

SHA512
53f46dd94b035417f7c3bf27e2cfe57a02011378fca4b7dc0460bebb776c43538b5cf34bbc2382894df676d5560fe02aac417c309d620fee994bd9c01ab9c426

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d750ee1b3e033957aa15414cdde9c2e6

SHA1
1cbcf824abbe61e04c08026e1dd4398519b4b854

SHA256
54131ff22ac8fb249400db74ba360f754f6bc6391d2283bba5f7de921e483e0f

SHA512
446636ca3885f423f458952e02c211eaaec6c944b5adb5f358be09c44f2a8f2d3eaa324181f79d09650fc4a3428f82ea6d435a6e39b9452ecc1a16c092b5a50d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8d930d8cdb9c18d4f1b2b376e4147691

SHA1
37dd389a1d8c8dc3d8f5d79e836ce4b38cec37b7

SHA256
52d9f1bc74e4edc0ad666bc4fe29be6cfce5792b84be2b4ef79bec47338ef607

SHA512
d55430be7d691736057d246df5d2ca310b904d584051d960afdcbb7b728573ff0fd4a3c7e211515e6d35adced34e9bfe11fdafd6b458705ebc150b725d7b38c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d915de8bc91c6435ad899778daf1c691

SHA1
8da9e2c0fbd36e8ee15eeced52f5a7f2996dc86a

SHA256
58f901c811805e0a55c25cc45c303ca89a6c5481faf6a131666e364166c5b274

SHA512
3127aa3d0100d90f64942774d833d6d1ff25b8c2c0279526bb9164d64b3a5f25ffad83e2ebe485e9b62d2cbdd1f21a87d4d488813d11445ed23443a4b50af005

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
72KB

MD5
dee9dc8506e40e3d382c62930c694d7a

SHA1
bd3a80c837588fd884b5836e04d856d299f170cd

SHA256
deed9dbdc2206fac856bd29113acddf580e52977fe7e0165571c87011b48de66

SHA512
a522cb3b1d83441af6df70b64c2e370158f1de55ca573cc1a19580b3e4485b40efd08c319d0c4d19137dba09350c8f72c55cdb647ff116b995ae096bab7dbd4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
156KB

MD5
86a155b822d769236a8d8e881e339331

SHA1
a30ab5a077e888ddd3a0057eca04fd8ea8224a26

SHA256
680814f987f8e43ffa14689383bda0dcf144bdd69d3647bd753b6dd3a90f7151

SHA512
bc36237396691f9ea5c07a7159b142531a24b73262f0512df48ec8bf1d39cdd8dcc99df7ed17529132e9447bf9c58c38dcf3948b80f32d28565fee4ae7c48d64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit