hxxp://lunarclient[.]com

Resubmissions

26/06/2023, 19:32

230626-x84ywace3t 1

04/06/2023, 18:04

230604-wn2gksdf41 8

Analysis

max time kernel
42s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
26/06/2023, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://lunarclient.com

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f00c410665a8d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Software\Microsoft\Internet Explorer\DOMStorage\lunarclient.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31041637"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\lunarclient.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "57122457"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31041637"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2EBF9070-1458-11EE-8852-4EC9D7E6F97A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\lunarclient.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0f34c0665a8d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "57122457"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31041637"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000288d3b2652f30d4284f7c7f712a419580000000002000000000010660000000100002000000007bdde81215ac3fccdac04fd11362a85ef4a4b34ca2a8087364e96e7b1873a4a000000000e80000000020000200000006edf0ecbd9f3d263c22c4fceaae2481206897db7d4b2f440a8d6070a4b6645ec200000002c597446aab3f3ea910efd7d8bf94fb3728d88d57c64998f1c7acc92e24054a140000000bf42033f82d385bd088f0759897b5cc65dc4cd4e6530d035418da2cf851bb65a79c187ea4ae0cda59b4c0d8f5d1e211b1986d4591cb2a5e2086a395c1d50ad3e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "70557895"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000288d3b2652f30d4284f7c7f712a4195800000000020000000000106600000001000020000000dc9cd788e78740d3f6e6ea4d3b3abce0cbdfe2d8683f64c65e09c66b2c5fecbb000000000e80000000020000200000003fb32f50257fdf69cadb98420567ebf037ec49ee28418d92ebf9a644226601a3200000000787c9ef8ccea9a153e6555a605f691d9864c741296fd6926bbedf29b446cfd4400000009bfd62b0bacf455bfed64a09b526369b5794a8d052765f1a6fd32d44ba435ed4d6c7e46e6b02a01925084b5fca4a90ce0db076a4f4ba25ededc89bc923a8a678	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2788	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2788	iexplore.exe
2788	iexplore.exe
4232	IEXPLORE.EXE
4232	IEXPLORE.EXE
4232	IEXPLORE.EXE
4232	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 4232	2788	iexplore.exe	86
PID 2788 wrote to memory of 4232	2788	iexplore.exe	86
PID 2788 wrote to memory of 4232	2788	iexplore.exe	86

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://lunarclient.com
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\anq17kf\imagestore.dat

Filesize
15KB

MD5
d954519d94ea5c30aee3b055525466c4

SHA1
4885b040ab64127641840e4500c462b734c12ef4

SHA256
529d83d36a03598b3e37454208c2d620c89e57fda414a7d2ee7093b8ec3dac3f

SHA512
7d1573a3fbea38ec7bfd496b02645f0d59345bfdb91e1d15a1b7bec8ecf1e69f0b26a978dfe913cd9343dc3456e534aece8fb39b1e87c145eabfef07f5388073

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RBBD6WFK\favicon[1].ico

Filesize
14KB

MD5
6f147deef8659be308f931bea6b1347e

SHA1
e4a86795a8a00aece986b3ac143af2ee5c483ef3

SHA256
db29aefddb58c065fe0b377b30a60f394c0f42bed32fd45a74efbd810cfa9190

SHA512
039298327c4e0ae724d3bce95f0afba8c180f9a505ff026588a3e32bfde90dc4d9c93ef1fe58901b92734e8bdf821162a48d310d3adfe6a5a510e75f590981f0

Download Submit