183c1ce5ac789cdd12e75554804dc4a1f635eb5f7d239eccd987475afa82aaf6

Resubmissions

28/06/2023, 03:16

230628-dswssahb8y 5

28/06/2023, 03:09

230628-dnmz3sgb74 4

28/06/2023, 03:05

230628-dlk3pshb7s 5

Analysis

max time kernel
28s
max time network
31s
platform
windows7_x64
resource
win7-20230621-de
resource tags

arch:x64arch:x86image:win7-20230621-delocale:de-deos:windows7-x64systemwindows
submitted
28/06/2023, 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lunar Client v2.15.1.exe
Size

754KB
MD5

ec7ffaaf4aa860d1d0b843b5de15ac59
SHA1

8fa9b0ab0790149cb563d4d27ec8954e9ddb969f
SHA256

183c1ce5ac789cdd12e75554804dc4a1f635eb5f7d239eccd987475afa82aaf6
SHA512

44950aec9adb9e144cbe72ac4c3b652a748193c652d4558a04b3b9c995888869085e8c5d23f8e8030862ab26c744eb482d5affe0747ccf20fb0a9f41f527b736
SSDEEP

12288:5Meeeeeeeeeeeeeeee7eeeeeeeeeeeeeezeeeeeeeeeeeeeeeeee7eeeeeeeeee2:57IF0HL8MaDu173pG1szLSvJwCU4h0/r

Score

4^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
984	Lunar Client v2.15.1.exe
908	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
908	984	WerFault.exe	27

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 984 wrote to memory of 908	984	Lunar Client v2.15.1.exe	28
PID 984 wrote to memory of 908	984	Lunar Client v2.15.1.exe	28
PID 984 wrote to memory of 908	984	Lunar Client v2.15.1.exe	28
PID 984 wrote to memory of 908	984	Lunar Client v2.15.1.exe	28

C:\Users\Admin\AppData\Local\Temp\Lunar Client v2.15.1.exe
"C:\Users\Admin\AppData\Local\Temp\Lunar Client v2.15.1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 476
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsiD4B.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsiD4B.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit