Analysis
-
max time kernel
1544s -
max time network
1602s -
platform
windows10-1703_x64 -
resource
win10-20240214-en -
resource tags
-
submitted
17/02/2024, 06:40
General
-
Target
Luna-Grabber-1.5.5-alpha/luna.py
-
Size
51KB
-
MD5
951fec5c3c0cda1bee7f6a9250a5aac0
-
SHA1
5f560277ae47188a609c35bf9ca7d9577fbc727e
-
SHA256
89d19888f1a1e821cd40bc32ffe20dd28204c11ef6cca74cd82014786a15cab6
-
SHA512
5d079b4874d0576e503c80fb2238c807c9d5cc11ce61897c93e86aea8df6390b1d42cb654e4529c8b03209aa25f766703c8accc252a0e48d42408b9b0a2bcbae
-
SSDEEP
768:mNEv8SqFEIxK4R464G87yU/X4C+VJyj/sGDT8D79Rz1txlc:mGv8SwKQG0Jyj/xDT8D7Ntxlc
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 13 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 62 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-1.5.5-alpha\luna.py1⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-1.5.5-alpha\luna.py2⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.0.1127084219\407899110" -parentBuildID 20221007134813 -prefsHandle 1728 -prefMapHandle 1720 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {184b7c86-4b46-47a7-9b6a-b09083c47dc2} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 1808 1d2187f9a58 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.1.1336777442\1638361546" -parentBuildID 20221007134813 -prefsHandle 2152 -prefMapHandle 2148 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {400adcbb-b34d-4346-bef0-c28619aa7bfd} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 2164 1d218703558 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.2.623694996\821281154" -childID 1 -isForBrowser -prefsHandle 2892 -prefMapHandle 2720 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e27e2e6-b5b3-4085-8b41-5c47568c8a72} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 2716 1d21ca9b758 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.3.2074976890\573751682" -childID 2 -isForBrowser -prefsHandle 3476 -prefMapHandle 3468 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {71adbbae-90a0-4ae7-805b-6b3afc29fdd9} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 3484 1d20d75ef58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.4.246746199\83787747" -childID 3 -isForBrowser -prefsHandle 3864 -prefMapHandle 3860 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cd6072b-e14f-4b47-976d-b402937889c5} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 3880 1d2187c8858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.5.558249882\1246567942" -childID 4 -isForBrowser -prefsHandle 4824 -prefMapHandle 4848 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8d3e80c-3995-4bb7-b4d8-1f63c5a1c23e} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 4864 1d21ecf8b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.7.460173525\833129610" -childID 6 -isForBrowser -prefsHandle 4988 -prefMapHandle 4992 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b519b799-d41d-4b89-ac7f-ff4ab5e8ae96} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 5084 1d21f055b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.6.1618713686\835085174" -childID 5 -isForBrowser -prefsHandle 5000 -prefMapHandle 5004 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db670bff-1f6a-40ef-ad20-0cbda8731122} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 4880 1d21f055258 tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD574a524c73594fba7bf53e79f42892851
SHA1fbd2b195dc101bacb4605fe44ce33b69d1c065b1
SHA256cb34bb48fa4b278a291fe7ecd7495a206d5f7d81b794aae31b8db880fb9e3444
SHA51263fea656edec3a8fb51714434fd83f8458787bb9f98af1bb46521109df83639a4ec90a5df18b5a9897025028afab231de7613c7ae432505e8ce8d6571dacc193
-
Filesize
13KB
MD5474065b78b9ce28d13dc196208cf38f4
SHA13631a8328f106f25b93e8b97a4cce22b34bf93af
SHA256f76f639d592ce7c47231933515da0e5796e39c5c6907d07db3334fccac1fc4b3
SHA512d4b7e5c6884e285cafcd78fb62e452e047bf3070dff5202699c126d0cca02d8e60553a58f4f6ac14ce04cc7ed3ef6e5d522cd87f201e463fa462043fa9c506e9
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
1.1MB
MD5e253cbda16f05dd63324992ad592ee4a
SHA112d7579663157c3fa83a8b60fb9ba3afd2b5a3b1
SHA256e91265e989a5916265037da39d2ffb3fbcdae888c9c74dc6601294d6073fe98f
SHA51285fe3f00ab84a1345a377e5d1e43031dc7ffc84a0ed05b38ee35a39ebfc4db7552183dbf2ace0509495c7eafb383185848c18a56df8b217d856c7ce50c596501
-
Filesize
5KB
MD566445f95cbfa64cbd5e569b903e70aad
SHA19f1a54c69c91daafb8859fa134d0f018817118e3
SHA256ce159f37ee179da912a2398bfe8be6566cb3607c6e5e6e985ec9f002a9939a2d
SHA5129e315e6e09ae29e1bc7d69f75b41bb57934dc44d0d7110e6075c791cbd6cfa6a8f105dcb017af5ffb7fdc77eb7b4f240fa438e399fedb986768feeafafcff51f
-
Filesize
5KB
MD58e3b862582bf98953dabba277d802b5c
SHA11a92a4120f35debf05886100760c8beb789246b1
SHA256ce3076f8b3f8701e3753c5057df40273b2f0a89fbab17380e183354d5fb12070
SHA512eaa324d01d729e754b2df95385d4a45d1b7eebb8090d814306f9f736b96b99ff4476095675c4fb270099690adcfc022e2fb5c0fb2f60aa9a184c010aeaaeed5d
-
Filesize
951B
MD594c7e9134b54dfabc7791cccd3b1c372
SHA18f6e597efa88ff69ef1ed8f3da9e41c3e62cc448
SHA2561a271ab7ea78f01a26519ebeb2ed9178131cf3d84523b2414a17d626588770db
SHA5120c8b989997e513b9471442c04a1d65497bf502a2b6a959ca87bf4b8ab87966ae1a68faf9bfb7d04adc9299b4b1fac4f6cc21f2b00de793adcb2b557d6c53aad3
-
Filesize
216B
MD5bfa7762ddea56217bd7b1a971de32977
SHA1da24972ae720b2af85ba63f65cb1c727864a5b04
SHA2568c29081c48f72689be172d397d64b57d844afb799cc5f3ca219df250bfa7d827
SHA512ab851ae40070c030523dec59593b6ac7226f99656649a86541dd4358c35a0bce28f218efd98e8afa7502ead1b110210c514612b6d9f2b894c14c06be95cc7987
-
Filesize
746B
MD50f3aee7068542dc6d6790ed110be92f4
SHA1acf1820ef3dcdb6a9d0dd7c7956eaf3eeff9455e
SHA2568e11f663f4426f27efb3a5ebcc598f54ed1f0ea6249fb149312c6e989116d519
SHA51276ff51b09cac998726f18a3220841c70ecf09b66e5f4d52d2a7aa62aed6accb333c108ee766d898a41fbe7cbc7f2c687f246820ba04740c342e24e7d4f9f6704
-
Filesize
10KB
MD596ba291c7375df481025c9d64f1b011a
SHA12a36df24646edc09b0c6c4981cb066427267ed74
SHA25673d072fc2211c166bee1048b234ef72e32f4f776b89850438a12d04bff56caa6
SHA5127311eac7bfec691518adaf1032f19606bb012bfab50c1449e3fa56d53fbb4c4a077b52c89ff6ba1bbe6716bb8ecb66303984d700c9e15e5e42add50850506f94
-
Filesize
34KB
MD535e833f1ba43911c851ef4460b5c9f21
SHA1542af79dcecd63058320dcf60fa687cd858570be
SHA256ffb5abbad70b46db5982d8c83cd9afe089bd71ccae3f290063b8e72167990377
SHA5124ced56fac6db283b90eb1a57a00a5e969e3a0c69b446ff4a82a49c28acbd1a6d7211c91ad856688f93a4ff95792dd5c515ee2da9040975f0fcaed88e7da7ed33
-
Filesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
Filesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
Filesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
Filesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
Filesize
448KB
MD554a2ab0bf0d9c2fc64163cec56e46a4d
SHA1f559fe853d3b58d9f04e083e8651ed012f586aa6
SHA2566b89730ff8c0e321af0aa13bf6007ec08470f08b911b5f233c63c28de0368fee
SHA5124d81a0ee50c1933986bdf41d564a88b4d50012dad07d1cd2c4cb31953ce50bd6e06a64218a6688b5c8034473046a8e8f1c348e02a12fb1a1d8ee06285ed98916
-
Filesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
Filesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
9KB
MD560c5e502e04bab1594157ee9d66ae188
SHA1f4347696e8b7961e51f39966c4bd3982b4cd9dec
SHA256db1e6b1128e03778b0add132295ea69b2a3a966dac677a4612b3dd48708078c1
SHA51216292698357c4397926528613ac48d65b74dcc02d2e1c7280a91da68765c66e77a9db522be538ee81e706be87ace2c2a6287fe99a131974ee268d8b556885f49
-
Filesize
10KB
MD5e2c2a63f7a4efe24cc68682e3db733e7
SHA13a270246797954ec3a3938f86482aa517d435a14
SHA256c6868356c99d2355b5205d3fbd57bfa241e1f2bba66e57151731b04c9db9add7
SHA512d1cf782d2158e80e574f845b999bc8d21ffd4fef425bd6e7e425f46856677cef5146511e46bcd19357903f6114849e895d4ac89095989d06d86e22f372699092
-
Filesize
9KB
MD537fc2711ca4b8fccc519c3b3931b5c72
SHA106d690ab372a547ccc9b67417aecca39a7c95bc7
SHA25624b82cca4cdfb0921f69bbce1ebf56259da8980c5d1f12f4754668591904680c
SHA512e34ad5f6b4ba751266ac35f46d7a475c729d63a2c0ad44b34081ca143598fc4357da915306e8f7fe52d39d364ae4467fd537f1651b6b024fe1dd9e173812f75d
-
Filesize
8KB
MD51877a886d7e6c2f2f09cc45124df04d4
SHA18b284e9632bbf1a0e4e2d6f0600b235c556662b7
SHA256ae5c878ad2ff4adefd142c569d14a2726d85e2965ef185560a99bf4986c20f9f
SHA5120b22c8c8b5d3514088ac784c7ba6d0869ea16ef37a10fa5005d2d008fa6d3e95ba20ee2d1033c4412bebb6bf3af1d3a4723f36de412a9c6310f14e6bda6eeac4
-
Filesize
6KB
MD581642b608402d4ba20ef24f50e9e807f
SHA1d05ec69d36f46c66aa0b40e891d73cf74d4bf4a5
SHA256b7b3d35792fa11a555c35e5313fbae3837181baf4407b44939dcf5f2529466fc
SHA51214edf40888f2665073e3819159eba64414e73c13f91dc724cb4e00fc8b8944ebba23e889aa02b7da2caa99ad8176516290b632286d691227c2cc55afc72867f0
-
Filesize
90B
MD5c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA15942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA25600ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA51271ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2
-
Filesize
1KB
MD5d781dc71bcdbffe5757321e581b5238a
SHA17bf63774db863c8ebfc14bf69fd9b3e7fbd390b2
SHA2564437053869ddf857a1e7bd21e36b0d02b02c9fbae45a1fce8860bf95738f5308
SHA5120a80111dc1013b89c7f1085db52ab31cef134cdf8cf066d97a02231bd913bef6ca0738f1681cdb90953038a187ea3acd91f5c3332ae90e48ed292fd899ccdbe0
-
Filesize
2.5MB
MD5b4f166d464f5ab928a61ed9d459f49f5
SHA16cbe3afa37bc58138df446bbdf14c9705707a4f1
SHA256470e2f987f82376b447f7cb1a674bc2c32a0a494f6fe4dc9043af16727be2e64
SHA51215b3e311bac26e8cb93570799e36ab8b62286e241951da6390b61a4ed0be9e3fbc230d0a51f6de95acc1c80ea31b01849867fb07d56187e57ad7155d591febfd
-
Filesize
3KB
MD5f1ae1c8d05ff8b56f91ba10091f3226d
SHA1199d3ad234108f7d27c22aca1f928303e8124ce9
SHA2567c3abaa13cfe858b049a9c0238c5ca1442c5c3e56017a1443680a7f66614d8f1
SHA5127e33f77c57576aaebfae311b3db0439ce3d304c8941c979240cf9ca9b9fc75d337a16214e688ef56c0278fd45342f9aaf37ed492adc59ea65e9d6544b0fb9b54