Overview

overview

5

Static

static

3

Lunar Clie....3.exe

windows7-x64

4

Lunar Clie....3.exe

windows10-2004-x64

5

$PLUGINSDIR/INetC.dll

windows7-x64

3

$PLUGINSDIR/INetC.dll

windows10-2004-x64

3

$PLUGINSDI...er.dll

windows7-x64

1

$PLUGINSDI...er.dll

windows10-2004-x64

1

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows10-2004-x64

3

$PLUGINSDI...co.ico

windows7-x64

3

$PLUGINSDI...co.ico

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

$PLUGINSDI...7z.dll

windows7-x64

3

$PLUGINSDI...7z.dll

windows10-2004-x64

3

$R0/Uninst...nt.exe

windows7-x64

4

$R0/Uninst...nt.exe

windows10-2004-x64

5

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

uninstallerIcon.ico

windows7-x64

3

uninstallerIcon.ico

windows10-2004-x64

3

Analysis

  • max time kernel
    136s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    22/02/2024, 08:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $R0/Uninstall Lunar Client.exe

  • Size

    404KB

  • MD5

    227c1f9fe7c7f6fb24a451a5ca84e722

  • SHA1

    9c34be548c0b2affd930d05c1b315a5cbe9bca45

  • SHA256

    bafcf2b563e935de1c9d2d55413d25b9a06a8ee8b4cdab49ba7bfe0bfb5c668a

  • SHA512

    1fde79719e176eaa9f23211f9679d5406c219b2ae074227306001ea88c3c2f10c1ed1e0e52b10bc1e0ca9adc4cdc82d2da474ce7e59defaae816655ddc0fce66

  • SSDEEP

    3072:Wn77v00hEoDEtauTsqBGeQIfxqxAjDsksbfVl1snhl+l2L0Sa9/l7a4vZAzLmDVH:W740IEa+J+Rql1DKs2t0EyL+ya2

Score
4/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall Lunar Client.exe
    "C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall Lunar Client.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\$R0\
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Lunar Client.exe" | %SYSTEMROOT%\System32\find.exe "Lunar Client.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq Lunar Client.exe"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2592
        • C:\Windows\SysWOW64\find.exe
          C:\Windows\System32\find.exe "Lunar Client.exe"
          4⤵
            PID:1664
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://lunarclient.com/uninstaller/?installId=unknown
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2288
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2288 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1572

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      6c92bda7fc3f7f8b4a255417cf24c756

      SHA1

      90db126a4b1d68e531aaa377b4be7269c6a49ecd

      SHA256

      5c4c1736d13a5248887050f64c13d522b0662d5484ea57fe592754e505435e58

      SHA512

      b947814f91a84a7174de4bc8d056cdf6c5d9499bda3465db98f7182f44ebb5b4cbf06e575ca02f05430f509ee24c82b43fec3af551d263d62172ddb6b8606462

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      c91210e0ef2ebb88bf6f4c0ad0f611c6

      SHA1

      8c5bc86f4fd8ff1e9957bd290b384a4eaf8d6cd6

      SHA256

      4731d0e21f4b7ff61cc308462e04b239bd28c703a535c94d0a844cb152f7ef5a

      SHA512

      04fa4346fe96e6eae15ea694384fe382fbf213bf343b3bb8afa8550c7b44f5267fe763d71530aee900e50745fca3280eac0fea7812add9e805271cb6df374d47

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      0924648e0798c8509cc6daa938e95c7c

      SHA1

      43856774f941f468e6fedf91df1387dbe39a7910

      SHA256

      70768d2f9182798c3362b35bf37f02602b8a18a0407b71885810dd1c1acca836

      SHA512

      12e45a1f02209020fcd5e5927c95d1e906a6b7946100e03827d43663c4c1c88f8e2f638da035a7e9a4e11e91a72cc45aae8bd0909ccf9c936fd8687cab44c7de

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      0048dee95b27b2c1883046a1c5544a97

      SHA1

      d1f54195a5ca380b082185a0471aca6ab07290df

      SHA256

      db3b05a2f2e0a1811b369ff3703191a43336d81676c582bd3178b7a068740653

      SHA512

      146dbfc907efeb2c447ef3996e50f3d6d260d89a618c0daa8ae0fe821e87c9cdd6fe24e068bf72c30ab02b25ff2ce2c56ca8465bddbb90e11dd74cd06bde5776

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      9c11a610d288a9dc138f6f170d36e0ed

      SHA1

      fdaa19d06234b8e2780edeb4bc522784bea398ec

      SHA256

      6cfd7ac762cf40e0b56603a2428777e28af4e9e880def3a9f33e12ea6575fa2d

      SHA512

      15fa84fda1eeb8324b3a48da46f921afffa3e88ff4b21e949586faa28c16ebd7f410e6bfc0bd056027caec3a8b1e9bbccadf02020efae444072da78251293002

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      701194a36429699813aa171e3e3232ed

      SHA1

      a90380c1dbc2619f474e362238b1da5a6b413d66

      SHA256

      0adfaaca99249fae0c662112e8244c4b8ca75e61e31ae97602d0be39c924b541

      SHA512

      1fc6eee77cc66e5cae4cea2c447933f203716fc9fd7b8eb28594e31858af9d3f6da7a0272e14cd441357b6c31234bef09f4f9c29cbf9fdf1cee5932ed68c40b5

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      948a03eec39fadcaf8d579950bc3ab48

      SHA1

      3d9b9f7cbdb4ef21c68e746c2d7712f2abd35854

      SHA256

      a58b881574dfcb09a15aa76818de89d8ddb34ec2d2d14b212313882fde562baf

      SHA512

      01a91b8690fcd76defe29c80e9314f256337d20f4171179af02ddf69e5a349b2be5bcf5fa74ab86fa3b4b076397c338d9a283b53b9495d6dbd3e050de273f985

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      c936dd622e35e90f9ffce4038f234ad6

      SHA1

      167bfa608baf20ecbc882de114b8ecdea1b67c34

      SHA256

      c8051e0ba4cf8c7792f8796430019666b19e7872dbaaf8a46a95f02db5b7b297

      SHA512

      5dcea701d06523e05f04a2aa83b65130f514072b72313cfa1a45ef7439b179e541723335c54c404f99f9a0227c8f8e5acca3c6219eba6922867c0f596a41e2ea

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      edd812167a770ed395d0ae03fccc4a85

      SHA1

      a81336e210249ba3f74ee09f29c4d21b80648ba0

      SHA256

      643f1d8e801194e566bb7bd524d87ec3040d5f1473768dde62bd0d7d7a90c86e

      SHA512

      a9829b460c8eed172e3cfad9bf56ede18a0b05028361d2b3df79e1ae99deb657300fb99584c88edd33591ae3c5a08d911955911ee58b0bf7ec6bf9efcd5d229f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      e781db3a6a1afe0fe5f32e32e0260fc2

      SHA1

      33439cde8037b9ab80d7c50d1f4409a1b26aa506

      SHA256

      73c113cb2556de7cc79f7f1209fab916334e0f26112348e5f70a3efdce848c77

      SHA512

      e9b832daff13746b509a2b3a4bdf4513ca5de61afe9b55ef83072c40c84cb442aceb7623c0dbd6927a5746fcd8229dbb8dbba5163da25ec645e5ae308b1603d2

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      2b7ddec05484dee190d5f0f47a978bee

      SHA1

      935ff3d0dc22fa301c06489bf322584b35bd4b07

      SHA256

      9cefa86c03073b063a6c3c75fd18054c61b6a1684925ba2dbe007f41f50986c6

      SHA512

      49dbc76984b70154ab6c8382a30547466efc14f6affa401b324f4f887c0f40037e363f6967fad2ac4b88b10a95da457cb635ac46e3c346d906c5b3a5da00ffed

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      01486e020c33b1942027b3aaad851ca9

      SHA1

      730641300662c4dbf743b457aaad96ed719b073c

      SHA256

      b63f1aed0dbe3c48dea0d9f684b788e7b7b4686006cfc9a288e06256c3cbc77e

      SHA512

      e79c7a5452d7149ca450a8f10f1d193dc949b8bcd36a502032f2e225f83380d38bf38538742dddb86df33dac1accdbbb638af3a143f23a01f22a09093a32ff55

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      951c188a4e75137fd5361f65130843e5

      SHA1

      bcf3f02c9aec44632c7ead8715666db1b6d8a5d2

      SHA256

      0c328cb997aaa302557f700ab24851064146374deaf11de990a8bbb92997768d

      SHA512

      b2095660ea4e8850280d9a5a4b683c5bc928744ffd0011d05a29c17c2c567db98857bdd0e73c91db5bba591eab6c354547f95a24c1147bdba04d6ae26531eccc

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      b4083cd18fbda37e24e063df5a7d5272

      SHA1

      381aca10505912b136cc77bdb16cb850839a6672

      SHA256

      3f614bcbd8425396a33871755aeb6818025e118e95a388d13ef8893408503d7a

      SHA512

      f1f35cef45f6c8afbd92f6b7cc0ac6530442266d2ee57c303add1373f3bc9731b58aa83b2a23db55e00345ff96b28c845109ed0a3b50b73295364ef704713707

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      99edd9c4a5674caadd2066c20902b85c

      SHA1

      5f0ff110ebdf7104139c7dbc3f71f20507d9b223

      SHA256

      3faaef00f9420dedc98b8fc4387d2338062948bf93fc283912d40019c598337a

      SHA512

      d0654ab6cf5302e62965302b581129c083bdadfa825fdca5609a7163a40801ac65ccefc23b473c72245052eef8dd56ba2d57427083a00400a874df80c68a29c6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab29B1.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar2A6F.tmp
      Filesize

      171KB

      MD5

      9c0c641c06238516f27941aa1166d427

      SHA1

      64cd549fb8cf014fcd9312aa7a5b023847b6c977

      SHA256

      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

      SHA512

      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsdA4E.tmp\StdUtils.dll
      Filesize

      100KB

      MD5

      c6a6e03f77c313b267498515488c5740

      SHA1

      3d49fc2784b9450962ed6b82b46e9c3c957d7c15

      SHA256

      b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

      SHA512

      9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsdA4E.tmp\System.dll
      Filesize

      12KB

      MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

      SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

      SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

      SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsdA4E.tmp\WinShell.dll
      Filesize

      3KB

      MD5

      1cc7c37b7e0c8cd8bf04b6cc283e1e56

      SHA1

      0b9519763be6625bd5abce175dcc59c96d100d4c

      SHA256

      9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

      SHA512

      7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsdA4E.tmp\nsExec.dll
      Filesize

      6KB

      MD5

      ec0504e6b8a11d5aad43b296beeb84b2

      SHA1

      91b5ce085130c8c7194d66b2439ec9e1c206497c

      SHA256

      5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

      SHA512

      3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

      Download Submit

    • \Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
      Filesize

      404KB

      MD5

      227c1f9fe7c7f6fb24a451a5ca84e722

      SHA1

      9c34be548c0b2affd930d05c1b315a5cbe9bca45

      SHA256

      bafcf2b563e935de1c9d2d55413d25b9a06a8ee8b4cdab49ba7bfe0bfb5c668a

      SHA512

      1fde79719e176eaa9f23211f9679d5406c219b2ae074227306001ea88c3c2f10c1ed1e0e52b10bc1e0ca9adc4cdc82d2da474ce7e59defaae816655ddc0fce66

      Download Submit