560b03c4ba18e5a443f74a69727db0eabac6f455bb836757d620cc51615a92ea

General

Target

Lunar Client v3.2.3.exe
Size

1.0MB
MD5

0814a485d44ded97e275e8e80f6c17ca
SHA1

69862f6fb82651f3a097fe7554440537ea0f1a90
SHA256

560b03c4ba18e5a443f74a69727db0eabac6f455bb836757d620cc51615a92ea
SHA512

bd9abe5bd35d21bb57be9e757a6e7293f9e71738045fff6b53788e36bd442d1b8af21ea38a528ea0910434cc32ac610fbaf4200a6faf615828f47d8b74987dbd
SSDEEP

24576:s2Oawk0MDhozjDu173pG1szLSvJwnHNiTWQC:MkPDhEjK73pfqvCHH

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

unregmp2.exe

description	ioc	process
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe

Loads dropped DLL 2 IoCs

Processes:

Lunar Client v3.2.3.exe

pid process

2116 Lunar Client v3.2.3.exe
2116 Lunar Client v3.2.3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2116	Lunar Client v3.2.3.exe
2116	Lunar Client v3.2.3.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

WINWORD.EXEvlc.exevlc.exe

pid process

1048 WINWORD.EXE
1048 WINWORD.EXE
4132 vlc.exe
5032 vlc.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

vlc.exevlc.exe

pid process

4132 vlc.exe
5032 vlc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

unregmp2.exe

description pid process

Token: SeShutdownPrivilege 2096 unregmp2.exe
Token: SeCreatePagefilePrivilege 2096 unregmp2.exe

pid	process
1048	WINWORD.EXE
1048	WINWORD.EXE
4132	vlc.exe
5032	vlc.exe

description	pid	process
Token: SeShutdownPrivilege	2096	unregmp2.exe
Token: SeCreatePagefilePrivilege	2096	unregmp2.exe

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

vlc.exevlc.exe

pid	process
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
4132	vlc.exe
5032	vlc.exe
5032	vlc.exe
5032	vlc.exe
5032	vlc.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

vlc.exevlc.exe

pid process

4132 vlc.exe
4132 vlc.exe
4132 vlc.exe
4132 vlc.exe
4132 vlc.exe
4132 vlc.exe
4132 vlc.exe
4132 vlc.exe
4132 vlc.exe
5032 vlc.exe
5032 vlc.exe
5032 vlc.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXEvlc.exevlc.exe

pid process

1048 WINWORD.EXE
1048 WINWORD.EXE
1048 WINWORD.EXE
1048 WINWORD.EXE
1048 WINWORD.EXE
1048 WINWORD.EXE
4132 vlc.exe
5032 vlc.exe

pid	process
1048	WINWORD.EXE
1048	WINWORD.EXE
1048	WINWORD.EXE
1048	WINWORD.EXE
1048	WINWORD.EXE
1048	WINWORD.EXE
4132	vlc.exe
5032	vlc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

wmplayer.exeunregmp2.exe

description	pid	process	target process
PID 2228 wrote to memory of 2012	2228	wmplayer.exe	setup_wm.exe
PID 2228 wrote to memory of 2012	2228	wmplayer.exe	setup_wm.exe
PID 2228 wrote to memory of 2012	2228	wmplayer.exe	setup_wm.exe
PID 2228 wrote to memory of 3080	2228	wmplayer.exe	unregmp2.exe
PID 2228 wrote to memory of 3080	2228	wmplayer.exe	unregmp2.exe
PID 2228 wrote to memory of 3080	2228	wmplayer.exe	unregmp2.exe
PID 3080 wrote to memory of 2096	3080	unregmp2.exe	unregmp2.exe
PID 3080 wrote to memory of 2096	3080	unregmp2.exe	unregmp2.exe

C:\Users\Admin\AppData\Local\Temp\Lunar Client v3.2.3.exe
"C:\Users\Admin\AppData\Local\Temp\Lunar Client v3.2.3.exe"
1⤵
- Loads dropped DLL
PID:2116

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1048

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2228

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
2⤵
PID:2012

C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
2⤵
- Suspicious use of WriteProcessMemory
PID:3080

C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" C:\Users\Admin\Desktop\UnblockRevoke.midi
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4132

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" C:\Users\Admin\Desktop\DebugCheckpoint.tif
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
b16816056b74a37c73ab27406e50d70b

SHA1
0182e40c5d69baf191388f1fd734f148bcae72ac

SHA256
cac9d5d25feb8aaedd7810596e56bd1cba927966a0de111755fb6a8115bd50c4

SHA512
5fe230ce20d9db9d0aab10e60fd3368509cb94486e865bf603a4b1feba2229d75a841f605e35b492c882e1c92bbffe12600b140ae9173faa94efb763f7bc36d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv9367.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv9367.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
a26b8df0b59f6f87661ee3dcd0455d18

SHA1
ca705f3ce89fcd2a418849a0e926a6fdf84c7916

SHA256
b2816844276e27dc2a5192bfa65198f42506182e0deed451dbb71fc6dd7cbe8d

SHA512
b6ee23cda25cc1277b3f684d44dfe396903ef3aa574cd53d27701b9a2943ff99f967e1cde1c754f4dcb8d1589ac25f3591c73d446a21842d2b8997212a7244e5

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\ml.xspf

Filesize
304B

MD5
781602441469750c3219c8c38b515ed4

SHA1
e885acd1cbd0b897ebcedbb145bef1c330f80595

SHA256
81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d

SHA512
2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
528B

MD5
b7b561aab69877f8df4158d8d0a72854

SHA1
079bc9686544de1ed4c6d112fa87c29a73fd4966

SHA256
018d5764d878dca359ab104d2feaa37355342be03c4011be819d54be7d58eefe

SHA512
f90dd09ee3d04bcbf3257916a7eb855e09d38c95f6d09cd8cda6cb9faab99424e4539162a2a9181a2c45850f381a94f5bd811211944d3aca2745813fe7d1df74

Download Submit
memory/1048-31-0x00007FFE3DF80000-0x00007FFE3DF90000-memory.dmp

Filesize
64KB

Download
memory/1048-49-0x00007FFE406B0000-0x00007FFE406C0000-memory.dmp

Filesize
64KB

Download
memory/1048-20-0x00007FFE80620000-0x00007FFE80829000-memory.dmp

Filesize
2.0MB

Download
memory/1048-16-0x00007FFE406B0000-0x00007FFE406C0000-memory.dmp

Filesize
64KB

Download
memory/1048-22-0x00007FFE80620000-0x00007FFE80829000-memory.dmp

Filesize
2.0MB

Download
memory/1048-23-0x00007FFE80620000-0x00007FFE80829000-memory.dmp

Filesize
2.0MB

Download
memory/1048-24-0x00007FFE80620000-0x00007FFE80829000-memory.dmp

Filesize
2.0MB

Download
memory/1048-25-0x00007FFE80620000-0x00007FFE80829000-memory.dmp

Filesize
2.0MB

Download
memory/1048-26-0x00007FFE80620000-0x00007FFE80829000-memory.dmp

Filesize
2.0MB

Download
memory/1048-27-0x00007FFE80620000-0x00007FFE80829000-memory.dmp

Filesize
2.0MB

Download
memory/1048-28-0x00007FFE3DF80000-0x00007FFE3DF90000-memory.dmp

Filesize
64KB

Download
memory/1048-29-0x00007FFE80620000-0x00007FFE80829000-memory.dmp

Filesize
2.0MB

Download
memory/1048-30-0x00007FFE7F2E0000-0x00007FFE7F39D000-memory.dmp

Filesize
756KB

Download
memory/1048-18-0x00007FFE406B0000-0x00007FFE406C0000-memory.dmp

Filesize
64KB

Download
memory/1048-46-0x00007FFE406B0000-0x00007FFE406C0000-memory.dmp

Filesize
64KB

Download
memory/1048-47-0x00007FFE406B0000-0x00007FFE406C0000-memory.dmp

Filesize
64KB

Download
memory/1048-48-0x00007FFE406B0000-0x00007FFE406C0000-memory.dmp

Filesize
64KB

Download
memory/1048-21-0x00007FFE406B0000-0x00007FFE406C0000-memory.dmp

Filesize
64KB

Download
memory/1048-50-0x00007FFE80620000-0x00007FFE80829000-memory.dmp

Filesize
2.0MB

Download
memory/1048-51-0x00007FFE7F2E0000-0x00007FFE7F39D000-memory.dmp

Filesize
756KB

Download
memory/1048-19-0x00007FFE80620000-0x00007FFE80829000-memory.dmp

Filesize
2.0MB

Download
memory/1048-17-0x00007FFE80620000-0x00007FFE80829000-memory.dmp

Filesize
2.0MB

Download
memory/1048-14-0x00007FFE406B0000-0x00007FFE406C0000-memory.dmp

Filesize
64KB

Download
memory/1048-13-0x00007FFE406B0000-0x00007FFE406C0000-memory.dmp

Filesize
64KB

Download
memory/1048-15-0x00007FFE80620000-0x00007FFE80829000-memory.dmp

Filesize
2.0MB

Download
memory/4132-100-0x00007FFE5FD40000-0x00007FFE5FFF4000-memory.dmp

Filesize
2.7MB

Download
memory/4132-101-0x00007FFE5E860000-0x00007FFE5F90B000-memory.dmp

Filesize
16.7MB

Download
memory/4132-102-0x00007FFE5DF30000-0x00007FFE5E042000-memory.dmp

Filesize
1.1MB

Download
memory/4132-99-0x00007FFE71C20000-0x00007FFE71C54000-memory.dmp

Filesize
208KB

Download
memory/4132-98-0x00007FF789D30000-0x00007FF789E28000-memory.dmp

Filesize
992KB

Download
memory/5032-113-0x00007FF789D30000-0x00007FF789E28000-memory.dmp

Filesize
992KB

Download
memory/5032-114-0x00007FFE71C20000-0x00007FFE71C54000-memory.dmp

Filesize
208KB

Download
memory/5032-115-0x00007FFE5FD40000-0x00007FFE5FFF4000-memory.dmp

Filesize
2.7MB

Download
memory/5032-116-0x00007FFE5F600000-0x00007FFE5F712000-memory.dmp

Filesize
1.1MB

Download
memory/5032-117-0x00007FFE5E4F0000-0x00007FFE5F59B000-memory.dmp

Filesize
16.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads