hxxps://github[.]com/Smug246/Luna-Grabber

Analysis

max time kernel
1799s
max time network
1685s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24-02-2024 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Smug246/Luna-Grabber

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
28	camo.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133532854870525713"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4496	chrome.exe
4496	chrome.exe
4232	chrome.exe
4232	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4496	chrome.exe
4496	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe
Token: SeShutdownPrivilege	4496	chrome.exe
Token: SeCreatePagefilePrivilege	4496	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe
4496	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 548	4496	chrome.exe	61
PID 4496 wrote to memory of 548	4496	chrome.exe	61
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 4844	4496	chrome.exe	90
PID 4496 wrote to memory of 1920	4496	chrome.exe	91
PID 4496 wrote to memory of 1920	4496	chrome.exe	91
PID 4496 wrote to memory of 640	4496	chrome.exe	92
PID 4496 wrote to memory of 640	4496	chrome.exe	92
PID 4496 wrote to memory of 640	4496	chrome.exe	92
PID 4496 wrote to memory of 640	4496	chrome.exe	92
PID 4496 wrote to memory of 640	4496	chrome.exe	92
PID 4496 wrote to memory of 640	4496	chrome.exe	92
PID 4496 wrote to memory of 640	4496	chrome.exe	92
PID 4496 wrote to memory of 640	4496	chrome.exe	92
PID 4496 wrote to memory of 640	4496	chrome.exe	92
PID 4496 wrote to memory of 640	4496	chrome.exe	92
PID 4496 wrote to memory of 640	4496	chrome.exe	92
PID 4496 wrote to memory of 640	4496	chrome.exe	92
PID 4496 wrote to memory of 640	4496	chrome.exe	92
PID 4496 wrote to memory of 640	4496	chrome.exe	92
PID 4496 wrote to memory of 640	4496	chrome.exe	92
PID 4496 wrote to memory of 640	4496	chrome.exe	92
PID 4496 wrote to memory of 640	4496	chrome.exe	92
PID 4496 wrote to memory of 640	4496	chrome.exe	92
PID 4496 wrote to memory of 640	4496	chrome.exe	92
PID 4496 wrote to memory of 640	4496	chrome.exe	92
PID 4496 wrote to memory of 640	4496	chrome.exe	92
PID 4496 wrote to memory of 640	4496	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Smug246/Luna-Grabber
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ff009758,0x7ff8ff009768,0x7ff8ff009778
  2⤵
  PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1884,i,16236889803850757483,4794668074703082340,131072 /prefetch:2
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1884,i,16236889803850757483,4794668074703082340,131072 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 --field-trial-handle=1884,i,16236889803850757483,4794668074703082340,131072 /prefetch:8
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1884,i,16236889803850757483,4794668074703082340,131072 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1884,i,16236889803850757483,4794668074703082340,131072 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1884,i,16236889803850757483,4794668074703082340,131072 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 --field-trial-handle=1884,i,16236889803850757483,4794668074703082340,131072 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2316 --field-trial-handle=1884,i,16236889803850757483,4794668074703082340,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4232

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ed5cf94f08af1000a070fead826a3b27

SHA1
3dae3df903b44f5ac09c01dfa17f5798ae18f0f1

SHA256
f535bc75c23aca3b88273fff95bbfe988b250e731fcc0612dd64e74d5970037d

SHA512
d7273c39b79a033f2c9996cab7cdf7958b3ef2d651030c1a9b641178e807a2632d380083a910940c80373274122d4fb53dd6c437842261af9cb7643446d78035

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0e7c4088386bafb30ed08f35c9ccc1c6

SHA1
8b99b5344cd84932b19d5b4ce1a7a7acda12f48d

SHA256
60571308a5e60657985d1653a9a8bc2dd50992db6fd047dc0f62416a23cea07c

SHA512
9d9e4cb243f7edf8dfc86b8f7f0c1781224b2c5beb0adb3136aa9eeb2eb2d8e2e76ad300c0f94032815dc8fd8eccb1b2ca6a355f4a370e32437f2e2ef345ae95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
047ef4a676adc432474995fa40723df8

SHA1
3783d82a253a0f49f9b2ba5994c8db9895dbb155

SHA256
206c9833a300a42d1f47abf69cdda87c720ace9f4277eedd9940218b2f2a0869

SHA512
59df8f971dc85a93c2d0ace01b7750a3cbad05f6c55c756f28d909a9ab65fa5293a93b83e66a61ef58594bb6fdb01c509d5c320bd7f013d8552cc17bceadfb23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7142ab350e86f8403c74d47e00780e6f

SHA1
aa8f8f105f35a791e08df6b74927112d14efb255

SHA256
effc29cdf79f19fc066fb3967a8d2fdf5da794893be2972508e5aa37b26c8482

SHA512
44de59b69abfdb7ba4e398f815c7c2a7e771149314194a6898ca76cea29486efc0338f0e391a4838aa1081b570a5f8d129bc09d29432598c727b56db72fda01e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
6873ed236287f195642f5d64bb64de74

SHA1
6e43a76a7ad4815d13c49317bc7da76c3205a789

SHA256
d321edc7e8c54d548ea71a3ebfa78538b89ece997adce19a898683d47e752a53

SHA512
de263205dce2e36befa025b8232a43dfda19540eabc8c6b49e560753a93a681526df8f37cd7f9c3ab70f0d36ae8a6f57fd5d9175d5f89238e590a2683fdc1513

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit