Overview

overview

5

Static

static

3

Lunar Clie....3.exe

windows7-x64

4

Lunar Clie....3.exe

windows10-2004-x64

4

$PLUGINSDIR/INetC.dll

windows7-x64

3

$PLUGINSDIR/INetC.dll

windows10-2004-x64

3

$PLUGINSDI...er.dll

windows7-x64

1

$PLUGINSDI...er.dll

windows10-2004-x64

1

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows10-2004-x64

3

$PLUGINSDI...co.ico

windows7-x64

3

$PLUGINSDI...co.ico

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

$PLUGINSDI...7z.dll

windows7-x64

3

$PLUGINSDI...7z.dll

windows10-2004-x64

3

$R0/Uninst...nt.exe

windows7-x64

4

$R0/Uninst...nt.exe

windows10-2004-x64

5

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

uninstallerIcon.ico

windows7-x64

3

uninstallerIcon.ico

windows10-2004-x64

3

Analysis

  • max time kernel
    121s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    12-03-2024 16:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $R0/Uninstall Lunar Client.exe

  • Size

    404KB

  • MD5

    227c1f9fe7c7f6fb24a451a5ca84e722

  • SHA1

    9c34be548c0b2affd930d05c1b315a5cbe9bca45

  • SHA256

    bafcf2b563e935de1c9d2d55413d25b9a06a8ee8b4cdab49ba7bfe0bfb5c668a

  • SHA512

    1fde79719e176eaa9f23211f9679d5406c219b2ae074227306001ea88c3c2f10c1ed1e0e52b10bc1e0ca9adc4cdc82d2da474ce7e59defaae816655ddc0fce66

  • SSDEEP

    3072:Wn77v00hEoDEtauTsqBGeQIfxqxAjDsksbfVl1snhl+l2L0Sa9/l7a4vZAzLmDVH:W740IEa+J+Rql1DKs2t0EyL+ya2

Score
4/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall Lunar Client.exe
    "C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall Lunar Client.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\$R0\
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1832
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Lunar Client.exe" | %SYSTEMROOT%\System32\find.exe "Lunar Client.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2496
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq Lunar Client.exe"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2672
        • C:\Windows\SysWOW64\find.exe
          C:\Windows\System32\find.exe "Lunar Client.exe"
          4⤵
            PID:2524
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://lunarclient.com/uninstaller/?installId=unknown
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2384
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2384 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2696

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      67KB

      MD5

      753df6889fd7410a2e9fe333da83a429

      SHA1

      3c425f16e8267186061dd48ac1c77c122962456e

      SHA256

      b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

      SHA512

      9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      53e78b8c080bb6b957c82a778c0463ad

      SHA1

      0cd064b93267d7721d9560d40565ca215222c593

      SHA256

      b214a2a8a1ee574ffcd170ada8f8c27f3dda71875ef1d60e1d8674705857d939

      SHA512

      67c1d19e366019fbe4d18becd3c7ae23fac0d8ab3e2a5742c29f79468387e5dfd9d6d8f408a92618009d555edc6b41f2dfed6978674626e71d3f29bc4645eeac

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      3fd9356b0ad3f871706ea53ff2d7b2c9

      SHA1

      14f7afb96d5e1b6a8988b506da615eba67dffea9

      SHA256

      09233aa83bbc088bbd51dd1dd57f9d054695d9cc77b329127a9c008588290d07

      SHA512

      19aea47c1dc16bd46c8d9ff6d274a30a9f8e7a317b48c5ffbf98def3d9f4bc0241428db0182bfbec4a6618f093164c89d1c26cf6ce3954dcc75a4abf71b28de8

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      3926d3966f8fed880c9cf6d46d4a4e49

      SHA1

      8f7109b17cde8734b13cdcb483649305667d69b3

      SHA256

      ae0a7e7d54d8328f8389588114da26a07fb44cb5fea1a9883de9ed3177d60c18

      SHA512

      8c8cff985c13783b146ddc92d3e456043c8aa9ea973adeacbf0e2ef3acf8c2e22d6c0d2e16ed58eaec88b1de7950209a236393f074750248784879048b3de877

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      f4fa5e61618546b9cd334021a206a454

      SHA1

      d0b4946fb5d199589027e7dc0a74251af2e7c864

      SHA256

      6ffa6ebf8ad4e2fe8a3a52cd3fe8e6d4c6aada57fb89bafc2ee2411fecbd8344

      SHA512

      c1cb253622436c8bd1be0636c6bd2e7fe845cd530b6f04935f5b258d9fceda043e8191940237c0678cc360388634c2be1e1a76ddf2e84cc52e1d2ae99a4dfb60

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      8e3e5ee71dabb30b2047bbbaf7ab71ac

      SHA1

      33d5818e8283035dbdc3dc84579053c8ac9cbed4

      SHA256

      3885929078b5452e8b427f1ad0f6d290f75d480c3343f83a72e5a9f4d5bd650e

      SHA512

      b69a8072046acd5d9743bd1dcfc8bd095b9eb81d989f05a5acee7b4fac11789c0976ad45d13027033a8c544e9330496714027fb7514ddbb542bd555c62300532

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      1507ef827ceb13539a8aa709800eb0e4

      SHA1

      c0c2672c6a795ef1c0dd9929d2089b95a962ebe4

      SHA256

      814491f2f8fd0b464716e9fa2af0a6578568e87fee29dd1909970ef2f33774f0

      SHA512

      d57bc94e5315cdd9a1fa01ae8b9821f35b34ae15abdd56bea43c708f910864af2d924c3b36379d1300e34a0258d3bf2055a9121a3bf8e48b88468c50821d2154

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      d98b1b67ab48b9fc48087ea4eae2a3d9

      SHA1

      eea3a69f82d48dcfd55a51c1c7d1a7cd2d0307a2

      SHA256

      cfbabdd23ba7336748484d75840df30ced3bf2f848b83ccedcbdcd20a94f19d1

      SHA512

      516694aa1227d0a422563ca705733783573b2241e416af6a426b76ad2fc6108a40520082380761ad8492e626009d4698cc5c756998101bc30c92fb71c0f4e406

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      94e44e6c5c35bb317e7cbd9d2552301f

      SHA1

      8eb6a9134b40c500cb5ff14f6dce7199800d8689

      SHA256

      c72454645f397d4c825b92a059d937ac860e3d87e74e65fcc7569237c54f6b3f

      SHA512

      c2c0252ee88bb15ec07c14eb08f6d596ccb2926432b14ce29ac933fb6109ca124284f0851cd81e7de8e8ba7c3c045506403dff2d00af5ab85aa12310334c793c

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      efd9e91a79b66461f66c7b059986092b

      SHA1

      f5c3f4935844bf58c69a342706111062ed1cee2c

      SHA256

      a0f581736e61d514c52bd13a5ab4d4976d86713e854a4e15f8f68abc5056901b

      SHA512

      506e59567e9b0f98d26dc949eb0a4ab4243434e97cba1126afeabf8cf151c2ae254e1073a9bc8d355f35f67cf37e4b3f418ae9e2d6cca060394155d0bc0e93f3

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      a32397fb7c7b2d08b1dc8e3e082a114f

      SHA1

      ae2b7e9f862f6964995b102f5e17c2e299dae8e7

      SHA256

      4f0851a8fb657a7830cbeebebb8f7e032f74a7021bbb47933cfce52d61948f5b

      SHA512

      7310b2f461d033ecbf771b1f7de49d67db8d4664b7ec21bc7fed3c9da9ef8f9baebe5badaaf6ba038945bbbb682664413844e29b4d2724101888254d0fca4cb1

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      2a35bd02319a645e55ef87f5a1fca3c9

      SHA1

      b5dfd5e1c799725e96ccd08a91ccd6788d7ab652

      SHA256

      8ea4ad5c0bc72f4bd91c21717ce28b3bd6b158a0b23b4ee6df3fd93860f6c496

      SHA512

      983300e59571ae0db28410ea5d422fa2b1b3ed2a53863513e297562b70f791133e24cc8d60f669bb564fe34533a02b6048d7a07c60c1c81fa0ee0ef48dcce8ef

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      c2e5296930a4d58d346bdeed6eceecbd

      SHA1

      4db3991abc1f3a83ccdd2ffcc7e39c3182ee9eb3

      SHA256

      df074f598f4baafc9ec4a32fa0b427bdf3f69b536f198a3b147e50c227a36962

      SHA512

      282c8ba752dc9204d2b6c56751583c0ad5790a71db2920613e0598fe89ebe0fa5194f579a6124e2ad22bd841cf510872797be560802f2aed3bc95c8a782ebf3e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      63b945bd1a77c0fc7cb09e6ac03f9a5a

      SHA1

      d3d8383406233819e0af3aeed0b19908e1bf087b

      SHA256

      e23d86f8c162b1425bc89bc85a1cfe29d3cf53182e6af50d8f1b5cb966421632

      SHA512

      69c2cbdc44a320995c968f54fad789c2d10030d178cba7dcaabdf3fb76e4b19e9a2e8f4ad981d2840715bd7de5736c0f10c4f472d53fe22259fdef7636c3405c

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      fdf2a7151a183145a4fc56568e2a0feb

      SHA1

      e6074616b6806674a8fefc68486cc8199cb02f61

      SHA256

      1861636061bb2ee332d39aac7ef58d0b80bc6d5ce233b98553f307c6c0adf94d

      SHA512

      3e35d99598054728c3e99fed178e042951450255f957ff434551e67fb593f604e352c889c99138308777a897cc8fb2df73c414ce139f4ccb0f70f0592a3101f7

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      8f06f796895f2695f6b8e4bd7f43fe0e

      SHA1

      132f790085fd85e9cf253ffce080b9380154c09f

      SHA256

      565d42a915545cb034356453e5a581922d37cbdceac846824dfc32f6434f043a

      SHA512

      f995e39127ad1dc81d7575298e975dca22bfdec545238feef764151ee2b678f7f2b623995a084033577c863d99eb910c4a32acff42bbbda7ee5df8e2d2313c74

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      734331acee245016bb5040dd42667e22

      SHA1

      b523d3a20277c26b7a27d3149c2a737b5d1b802b

      SHA256

      338c0db811d972059cada1ff7996cdfe8ad6313bd9540733a60c142c86c1e8b8

      SHA512

      293500ff62081100c7eb4ff8d277c632f33d0540316f6a846ed8521ae3dad26538b92ef2fb8e709d12a8f6b1eee42b2ad686581dbdaa400f2a2a1dd633b170ae

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      23273484299004d65fda9837c74567db

      SHA1

      a2d1f86739b7cb5281fc489e16b4f5726c6deb14

      SHA256

      709ba40ddbd6c172785785ae80aa7810482a967df57e7966d0b87f407e8b392c

      SHA512

      6a16fa0f5702eb8168e49fd40e289593c43bc399aae3bd06715ed0160835017797055ffde3f01d4475c8cfbe204207d3266ef5ce979e31a8c30e6eaf3748f063

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      d6bcbdeed6f94b487f7512d98e51593c

      SHA1

      cbfa019032d2a78b68fedfd52225f885405fe3aa

      SHA256

      ac2cb3f82a035692b29a4bc2842f884e2a8be69e50fd76fab3c6d15aee7b30ea

      SHA512

      af1a93fd47d62dc5860929db121c7696bd14efef99af4586320b971cfd4738eb7214e0efa328d89aa4b6533c9b1b39c40fd2a9c2a2568f63523062c892164d13

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab391C.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar3A7A.tmp
      Filesize

      175KB

      MD5

      dd73cead4b93366cf3465c8cd32e2796

      SHA1

      74546226dfe9ceb8184651e920d1dbfb432b314e

      SHA256

      a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

      SHA512

      ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsd1768.tmp\StdUtils.dll
      Filesize

      100KB

      MD5

      c6a6e03f77c313b267498515488c5740

      SHA1

      3d49fc2784b9450962ed6b82b46e9c3c957d7c15

      SHA256

      b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

      SHA512

      9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsd1768.tmp\System.dll
      Filesize

      12KB

      MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

      SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

      SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

      SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsd1768.tmp\WinShell.dll
      Filesize

      3KB

      MD5

      1cc7c37b7e0c8cd8bf04b6cc283e1e56

      SHA1

      0b9519763be6625bd5abce175dcc59c96d100d4c

      SHA256

      9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

      SHA512

      7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsd1768.tmp\nsExec.dll
      Filesize

      6KB

      MD5

      ec0504e6b8a11d5aad43b296beeb84b2

      SHA1

      91b5ce085130c8c7194d66b2439ec9e1c206497c

      SHA256

      5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

      SHA512

      3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

      Download Submit

    • \Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
      Filesize

      404KB

      MD5

      227c1f9fe7c7f6fb24a451a5ca84e722

      SHA1

      9c34be548c0b2affd930d05c1b315a5cbe9bca45

      SHA256

      bafcf2b563e935de1c9d2d55413d25b9a06a8ee8b4cdab49ba7bfe0bfb5c668a

      SHA512

      1fde79719e176eaa9f23211f9679d5406c219b2ae074227306001ea88c3c2f10c1ed1e0e52b10bc1e0ca9adc4cdc82d2da474ce7e59defaae816655ddc0fce66

      Download Submit