74bdec0a83536cbe6a47030bb06a8a223369028b4ba9608ae1beba0107b0381f

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Luna-Grabber-1.5.5-alpha/luna.py
Size

51KB
MD5

951fec5c3c0cda1bee7f6a9250a5aac0
SHA1

5f560277ae47188a609c35bf9ca7d9577fbc727e
SHA256

89d19888f1a1e821cd40bc32ffe20dd28204c11ef6cca74cd82014786a15cab6
SHA512

5d079b4874d0576e503c80fb2238c807c9d5cc11ce61897c93e86aea8df6390b1d42cb654e4529c8b03209aa25f766703c8accc252a0e48d42408b9b0a2bcbae
SSDEEP

768:mNEv8SqFEIxK4R464G87yU/X4C+VJyj/sGDT8D79Rz1txlc:mGv8SwKQG0Jyj/xDT8D7Ntxlc

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4296	OpenWith.exe

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 4440	4296	OpenWith.exe	102
PID 4296 wrote to memory of 4440	4296	OpenWith.exe	102

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-1.5.5-alpha\luna.py
1⤵
- Modifies registry class
PID:2040

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-1.5.5-alpha\luna.py
  2⤵
  PID:4440

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...