Overview

overview

5

Static

static

3

Lunar Clie....3.exe

windows7-x64

4

Lunar Clie....3.exe

windows10-2004-x64

4

$PLUGINSDIR/INetC.dll

windows7-x64

3

$PLUGINSDIR/INetC.dll

windows10-2004-x64

3

$PLUGINSDI...er.dll

windows7-x64

1

$PLUGINSDI...er.dll

windows10-2004-x64

1

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows10-2004-x64

3

$PLUGINSDI...co.ico

windows7-x64

3

$PLUGINSDI...co.ico

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

$PLUGINSDI...7z.dll

windows7-x64

3

$PLUGINSDI...7z.dll

windows10-2004-x64

3

$R0/Uninst...nt.exe

windows7-x64

4

$R0/Uninst...nt.exe

windows10-2004-x64

5

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

uninstallerIcon.ico

windows7-x64

3

uninstallerIcon.ico

windows10-2004-x64

3

Analysis

  • max time kernel
    119s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    18-03-2024 06:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $R0/Uninstall Lunar Client.exe

  • Size

    404KB

  • MD5

    227c1f9fe7c7f6fb24a451a5ca84e722

  • SHA1

    9c34be548c0b2affd930d05c1b315a5cbe9bca45

  • SHA256

    bafcf2b563e935de1c9d2d55413d25b9a06a8ee8b4cdab49ba7bfe0bfb5c668a

  • SHA512

    1fde79719e176eaa9f23211f9679d5406c219b2ae074227306001ea88c3c2f10c1ed1e0e52b10bc1e0ca9adc4cdc82d2da474ce7e59defaae816655ddc0fce66

  • SSDEEP

    3072:Wn77v00hEoDEtauTsqBGeQIfxqxAjDsksbfVl1snhl+l2L0Sa9/l7a4vZAzLmDVH:W740IEa+J+Rql1DKs2t0EyL+ya2

Score
4/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall Lunar Client.exe
    "C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall Lunar Client.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\$R0\
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2824
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Lunar Client.exe" | %SYSTEMROOT%\System32\find.exe "Lunar Client.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2616
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq Lunar Client.exe"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2412
        • C:\Windows\SysWOW64\find.exe
          C:\Windows\System32\find.exe "Lunar Client.exe"
          4⤵
            PID:2572
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://lunarclient.com/uninstaller/?installId=unknown
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2284
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2284 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1972

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      2f4c0031699797ba08b3fd0d4d9334ca

      SHA1

      09b69778ae25b901a3ade31894458766e7510de2

      SHA256

      58d6dc51fb919a94873833f331db9a6d800cdd631603859406eeda1486c1c965

      SHA512

      24b44f8fe4de43d7435bfabedf6e4d5d19b9e3568105a258895fe8f0c0f3260d65292da7717c8154242d9457d75a7c3721899c82f16b4d9e51620fb218ec10d5

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      e6bdfc69ba8deeedf9593a5455b07ce8

      SHA1

      1ea6aaf0c0e0833652f06df5b765da4f2e3d5a4c

      SHA256

      ec74ab0d035ef16323b5bc615a42659cd2f95ceba91f0001f5af7459077c07f7

      SHA512

      5beb5bc3596a72da26c2f2abffdf7338c2a9839d11fa4a1a457bca3fde23097bb7f06740cae9c208be2ffa21acea7f017ed589a4a072a3bcad110af1b0dac375

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      fc77ebaa60a9f4a9c62501897340ff06

      SHA1

      c20bc7e7f2c49e1c4b5e611cbf5319eafba7dd3c

      SHA256

      1f96c10009a8e3cf425a7734534a4594f4adebbecb67871cb15b10731616eb14

      SHA512

      9059ada21492716b545d15876df1d27d4366b9ee0035f9ab4a563cca4503310ce8f175059e5c9c24ebf27fcef13b0acd4bf203c6b69c09a4ed99afcbd7d9445b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      da036e032d0ee2ceee156429d20cdfd4

      SHA1

      9794777bd83c3cbff08eaf360b88a887c176e70b

      SHA256

      5e2c20cc08de064ad9529433fd192321573a37f73bb606da429489a67906ed17

      SHA512

      85569ff66cfa2c4e42b45d0b5d74d3a819801af1245cc7f128b9f2960cda42012ef300d166dfd90b9c40b7b5f3f1e6d2431506f91c300d71010d71ece86b3398

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      871e0ed2ae3e1ce92bbb1112339d06f6

      SHA1

      54abb4ef52f0abab9d2931b20ff0b162d1490cae

      SHA256

      bc13c33ecba59cc559847f191e8f0969f5d01ff9e8b8a76ccbf6a203ac1816f1

      SHA512

      2c1effa13e481515efd3e8883209ed7880876726f2517d41306815ca10fde464c4e726388037d9974e86523bd62458710827b993ad86e7d6c110b545a210f5fa

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      d7fb394bb1f2939fcde6a34a05bc3db0

      SHA1

      34059929ee991337d0521df8c88784fd60bfe69d

      SHA256

      c456b5d46cb4abea2b9c063b5051c55b9886af0ea783802c3ad9bf97270c3c60

      SHA512

      c75b1e7813a7955b42bd383d4cd845ba01e136d55e3c2a39806f817220054da98ea8d46be7434d7dc0934544fb5a40a452827fe0a8d4a7b2c06c85ad072d9dff

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      e0a12e82e0c0944b90bb2df0f20fce56

      SHA1

      e344a2295753b92edf9d961bceb38d49b09147a0

      SHA256

      73f1ea558dcba6153be2a659d9ee3c853b68712ac100ff7be1671e1d6703c7c7

      SHA512

      7280d67079f6bdf40611b5a86f03bc0a1b8ef07c62d317b48ba053af96642c81d92323dd61f399dd3840ec29e65a5a80ca24126949b1b6d8e831990a21b592d5

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      003695ce3aa4a42a73670492a40f6606

      SHA1

      91cd6bb60e6206b1541a9a2c5796838f083d4080

      SHA256

      8ca9883c8bbe1a239d4cd78940b77f16f7c4a471be6d94250bee8fc3ed7aa4ff

      SHA512

      3842e9b7dd1520202388ef2b86ebd3bb86749741cd49b9103e18b5f467c35bb7f941f26d3c16413b510415903963a97519fc34433f8ac239dc639f473e8e1d12

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      95436eb377cfe0782975406729c8fe14

      SHA1

      e873c51839d4be3c7885f7d5cbe00a8581235b14

      SHA256

      19d5fbf79c939ddba8140b875358d2a02492a92b94c62359d4a42acfcfdb93ea

      SHA512

      f3868bab8e3aaaa4368f3c8cf44f2bc4c8727c19f211b108eff8217ec3907404cc47f39b248542df2f8fdcea0cafb0588cd623f0d54dcce79c70aca9a077dfed

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      c80c861ae8a087d29bc09b7c78b425c7

      SHA1

      00165ad2b7f5b95ece996f60c40a4febaa6e5874

      SHA256

      cdf95ca52fd7f2d3865609d75c33845647a43752972f4fc7c53be1956cdbb8bd

      SHA512

      606ccf7f53c11dde57872c69631d059a97e788125907c844ffc1d2b4676b6e6ea172ec3fc65f9156e199019d4c9ccda6f0e36e66dd5519cba1264b839d9dc22b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      678f7e041be02d0a32c2c8282f95160c

      SHA1

      e46d2871fb9d78d43e41a432bf58d6e115eb6eaa

      SHA256

      2a7f8a1d816b59c2dd29b35b715a98a01cd4a6069468705d79cd28a1506c5c62

      SHA512

      3293b7990f93c27daf557a8f4698c06a5b16dfcb8c1824060aef979d1bd013d1cffdf40a1e5979856630094977cba309a3665d9604f92506774c0f66a73408e9

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      ff76ca8c26d5d7b5627bcd749e73d47c

      SHA1

      1fd473ec94eafedc1bb601e898a31558cc8860a9

      SHA256

      0ab30392b4b1efc9b23a47bdf2dede5a19d89d7fa0fd21d9eeb707348700de0b

      SHA512

      58b3bf81151f337dea5cee6957bdbd08b97387e766ccd631d20c8f1325b27f76ed01fb2530a4df6b45e9cf855194cef86ac117de17ef68a23d7d37d4097be231

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      66ec04c26961a9152539ab8b6c3a4fe7

      SHA1

      8dbe3864cc398899386c81ac911cab6ac122454e

      SHA256

      03040f9d1e772c3248d98c2e487f04fd0b89deed3c5a26256db917de23e651cf

      SHA512

      e07b31772e9cd5b8643ddac1f5781e6843b1d9cd9505c89b78d7933bdc7fed44cc838961c6981ef53b502d098701c0e050d0788a9977b15d82540e484559a51a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab68B4.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab6942.tmp
      Filesize

      67KB

      MD5

      753df6889fd7410a2e9fe333da83a429

      SHA1

      3c425f16e8267186061dd48ac1c77c122962456e

      SHA256

      b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

      SHA512

      9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar6986.tmp
      Filesize

      175KB

      MD5

      dd73cead4b93366cf3465c8cd32e2796

      SHA1

      74546226dfe9ceb8184651e920d1dbfb432b314e

      SHA256

      a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

      SHA512

      ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsi48E3.tmp\StdUtils.dll
      Filesize

      100KB

      MD5

      c6a6e03f77c313b267498515488c5740

      SHA1

      3d49fc2784b9450962ed6b82b46e9c3c957d7c15

      SHA256

      b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

      SHA512

      9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsi48E3.tmp\System.dll
      Filesize

      12KB

      MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

      SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

      SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

      SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsi48E3.tmp\WinShell.dll
      Filesize

      3KB

      MD5

      1cc7c37b7e0c8cd8bf04b6cc283e1e56

      SHA1

      0b9519763be6625bd5abce175dcc59c96d100d4c

      SHA256

      9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

      SHA512

      7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsi48E3.tmp\nsExec.dll
      Filesize

      6KB

      MD5

      ec0504e6b8a11d5aad43b296beeb84b2

      SHA1

      91b5ce085130c8c7194d66b2439ec9e1c206497c

      SHA256

      5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

      SHA512

      3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

      Download Submit

    • \Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
      Filesize

      404KB

      MD5

      227c1f9fe7c7f6fb24a451a5ca84e722

      SHA1

      9c34be548c0b2affd930d05c1b315a5cbe9bca45

      SHA256

      bafcf2b563e935de1c9d2d55413d25b9a06a8ee8b4cdab49ba7bfe0bfb5c668a

      SHA512

      1fde79719e176eaa9f23211f9679d5406c219b2ae074227306001ea88c3c2f10c1ed1e0e52b10bc1e0ca9adc4cdc82d2da474ce7e59defaae816655ddc0fce66

      Download Submit