Overview
overview
10Static
static
3LastMoonSetup.exe
windows10-2004-x64
7$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3Epsilon.exe
windows10-2004-x64
10LICENSES.c...m.html
windows10-2004-x64
1d3dcompiler_47.dll
windows10-2004-x64
1ffmpeg.dll
windows10-2004-x64
1libEGL.dll
windows10-2004-x64
1libGLESv2.dll
windows10-2004-x64
1resources/...dex.js
windows10-2004-x64
1resources/....2.bat
windows10-2004-x64
7resources/elevate.exe
windows10-2004-x64
1swiftshade...GL.dll
windows10-2004-x64
1swiftshade...v2.dll
windows10-2004-x64
1vk_swiftshader.dll
windows10-2004-x64
1vulkan-1.dll
windows10-2004-x64
1$PLUGINSDI...7z.dll
windows10-2004-x64
3Analysis
-
max time kernel
60s -
max time network
74s -
platform
windows10-2004_x64 -
resource
win10v2004-20240319-fr -
resource tags
arch:x64arch:x86image:win10v2004-20240319-frlocale:fr-fros:windows10-2004-x64systemwindows -
submitted
25-03-2024 11:25
Static task
static1
Behavioral task
behavioral1
Sample
LastMoonSetup.exe
Resource
win10v2004-20240319-fr
windows10-2004-x64
Behavioral task
behavioral2
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240319-fr
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240319-fr
windows10-2004-x64
Behavioral task
behavioral4
Sample
Epsilon.exe
Resource
win10v2004-20240319-fr
windows10-2004-x64
Behavioral task
behavioral5
Sample
LICENSES.chromium.html
Resource
win10v2004-20240319-fr
windows10-2004-x64
Behavioral task
behavioral6
Sample
d3dcompiler_47.dll
Resource
win10v2004-20240319-fr
windows10-2004-x64
Behavioral task
behavioral7
Sample
ffmpeg.dll
Resource
win10v2004-20240319-fr
windows10-2004-x64
Behavioral task
behavioral8
Sample
libEGL.dll
Resource
win10v2004-20240319-fr
windows10-2004-x64
Behavioral task
behavioral9
Sample
libGLESv2.dll
Resource
win10v2004-20240319-fr
windows10-2004-x64
Behavioral task
behavioral10
Sample
resources/app.asar.unpacked/node_modules/screenshot-desktop/lib/win32/index.js
Resource
win10v2004-20240319-fr
windows10-2004-x64
Behavioral task
behavioral11
Sample
resources/app.asar.unpacked/node_modules/screenshot-desktop/lib/win32/screenCapture_1.3.2.bat
Resource
win10v2004-20240319-fr
windows10-2004-x64
Behavioral task
behavioral12
Sample
resources/elevate.exe
Resource
win10v2004-20240319-fr
windows10-2004-x64
Behavioral task
behavioral13
Sample
swiftshader/libEGL.dll
Resource
win10v2004-20240319-fr
windows10-2004-x64
Behavioral task
behavioral14
Sample
swiftshader/libGLESv2.dll
Resource
win10v2004-20240319-fr
windows10-2004-x64
Behavioral task
behavioral15
Sample
vk_swiftshader.dll
Resource
win10v2004-20240319-fr
windows10-2004-x64
Behavioral task
behavioral16
Sample
vulkan-1.dll
Resource
win10v2004-20240319-fr
windows10-2004-x64
Behavioral task
behavioral17
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win10v2004-20240319-fr
windows10-2004-x64
General
-
Target
LICENSES.chromium.html
-
Size
5.2MB
-
MD5
27206d29e7a2d80ee16f7f02ee89fb0f
-
SHA1
3cf857751158907166f87ed03f74b40621e883ef
-
SHA256
2282bc8fe1798971d5726d2138eda308244fa713f0061534b8d9fbe9453d59ab
-
SHA512
390c490f7ff6337ee701bd7fc866354ef1b821d490c54648459c382ba63c1e8c92229e1b089a3bd0b701042b7fa9c6d2431079fd263e2d6754523fce200840e2
-
SSDEEP
12288:/7etnqnVnMnBnunQ9RBvjYJEi400/Q599b769B9UOE6MwMGucMEbHDuX0YnpWQZO:sFEc5FeWSPZza8yUMmfSHCHWJ4pps
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133558397071659072" chrome.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2524 chrome.exe 2524 chrome.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid Process 2524 chrome.exe 2524 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe Token: SeShutdownPrivilege 2524 chrome.exe Token: SeCreatePagefilePrivilege 2524 chrome.exe -
Suspicious use of FindShellTrayWindow 26 IoCs
pid Process 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe 2524 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2524 wrote to memory of 4972 2524 chrome.exe 93 PID 2524 wrote to memory of 4972 2524 chrome.exe 93 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 3244 2524 chrome.exe 95 PID 2524 wrote to memory of 388 2524 chrome.exe 96 PID 2524 wrote to memory of 388 2524 chrome.exe 96 PID 2524 wrote to memory of 1668 2524 chrome.exe 97 PID 2524 wrote to memory of 1668 2524 chrome.exe 97 PID 2524 wrote to memory of 1668 2524 chrome.exe 97 PID 2524 wrote to memory of 1668 2524 chrome.exe 97 PID 2524 wrote to memory of 1668 2524 chrome.exe 97 PID 2524 wrote to memory of 1668 2524 chrome.exe 97 PID 2524 wrote to memory of 1668 2524 chrome.exe 97 PID 2524 wrote to memory of 1668 2524 chrome.exe 97 PID 2524 wrote to memory of 1668 2524 chrome.exe 97 PID 2524 wrote to memory of 1668 2524 chrome.exe 97 PID 2524 wrote to memory of 1668 2524 chrome.exe 97 PID 2524 wrote to memory of 1668 2524 chrome.exe 97 PID 2524 wrote to memory of 1668 2524 chrome.exe 97 PID 2524 wrote to memory of 1668 2524 chrome.exe 97 PID 2524 wrote to memory of 1668 2524 chrome.exe 97 PID 2524 wrote to memory of 1668 2524 chrome.exe 97 PID 2524 wrote to memory of 1668 2524 chrome.exe 97 PID 2524 wrote to memory of 1668 2524 chrome.exe 97 PID 2524 wrote to memory of 1668 2524 chrome.exe 97 PID 2524 wrote to memory of 1668 2524 chrome.exe 97 PID 2524 wrote to memory of 1668 2524 chrome.exe 97 PID 2524 wrote to memory of 1668 2524 chrome.exe 97
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb589e9758,0x7ffb589e9768,0x7ffb589e97782⤵PID:4972
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1916,i,16261322503783129173,13599294648550992422,131072 /prefetch:22⤵PID:3244
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1916,i,16261322503783129173,13599294648550992422,131072 /prefetch:82⤵PID:388
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1916,i,16261322503783129173,13599294648550992422,131072 /prefetch:82⤵PID:1668
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1916,i,16261322503783129173,13599294648550992422,131072 /prefetch:12⤵PID:1164
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1916,i,16261322503783129173,13599294648550992422,131072 /prefetch:12⤵PID:5100
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1916,i,16261322503783129173,13599294648550992422,131072 /prefetch:82⤵PID:4480
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1916,i,16261322503783129173,13599294648550992422,131072 /prefetch:82⤵PID:1236
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1916,i,16261322503783129173,13599294648550992422,131072 /prefetch:82⤵PID:4144
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 --field-trial-handle=1916,i,16261322503783129173,13599294648550992422,131072 /prefetch:82⤵PID:1212
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:4160
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=fr --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=760 --field-trial-handle=2216,i,9564891391713588331,6164210617699118586,262144 --variations-seed-version /prefetch:81⤵PID:2308
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD5b7ebd2ce50a826a78b0bf02356185383
SHA1d2ce3fef38e6142d92c70020e1341033f5bc99f5
SHA2567087e917fb6e55f9381e294226acc8e952dfbdcd68e62a154cae4d954320bca1
SHA512789e997b379989dee9a203f98ac0024b4f3514fb48f642a36ef31af603f531a80f6e11ce3d2c5ae5727640931fa1350923da0ae80dedf0fb7379aeda88354106
-
Filesize
6KB
MD5c594a949801377799a2ab1eb47e7c18b
SHA148d9e64425c151345afad0986375b5bc40b662c4
SHA256b75ae67cf0c685a7e7533a4b447b744568e5902c099f3e0186f78c5bc4a8e68f
SHA5121138abbe6e4ffe88388f2bb432721565f28f584a76a7c44a156d185ab9df2972e7051b9134ad9edcad3bcef9cbdabcf4c99827cf03579aed1a3ac8dc16549eee
-
Filesize
137KB
MD593a1945719f8268cd99d283012ed8ca0
SHA17462f1c42ee5892aa6ef238707b673e1aaa2a18f
SHA256ba25533d33d331fe653174a0333756c71aa57dd6b1f3ee29f6dbf1ad0e0aa459
SHA512fd972e7bbc833e0e99560436452657e068f986533a3371df8e84627831ec12274012391de3bbc9bdda09ef9635acb32d391a9d80f308ee5f6ca36ae94deef22c
-
Filesize
136KB
MD5555c7f64d818dd9c8fab8fe652b46dab
SHA155332d16efddc92c00eb7210f20d8de56d3a76a2
SHA2568180fbb51e46c4c2beb1507b762d222b2df55e8f30fab989f74a9c88224a507c
SHA512a06ac0d1d3b0280897c824de113e10916d53d7c62063cb38026a141a1cf1ebe99fa4f9bffe041511b1651c893b4b15e9696dab652099621ee35b5d2f20b14900
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd