Overview

overview

6

Static

static

3

lunar-clie..._3.exe

windows7-x64

4

lunar-clie..._3.exe

windows10-2004-x64

4

$PLUGINSDIR/INetC.dll

windows7-x64

3

$PLUGINSDIR/INetC.dll

windows10-2004-x64

6

$PLUGINSDI...er.dll

windows7-x64

1

$PLUGINSDI...er.dll

windows10-2004-x64

1

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

$PLUGINSDI...ll.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

$PLUGINSDI...7z.dll

windows7-x64

3

$PLUGINSDI...7z.dll

windows10-2004-x64

3

$R0/Uninst...nt.exe

windows7-x64

4

$R0/Uninst...nt.exe

windows10-2004-x64

5

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    1382s
  • max time network
    1170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-04-2024 16:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $PLUGINSDIR/INetC.dll

  • Size

    238KB

  • MD5

    38caa11a462b16538e0a3daeb2fc0eaf

  • SHA1

    c22a190b83f4b6dc0d6a44b98eac1a89a78de55c

  • SHA256

    ed04a4823f221e9197b8f3c3da1d6859ff5b176185bde2f1c923a442516c810a

  • SHA512

    777135e05e908ac26bfce0a9c425b57f7132c1cdb0969bbb6ef625748c868860602bacc633c61cab36d0375b94b6bcfbd8bd8c7fa781495ef7332e362f8d44d1

  • SSDEEP

    3072:hD2ekNFXiQraqoDDfbrH6ZgxkzStPpwGxqeujXj5Bif/Pa0L:hD2vhaqoDfb6mxk2LqHXj3if/Pa

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1
      2⤵
        PID:532
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 624
          3⤵
          • Program crash
          PID:864
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 532 -ip 532
      1⤵
        PID:3444
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault9589e843he605h4fadh99f3hb3aa5719ecf4
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1940
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff87e6846f8,0x7ff87e684708,0x7ff87e684718
          2⤵
            PID:4504
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,4877517080541698329,5543765484353675864,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
            2⤵
              PID:3212
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,4877517080541698329,5543765484353675864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:3412
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,4877517080541698329,5543765484353675864,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
              2⤵
                PID:4264
            • C:\Windows\System32\CompPkgSrv.exe
              C:\Windows\System32\CompPkgSrv.exe -Embedding
              1⤵
                PID:1848
              • C:\Windows\System32\CompPkgSrv.exe
                C:\Windows\System32\CompPkgSrv.exe -Embedding
                1⤵
                  PID:4824
                • C:\Windows\system32\SystemSettingsAdminFlows.exe
                  "C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC
                  1⤵
                  • Enumerates connected drives
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  PID:4408
                • C:\Windows\System32\vdsldr.exe
                  C:\Windows\System32\vdsldr.exe -Embedding
                  1⤵
                    PID:4232
                  • C:\Windows\System32\vds.exe
                    C:\Windows\System32\vds.exe
                    1⤵
                    • Checks SCSI registry key(s)
                    PID:1468

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                    Filesize

                    152B

                    MD5

                    62677bdc196e22a7b4c8a595efb130cd

                    SHA1

                    bd2adf18caf764c8f034c08b6269d9693875f3c8

                    SHA256

                    b540616d7e73ff22642f4fbe2bea0f9daa2f1166391e76cf817b2a93e0bd41d6

                    SHA512

                    d23c3b9662eea6a75382242fb8e8084abc1127afbd2632f161df71a2aefaf223621511e1bf6229cf7e86313101a8d9dfe2f20e1c0bd481066e1969cd6fa75e32

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                    Filesize

                    5KB

                    MD5

                    450ffee7354671560094350e0b06e892

                    SHA1

                    bb1183b7b5b70384bf2a026a0d419929651c8d0e

                    SHA256

                    01e811fe3156c8924199c69f2aab1806da5b006294fa88512831f45f8522a598

                    SHA512

                    6a0cf0e1646c1a4901c2256e9574b2d00753b6469ba63e3634e793e54c619943f69af1fb5a374a1d062ae98cccb60ad46d39fd31922d1e2d835a978f3dda940c

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                    Filesize

                    8KB

                    MD5

                    33c24c9168935a7fb480c6b2c294f315

                    SHA1

                    88f3645e09ba3f052ef0656bab05c73c3e641d6d

                    SHA256

                    c0eb32b2e57ccf35b9469c3948fcd98f241a97e4b947ddf443d7a5026014016a

                    SHA512

                    e85b47befab468c1a7f41939f463caf04e60f69328a60b9c6f44bafffe3eb92930b841a28ec493209f47d202b4d7046953225e66683a0f433ca400e72d5526eb

                    Download Submit

                  • \??\pipe\LOCAL\crashpad_1940_GLUHOCIVUGJCDKXM
                    MD5

                    d41d8cd98f00b204e9800998ecf8427e

                    SHA1

                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                    SHA256

                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                    SHA512

                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                    Download Submit