Overview
overview
8Static
static
3lunar-clie..._3.exe
windows7-x64
4lunar-clie..._3.exe
windows10-2004-x64
4$PLUGINSDIR/INetC.dll
windows7-x64
3$PLUGINSDIR/INetC.dll
windows10-2004-x64
3$PLUGINSDI...er.dll
windows7-x64
1$PLUGINSDI...er.dll
windows10-2004-x64
1$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
$PLUGINSDI...ll.dll
windows7-x64
3$PLUGINSDI...ll.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$PLUGINSDI...7z.dll
windows7-x64
3$PLUGINSDI...7z.dll
windows10-2004-x64
3$R0/Uninst...nt.exe
windows7-x64
4$R0/Uninst...nt.exe
windows10-2004-x64
5$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...ll.dll
windows7-x64
3$PLUGINSDI...ll.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3Analysis
-
max time kernel
278s -
max time network
412s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
20-04-2024 16:55
Static task
static1
Behavioral task
behavioral1
Sample
lunar-client-v3_2_3.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
lunar-client-v3_2_3.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/SpiderBanner.dll
Resource
win7-20240220-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/SpiderBanner.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240215-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/WinShell.dll
Resource
win7-20231129-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/WinShell.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral15
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win7-20240220-en
Behavioral task
behavioral16
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral17
Sample
$R0/Uninstall Lunar Client.exe
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
$R0/Uninstall Lunar Client.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral19
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral21
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral23
Sample
$PLUGINSDIR/WinShell.dll
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
$PLUGINSDIR/WinShell.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral25
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240215-en
Behavioral task
behavioral26
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240412-en
Errors
General
-
Target
$PLUGINSDIR/System.dll
-
Size
12KB
-
MD5
0d7ad4f45dc6f5aa87f606d0331c6901
-
SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457
-
SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
-
SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
-
SSDEEP
192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
Processes:
flow ioc 197 raw.githubusercontent.com 198 raw.githubusercontent.com 199 raw.githubusercontent.com 196 raw.githubusercontent.com -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
salinewin.exedescription ioc process File opened for modification \??\PhysicalDrive0 salinewin.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4708 3476 WerFault.exe rundll32.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
salinewin.exesalinewin.exepid process 1376 salinewin.exe 700 salinewin.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
rundll32.exesalinewin.execmd.exedescription pid process target process PID 556 wrote to memory of 3476 556 rundll32.exe rundll32.exe PID 556 wrote to memory of 3476 556 rundll32.exe rundll32.exe PID 556 wrote to memory of 3476 556 rundll32.exe rundll32.exe PID 700 wrote to memory of 656 700 salinewin.exe cmd.exe PID 700 wrote to memory of 656 700 salinewin.exe cmd.exe PID 700 wrote to memory of 656 700 salinewin.exe cmd.exe PID 656 wrote to memory of 5492 656 cmd.exe reg.exe PID 656 wrote to memory of 5492 656 cmd.exe reg.exe PID 656 wrote to memory of 5492 656 cmd.exe reg.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 6123⤵
- Program crash
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.0.1677501368\486823999" -parentBuildID 20221007134813 -prefsHandle 1828 -prefMapHandle 1820 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {694ffbf2-3913-4d86-9574-10f5498d98a2} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 1908 15bacded858 gpu1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.1.454362856\147905112" -parentBuildID 20221007134813 -prefsHandle 2296 -prefMapHandle 2292 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc3aa67d-838c-451d-968b-cd8638f24c74} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 2308 15bacafa558 socket1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.2.1941627509\928995319" -childID 1 -isForBrowser -prefsHandle 2984 -prefMapHandle 2980 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4a9cf9f-5d64-4fbc-89d7-33c647897958} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 2932 15bb0945f58 tab1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.3.629177718\384159708" -childID 2 -isForBrowser -prefsHandle 2352 -prefMapHandle 1384 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43ef4031-cd01-4897-8f28-05b125219e72} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 1220 15ba0371658 tab1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.4.171017485\2022747708" -childID 3 -isForBrowser -prefsHandle 3788 -prefMapHandle 3796 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d151f8cd-7144-46c5-a232-74bb9ca73084} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 3808 15ba0362858 tab1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.5.1487308996\1417739115" -childID 4 -isForBrowser -prefsHandle 4916 -prefMapHandle 4976 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db8934f1-0783-4a53-a745-4ae9a1eab63b} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 4964 15bb0e47258 tab1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.6.1762244600\2039826197" -childID 5 -isForBrowser -prefsHandle 4704 -prefMapHandle 2708 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dff3765-a6b6-489b-8a65-0b15c06cb07e} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 5116 15bb2a58a58 tab1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.7.1150561757\203959409" -childID 6 -isForBrowser -prefsHandle 5144 -prefMapHandle 5148 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8af7eb40-2fd2-4607-a242-20f6b1610d0f} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 5136 15bb2a5ab58 tab1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3476 -ip 34761⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.8.26098988\810619475" -childID 7 -isForBrowser -prefsHandle 3508 -prefMapHandle 3504 -prefsLen 26471 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18b06f01-dacc-4bdd-be4f-5d89fd160468} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 3124 15bb2808a58 tab1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.9.1747148195\1280206440" -childID 8 -isForBrowser -prefsHandle 4312 -prefMapHandle 5376 -prefsLen 26734 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c012fd6c-80f1-4a83-aa94-28b9cd2984e6} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 4560 15baf718d58 tab1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.10.2018674685\383642897" -childID 9 -isForBrowser -prefsHandle 5944 -prefMapHandle 5868 -prefsLen 26734 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f6bbc7a-5e2f-4568-a876-59c8e4af7186} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 6048 15bb497a358 tab1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.11.1169107545\1389374028" -childID 10 -isForBrowser -prefsHandle 4428 -prefMapHandle 4416 -prefsLen 26734 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5841226e-3651-4766-93c5-33dcda6903f7} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 5804 15bb486d458 tab1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin.exe"1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f3⤵
- Modifies registry key
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4a0 0x4f01⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39bc055 /state1:0x41c64e6d1⤵