524753508a50c33f404a87441625e1d9967d0c1a11b31c534e2d60b838fb1589

General

Target

cracked_lunar.exe
Size

6.7MB
MD5

a935a661746292c72c43f96a685fb148
SHA1

464e4e832670ced5441b507a85fe79a4bdeb4802
SHA256

524753508a50c33f404a87441625e1d9967d0c1a11b31c534e2d60b838fb1589
SHA512

68e9a17255eab3ad2ae27442d1921a084c882ec59b6a498fbf3e8ab3e6b06b8c78a9e33871051b5bf9e5c974cf5b381433b1fdfd3b4ba2369ca91269de52bcf3
SSDEEP

196608:Bfv8S5dQmRrdA6ly8Qnf2ODjMnGydS8GSyrDOQWl3:1l5dQOl6F3MnG38GSyrDPY

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
3388	cracked_lunar.exe
3388	cracked_lunar.exe
2392	cracked_lunar.exe
2392	cracked_lunar.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	taskmgr.exe
Token: SeSystemProfilePrivilege	1960	taskmgr.exe
Token: SeCreateGlobalPrivilege	1960	taskmgr.exe
Token: 33	1960	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1960	taskmgr.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 3388	4688	cracked_lunar.exe	84
PID 4688 wrote to memory of 3388	4688	cracked_lunar.exe	84
PID 2676 wrote to memory of 2392	2676	cracked_lunar.exe	114
PID 2676 wrote to memory of 2392	2676	cracked_lunar.exe	114

C:\Users\Admin\AppData\Local\Temp\cracked_lunar.exe
"C:\Users\Admin\AppData\Local\Temp\cracked_lunar.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Users\Admin\AppData\Local\Temp\cracked_lunar.exe
  "C:\Users\Admin\AppData\Local\Temp\cracked_lunar.exe"
  2⤵
  - Loads dropped DLL
  PID:3388

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3120

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1960

C:\Users\Admin\AppData\Local\Temp\cracked_lunar.exe
"C:\Users\Admin\AppData\Local\Temp\cracked_lunar.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\cracked_lunar.exe
  "C:\Users\Admin\AppData\Local\Temp\cracked_lunar.exe"
  2⤵
  - Loads dropped DLL
  PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI46882\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46882\base_library.zip

Filesize
1.7MB

MD5
334e5d6e591eccd91d2121194db22815

SHA1
821d70c44dc7f25a784e9938d74e75a3471e1ad0

SHA256
9e830533f6e67b84d9dbc502db38a6f25d3c984f1a6a195a50f838d48d5b3ba5

SHA512
bac4a1283745e5eb4db953227bbf00831c8a0c3c831f5889e0d0630841e59c8ad96c3386ce3ad48300f4754fde188212edc79b78c9c98f76bca21987c1c05866

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46882\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
memory/1960-30-0x00000238A4650000-0x00000238A4651000-memory.dmp

Filesize
4KB

Download
memory/1960-19-0x00000238A4650000-0x00000238A4651000-memory.dmp

Filesize
4KB

Download
memory/1960-20-0x00000238A4650000-0x00000238A4651000-memory.dmp

Filesize
4KB

Download
memory/1960-18-0x00000238A4650000-0x00000238A4651000-memory.dmp

Filesize
4KB

Download
memory/1960-29-0x00000238A4650000-0x00000238A4651000-memory.dmp

Filesize
4KB

Download
memory/1960-28-0x00000238A4650000-0x00000238A4651000-memory.dmp

Filesize
4KB

Download
memory/1960-27-0x00000238A4650000-0x00000238A4651000-memory.dmp

Filesize
4KB

Download
memory/1960-26-0x00000238A4650000-0x00000238A4651000-memory.dmp

Filesize
4KB

Download
memory/1960-25-0x00000238A4650000-0x00000238A4651000-memory.dmp

Filesize
4KB

Download
memory/1960-24-0x00000238A4650000-0x00000238A4651000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing