Overview

overview

5

Static

static

3

lunar-clie..._3.exe

windows7-x64

4

lunar-clie..._3.exe

windows10-2004-x64

4

$PLUGINSDIR/INetC.dll

windows7-x64

3

$PLUGINSDIR/INetC.dll

windows10-2004-x64

3

$PLUGINSDI...er.dll

windows7-x64

1

$PLUGINSDI...er.dll

windows10-2004-x64

1

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

$PLUGINSDI...7z.dll

windows7-x64

3

$PLUGINSDI...7z.dll

windows10-2004-x64

3

$R0/Uninst...nt.exe

windows7-x64

4

$R0/Uninst...nt.exe

windows10-2004-x64

5

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    1558s
  • max time network
    1559s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 18:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $R0/Uninstall Lunar Client.exe

  • Size

    404KB

  • MD5

    227c1f9fe7c7f6fb24a451a5ca84e722

  • SHA1

    9c34be548c0b2affd930d05c1b315a5cbe9bca45

  • SHA256

    bafcf2b563e935de1c9d2d55413d25b9a06a8ee8b4cdab49ba7bfe0bfb5c668a

  • SHA512

    1fde79719e176eaa9f23211f9679d5406c219b2ae074227306001ea88c3c2f10c1ed1e0e52b10bc1e0ca9adc4cdc82d2da474ce7e59defaae816655ddc0fce66

  • SSDEEP

    3072:Wn77v00hEoDEtauTsqBGeQIfxqxAjDsksbfVl1snhl+l2L0Sa9/l7a4vZAzLmDVH:W740IEa+J+Rql1DKs2t0EyL+ya2

Score
4/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall Lunar Client.exe
    "C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall Lunar Client.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\$R0\
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1012
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Lunar Client.exe" | %SYSTEMROOT%\System32\find.exe "Lunar Client.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq Lunar Client.exe"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2712
        • C:\Windows\SysWOW64\find.exe
          C:\Windows\System32\find.exe "Lunar Client.exe"
          4⤵
            PID:2688
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://lunarclient.com/uninstaller/?installId=unknown
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2468
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2468 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2952

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Process Discovery

    1
    T1057

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
      Filesize

      914B

      MD5

      e4a68ac854ac5242460afd72481b2a44

      SHA1

      df3c24f9bfd666761b268073fe06d1cc8d4f82a4

      SHA256

      cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

      SHA512

      5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
      Filesize

      252B

      MD5

      04f67483bcd2f65cb428f50bb1527423

      SHA1

      a77123d54f8212b08f30052d4ea46d4c9c16c857

      SHA256

      819193234c6c3166656337d58a0dae6a7e5fd89d41a30043a24541270f72dabd

      SHA512

      ab48302eb49cca26a91d37419878d44fc7e290e7f35add36faa9f6f7fe7e31f5641c2cbf6006f1a72122abb6ff459d8c589ddc92a6d1a384969a59a6337ead28

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      a824ac9338585f145dea0f94ed09bd36

      SHA1

      0c260d6f392911d360d3e6cc135496328857bcd1

      SHA256

      3bd146c39f3700c3c31dd71c7cca0741835f55a8e35ecd067ef772366f479d43

      SHA512

      b4d48ab8832e25a78ce90defb3a5a4c7deef06141ced28565aa2f2f323b7f5b1455e38656ac9fb23bd3e5ae378734becbe7fac0d19416d39eabcef1957be81ad

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      227549f8713e85ac1eceec266aa6a4ad

      SHA1

      33e481309eea7e859f7899140c6b124430292416

      SHA256

      04c5365766f5f4ba3d9833533b7f2ae7be6ffb9d0624285d2d86dada7ff9f012

      SHA512

      2bba357f737bc6d90f2123cfe76c597e7000ed2a3d40d4af914b4d0f88507edaa8300c73e669345572b01c2965dd2869d0d0275497c6bb3684a2a4842d6d8140

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      936ce7ef5cc2ffd88b9674cc2aa78381

      SHA1

      3f793e25f46f760be0fb899c792af2dce5f136e0

      SHA256

      9ffba295c549d1b4d5bb7ab55b6a31af0ee4928116fc31172f1893c0d736eea1

      SHA512

      301bff0ffb09416660835690c480a3846e47b5c49d9b9816172546b250d4a6128ad9ae4aae26d3d9059cf7ab4590b2aa4c8ab2b38f645085caffd3187b89bb8a

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      afddbe5bc426001b8b3ef2bf7574970a

      SHA1

      01fef68771104abdd20040675a6417720df333e5

      SHA256

      7fad4e72779fe128928a93f243c0bdc820b1505e692bc270667f7be0a39e520c

      SHA512

      57dcbb804f9aafaa5553121aa8210ebfc5c9daa037176f43377fd97f1aee78d5cb5c545acf378b923019fb53d1eb10debaf42651e621fb1d4a4ac7abfde6b7cf

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      7b7efe841fc623bca3e13001ebda8b4f

      SHA1

      dba0dacf094b051fbf1e802f47d6d6b20d469de9

      SHA256

      dc3fa039cfd9e3cd56eff74b0d9789056ad7f64c4b2afbcc9cacf97e690f2276

      SHA512

      2250a559c82cca51dbe0a9a19732c6a217780560fbe8f3b33db9e95686e3f0f94ded90656f4c33c6141a121a677d1ebe919517022d102db54282d1d3be42316a

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      dc77bbf00f7c4856f651e9867304b6bd

      SHA1

      c02d5b321bbf38560d54700e1e8ea4065f9335d2

      SHA256

      4dd31da1064d53331cfa41b3b8420b08aac5af2f9df391ecff74786917719bf9

      SHA512

      d92b23daf5f916ff88d12e630797ac36e0259a8bd14c188547d71a4d5a37cbf12dd8e8eff837229e92b9b1f4968ed50717ce0681e47501c65200477ee0cb3161

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      75920290b6b0bf2a2b491277cfeb2284

      SHA1

      744dd735e5cd9770162474f0dab20f054ef65c89

      SHA256

      d656a9b7902ac2c1ef75173a3375fd5e8fe7eb4a296f810b31f06f1399f49ad0

      SHA512

      080fcbebb813f09d94fa3c6d0f518e4bd340475b989a5cb3fe51723078a5f0d21cbae7f32800416060d01702df73e98466fd0ee43aa8edf065c201de138824a1

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      76f40f1a954c5768eb9326426f4a4bc1

      SHA1

      c0b2b0fb82104870550f9b99c1e8f1b1cf1ce56d

      SHA256

      9da598aec3f4f3dd03212c04e3ad6ba8be95130e1f6a28d6ec1059ed345350ae

      SHA512

      9e2d9d062c17ec287063ad9b04e9106245f4b60a7ae2d7e3f9fe67c53cc42a7008214dcf468d20d776a81d92c20def418bf95ba81700f8721f6be38a5ae1d90a

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      b51484582eb886e12b3b472f2025eb05

      SHA1

      d47e0d890043b9eddeadda8fadc13d5199561e0b

      SHA256

      b2a24064571b9c245e2ee098222461b619852e0baab36f1e5390656cd9886346

      SHA512

      5dd2cac346813a4d07cb815564c48ecd7b15be3be5a3b303116e48200c8c6d41f3fa58c3215d680030304404614ca9bd39d32f4a2a2b5f7046c94eeb5c082d63

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      cf75e6c98257c571cfd82446d6af2fad

      SHA1

      b521c6bc7dbab32af9cdab56717f029c438965b4

      SHA256

      ff19e2e4a1bf7ecc47bf00aefafa024e18e1909835e4a5745f0de92db502a461

      SHA512

      abc56457d2004b49c4ebc7323904678df7eca5722dd46a9a6506b28dc2579d2b626a6d108b66d88a1002bb6b49dfee614fb3e3984e9889983a2a47906e1c1699

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      87dd9cf2a8ebba27366b9d9c8162c96a

      SHA1

      9b55d18270b7b0392641f0714a5db3d65d30ed35

      SHA256

      fddea3bab2f8e608e30ca1c1f759c6be7f137d6c3719c7420c5b6c8e686631ad

      SHA512

      eab26bbb120f3b7f6538b091859a39659496700085094bfa4d8d34fd2b8e6abc688ef6aec6246155748dcc4fef6d83ff6547e5c780ebc512d8e6a7bf4102e285

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      947a8a43413681b83a70677c782f338a

      SHA1

      af64725409c546ff548dc41596cbd41b2b04d3b4

      SHA256

      60a449c2677eca83911307a571313acbdb41975058f1acb686f2df252eaf8e4a

      SHA512

      f36559415b720b74a993d94aa0e653cebd1adc1dd9a8cf3f76f94bfb2c01da7b5eead00e18f3d5f2ec2ccb0d6c6ea8c926f3e23ffe8ce8bcb62a42600b9fbdbc

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      de923e8074184aeeb13c76c8dc0d73f3

      SHA1

      09ace8512908ef234c0dad1f6d16da497e40dc4e

      SHA256

      25b9468ea5cb6e9510d5a3b48488aa6d0436bc8e418952ce1b1d529e822d4282

      SHA512

      c060dbf0e1cf3275d28cea939deed2a3e82617abb954a7ca699d43196feda5480d4f8c5ff74b4a5dff459f61dab53b1f843551f0f0eda0b4953314de39938fb1

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      242B

      MD5

      a010f9640337f91dd747c28fe8d2542f

      SHA1

      3de198996dc19b70510c34b3c6553cb8e494962e

      SHA256

      7ace61109d0a998cdcecfdb762713a4f09e45493df727899b36760117fd7d38d

      SHA512

      f0b778248b4a1993df7cc0e830917793a2ffa928e9d27ba21e6b655d0c2e9d985327e2cd52a1b30618eaa180c5a4487c434a23271234186671e89d24c38f6965

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Cab30B1.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Tar31B6.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsd1102.tmp\StdUtils.dll
      Filesize

      100KB

      MD5

      c6a6e03f77c313b267498515488c5740

      SHA1

      3d49fc2784b9450962ed6b82b46e9c3c957d7c15

      SHA256

      b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

      SHA512

      9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsd1102.tmp\System.dll
      Filesize

      12KB

      MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

      SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

      SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

      SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsd1102.tmp\WinShell.dll
      Filesize

      3KB

      MD5

      1cc7c37b7e0c8cd8bf04b6cc283e1e56

      SHA1

      0b9519763be6625bd5abce175dcc59c96d100d4c

      SHA256

      9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

      SHA512

      7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsd1102.tmp\nsExec.dll
      Filesize

      6KB

      MD5

      ec0504e6b8a11d5aad43b296beeb84b2

      SHA1

      91b5ce085130c8c7194d66b2439ec9e1c206497c

      SHA256

      5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

      SHA512

      3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

      Download Submit
    • \Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
      Filesize

      404KB

      MD5

      227c1f9fe7c7f6fb24a451a5ca84e722

      SHA1

      9c34be548c0b2affd930d05c1b315a5cbe9bca45

      SHA256

      bafcf2b563e935de1c9d2d55413d25b9a06a8ee8b4cdab49ba7bfe0bfb5c668a

      SHA512

      1fde79719e176eaa9f23211f9679d5406c219b2ae074227306001ea88c3c2f10c1ed1e0e52b10bc1e0ca9adc4cdc82d2da474ce7e59defaae816655ddc0fce66

      Download Submit