9984c879995a1ac07533eba9f8ccfb88b82e81c010331ea46a52427395cd7d06

Analysis

max time kernel
58s
max time network
43s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lunar_Launcher.exe
Size

3.2MB
MD5

e6810402c4da84354ed06ad83ba5ffa8
SHA1

5d34d41750a512ffbbc49613acdea9ed7d3cc2f5
SHA256

9984c879995a1ac07533eba9f8ccfb88b82e81c010331ea46a52427395cd7d06
SHA512

38e185c2cf8fdf5baa3005f6562742f080260f16b202a2a75b9ed749631853f199543dabc7a96f8488198ad9fdebef1704a891f34ca675ae47179bcfb1ee532d
SSDEEP

98304:gwyrkJci8kn0p9zCFm0kR2wum3yMyRGBVMaGjTzJmg:PygJci8kK9zC80DmsuVEjTzIg

Score

7^/10

discovery

Malware Config

Signatures

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x000a000000023426-177.dat	net_reactor
behavioral2/memory/4916-186-0x00000000004A0000-0x0000000000DE8000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Lunar_Launcher.exe

Executes dropped EXE 1 IoCs

pid	Process
4916	Lunar S.exe

Loads dropped DLL 1 IoCs

pid	Process
4916	Lunar S.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	pastebin.com
12	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lunar_Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lunar S.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3924	Lunar_Launcher.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3924	Lunar_Launcher.exe
Token: SeDebugPrivilege	4916	Lunar S.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 4916	3924	Lunar_Launcher.exe	86
PID 3924 wrote to memory of 4916	3924	Lunar_Launcher.exe	86
PID 3924 wrote to memory of 4916	3924	Lunar_Launcher.exe	86

C:\Users\Admin\AppData\Local\Temp\Lunar_Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Lunar_Launcher.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Users\Admin\AppData\Local\Temp\Lunar S.exe
  "C:\Users\Admin\AppData\Local\Temp\Lunar S.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Lunar S.exe

Filesize
9.3MB

MD5
36694cca2135f3a80e7edee51d03190a

SHA1
5089e53dda47e456c9da61b98fe73ce2649e0225

SHA256
ca487bad0fa294194e9c966c3e2130b60248d7cc2d34c233a50bb6ae46dcfc5e

SHA512
dc341145135140663ea94656604cfa35c1be87012a1ef411d212354e080daa2b45b975c44055c6afa1a86800dd2768ff77249c7ff8744b1c179be72685855da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scripts\!Welcome!.txt

Filesize
17B

MD5
edcdb41da3e255a089e3286b6f392bdf

SHA1
446fee990631085500026cdd73bb81a2adaa4548

SHA256
63257a9f3e673d8dc24fefd7c21095a0b84ca0fac613acf355727103b158f02d

SHA512
31b55154b550002510f6f359f2a8ea6c8c4403d47fec2e8b2024c091cf211f57adefc933819038b2325a14eac26949087f488c154608d163d180db79ca4a4c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scripts\Btools.txt

Filesize
526B

MD5
b429cc104ce8ce3b36f348cab76d4435

SHA1
1972ff2bd13840ebcdfb4e22038b57ace7656aed

SHA256
4efaeb501e792ae8ad8e75dbce370a9c68763889a48461695156ccb20e62806e

SHA512
38a46a53342231cc3e00cc9baa8d8ce31165b8139538124f6bb4adc16530f2efcc97b98533e2141c2a49d8aa5c6cd56718c9cd783e81c83fefc88ca512c34a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scripts\Dex Explorer v2.txt

Filesize
632KB

MD5
317fec7c823a6ba4ad613220b587a0e8

SHA1
3884e8a9a9122e7912c76c919f20c1b9d274f505

SHA256
5573cc6f439511c5ec73b0c88af87bce49cac37475aa32da5b75b931f632a3dc

SHA512
d5adc2137051ab321197d0a2261ab991f5bf16e0271485c64b66679d863efb58191fe269fc40aa39feefd380b28d33168a6910b7ec40dedd2974e6d1d2db0bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scripts\Dex Explorer.txt

Filesize
772KB

MD5
a39e58e282d7f358148657f364697868

SHA1
d0daa24f30aa7ce2e77b9ced33ffa328b306afa9

SHA256
694ee92839e98635a3597f19deeabfde45efa44399c08ae9602bab145cc3f141

SHA512
242868b3d3494f42a9dba7989149c947d4b2efa93ab277053bf711d4db782e6b8b2af2a7d607105126a2023ca9eaba12259c327d6bc7eb4944e17f99c81b1a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scripts\DexV1.txt

Filesize
66B

MD5
ee34b30a428444dd46c632004b5b77fc

SHA1
1d7e21b3c6773658fa2d3810d34fb72c7a33fcdf

SHA256
c3da6449cbccdf23496010f27b5b0b11e605a115ba10478bf3f7ec4c89021298

SHA512
262f3677b48035f0a29b727fda7de68bf44bff752e15bf3fdaf74d9f9816050b8cd96cd72f1a39e0996b42bcb7b64545c9111f386ee5a3b7e5a491fc94b08845

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scripts\DexV4.txt

Filesize
65B

MD5
8ad7b0baa10fbec03960f028cd0c77e7

SHA1
c2384f1eaaad905e273e04b681a973e26958ae83

SHA256
3695fac890f7757822c873eafd5288b3b336a216d11b17155617774702af57e5

SHA512
17e8721d581301c0f6520752cf70be2a2afa6b13b6af42a07e5d09434e34e47df548079112f89dd267d9ce5e55a65f32209645a4eac2082bef2673d61365298c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scripts\FPSBoost.txt

Filesize
2KB

MD5
b7d4143675b533a08c41036c65bb1a99

SHA1
9dfab0fa6bccbd30135648b407ebb0e5abaabe7d

SHA256
bdb7d1fb51886b7b3d955e6058ad9cfce18d745da4e595375c95a3ffc9640a79

SHA512
e71883d7c0855b1e50b4d193d18a9bb19fcf0ff2e26b13978e379dd6062b79510f90e0932b2f7196839cb29b9f4218027c3beef7edde5e98d37ef5b13e5c9518

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scripts\Infinite Jump.txt

Filesize
630B

MD5
ad4f05b96d66f66c2e84e5215604e6e4

SHA1
78d97f41ed4e636a42585edcb9a7f295aff2eb30

SHA256
36e30599f3d04e5368f6637631ba0f247db210782fbe56edf942f0dabbe6aa3c

SHA512
b8e47cb0f831e8b64eb632eb5b1a81f30b3b45307a26a5b5cb69b5a9dc8f0cb4d97b25d8f8871a1d1e33d8f793d9b2791a710d37b7cd070342e0df33921f196a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scripts\Infinite Yield.txt

Filesize
430KB

MD5
51940272f2b31404bf8117f730abcf8b

SHA1
898e0cca063f05bb50155a724d7baf023e318ba6

SHA256
6a32640a247ecd1bfc15e5017b6b3f4266b1fe3002d4f6aaf78564ac89f644a1

SHA512
d1117df0c892eb3b6e0097376e45b99ebc79c1dc110ab9161a62f323508c71dcbeefdb4d055c0a9776a5fd45f9dc3dde567221be8cbc4b029dae38cbf066e10c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scripts\MM2.txt

Filesize
121B

MD5
fcfeae4283d34c4cca075bac0fe5eff3

SHA1
d6163e7a64d84e36f6759329fae168ae5e9dacc7

SHA256
66f0b49a3b4ec4aaf12853e2dc02d02baa42f3a42881f0dd171cb9a700613cba

SHA512
235b7c21043a34615c2b213f9be924cef0c3aeef6fd2c9d59dd135af154d8ccf3be55ba61a47dc7e1df4c26199c1bcce6c3d2058c839e23e31113246612607f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scripts\NoClip.txt

Filesize
442B

MD5
fb058c937f0d722e65fdb325a51fb0e8

SHA1
1420b58a85d3453a5830b4fb1f3320b22c25c4db

SHA256
8d5d841f0a39a3095196032818a8065ddea5b9c7dfd492d437157b411e3c9645

SHA512
84a68d190a35bc10e1b3d9dde08159526f3994049c31b02861dc563e3a2ef9cb49e4c9189250a1e8b8b743297b41226ce2e827e2daad9fe159b46da67b15daa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scripts\Reviz Admin.txt

Filesize
120KB

MD5
a10505e68dcf830f169e85e731fea71b

SHA1
69b1701e45558c155c156745a92a8f2e3f1adc53

SHA256
ca631d1fa26945572f27973e77809e4c0f65befeb237980ce758c4f37eb9e257

SHA512
2fc44547072dfc7e173bed221b106c42f3cf2b5b983434b74594d5b26325de2fbacacff1d7592a741b68ace8c1b222c965fbd05fd8ca989d8ce89ed9bfeccd23

Download Submit
C:\Users\Admin\AppData\Local\Temp\runtimes\win-x86\native\WebView2Loader.dll

Filesize
112KB

MD5
33f7fa1198c0bf4988a0210f144b20b4

SHA1
06d50e37389480f542c8e15ae2e85106bbe9c304

SHA256
8c1b0ae8b7e7aa402407f00f22efb1989e47aeaa9c6a1ffa98341672d9ecf6dc

SHA512
09905095729e37f00fde5ce967fb309c8e64c76bf0f6839fa27bede39b91d663684c8de05c16fda63699df73a78a23a60a367a5e9c56366d6c74424506a4454d

Download Submit
memory/3924-4-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/3924-8-0x000000000B510000-0x000000000B522000-memory.dmp

Filesize
72KB

Download
memory/3924-6-0x000000000A660000-0x000000000A66E000-memory.dmp

Filesize
56KB

Download
memory/3924-3-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/3924-0-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/3924-2-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/3924-188-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/3924-5-0x000000000A680000-0x000000000A6B8000-memory.dmp

Filesize
224KB

Download
memory/3924-7-0x000000000A6D0000-0x000000000A6DA000-memory.dmp

Filesize
40KB

Download
memory/3924-1-0x00000000006B0000-0x00000000009E0000-memory.dmp

Filesize
3.2MB

Download
memory/4916-206-0x0000000012C10000-0x0000000012CA2000-memory.dmp

Filesize
584KB

Download
memory/4916-203-0x0000000012210000-0x0000000012286000-memory.dmp

Filesize
472KB

Download
memory/4916-186-0x00000000004A0000-0x0000000000DE8000-memory.dmp

Filesize
9.3MB

Download
memory/4916-189-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4916-204-0x0000000012510000-0x0000000012532000-memory.dmp

Filesize
136KB

Download
memory/4916-205-0x0000000012A80000-0x0000000012A9E000-memory.dmp

Filesize
120KB

Download
memory/4916-185-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4916-190-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4916-209-0x0000000012BE0000-0x0000000012BE8000-memory.dmp

Filesize
32KB

Download
memory/4916-210-0x0000000012DC0000-0x0000000013114000-memory.dmp

Filesize
3.3MB

Download
memory/4916-212-0x0000000012D60000-0x0000000012D68000-memory.dmp

Filesize
32KB

Download
memory/4916-213-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4916-214-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download