Overview

overview

10

Static

static

10

Lunar-Installer.exe

windows11-21h2-x64

Analysis

  • max time kernel
    27s
  • max time network
    31s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    18-10-2024 00:39

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Lunar-Installer.exe

  • Size

    78KB

  • MD5

    198c4f987d10585ab6abe668843c70d3

  • SHA1

    d770c3f3a80bb49503b663b74cc78122e3aede55

  • SHA256

    c0f1b8ff2ed107498a16841b5ec6c24d35aa410ad89a0b1a5871a24efa42b981

  • SHA512

    98c72614c045d4f352bed445b1b2d9601692e8fbe16de2a3695a2d1d08f261e153cefcff7cbddc9b6cb06c7a662eb5fc8f53ef9329339eb89abf66a75c743294

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+yPIC:5Zv5PDwbjNrmAE++IC

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI5NjU5MTI0NDIwMTU2MjE1Mg.G4FACx.oywpgvxmAJilA5M2GHJk-y_hnGd-0gH9x4_Tz8

  • server_id

    1296544633794461808

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Lunar-Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Lunar-Installer.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Windows\System32\shutdown.exe
      "C:\Windows\System32\shutdown.exe" /s /t 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1992
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3a7f855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1476-0-0x00007FFAE7833000-0x00007FFAE7835000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1476-1-0x000002ACFD8F0000-0x000002ACFD908000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1476-2-0x000002AD00000000-0x000002AD001C2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1476-3-0x00007FFAE7830000-0x00007FFAE82F2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1476-4-0x000002AC992B0000-0x000002AC997D8000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1476-5-0x00007FFAE7833000-0x00007FFAE7835000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1476-6-0x00007FFAE7830000-0x00007FFAE82F2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1476-7-0x00007FFAE7830000-0x00007FFAE82F2000-memory.dmp

    Filesize

    10.8MB

    Download