Overview
overview
7Static
static
7Lunar Clie...er.exe
windows7-x64
4Lunar Clie...er.exe
windows10-2004-x64
4$PLUGINSDI...p.html
windows7-x64
3$PLUGINSDI...p.html
windows10-2004-x64
3$PLUGINSDI...x.html
windows7-x64
3$PLUGINSDI...x.html
windows10-2004-x64
3$PLUGINSDI...app.js
windows7-x64
3$PLUGINSDI...app.js
windows10-2004-x64
3$PLUGINSDI...uts.js
windows7-x64
3$PLUGINSDI...uts.js
windows10-2004-x64
3$PLUGINSDI...dle.js
windows7-x64
3$PLUGINSDI...dle.js
windows10-2004-x64
3$PLUGINSDI...min.js
windows7-x64
3$PLUGINSDI...min.js
windows10-2004-x64
6$PLUGINSDI...ons.js
windows7-x64
3$PLUGINSDI...ons.js
windows10-2004-x64
3$PLUGINSDI...ics.js
windows7-x64
3$PLUGINSDI...ics.js
windows10-2004-x64
3$PLUGINSDI...nds.js
windows7-x64
3$PLUGINSDI...nds.js
windows10-2004-x64
3$PLUGINSDI...ies.js
windows7-x64
3$PLUGINSDI...ies.js
windows10-2004-x64
3$PLUGINSDI...ate.js
windows7-x64
3$PLUGINSDI...ate.js
windows10-2004-x64
3$PLUGINSDI...der.js
windows7-x64
3$PLUGINSDI...der.js
windows10-2004-x64
3$PLUGINSDI...ils.js
windows7-x64
3$PLUGINSDI...ils.js
windows10-2004-x64
3$PLUGINSDI...ler.js
windows7-x64
3$PLUGINSDI...ler.js
windows10-2004-x64
3$PLUGINSDI...ate.js
windows7-x64
3$PLUGINSDI...ate.js
windows10-2004-x64
3Resubmissions
22/10/2024, 19:51
241022-yk8gtstckl 722/10/2024, 19:48
241022-yjkpdatbnk 721/10/2024, 21:25
241021-z9xx3axema 7Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22/10/2024, 19:48
Behavioral task
behavioral1
Sample
Lunar Client - Installer.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Lunar Client - Installer.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/app/cmp.html
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/app/cmp.html
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/app/index.html
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/app/index.html
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/app/js/app.js
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/app/js/app.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/app/js/block_inputs.js
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/app/js/block_inputs.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/app/js/libs/cmp.bundle.js
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/app/js/libs/cmp.bundle.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/app/js/libs/jquery-1.10.2.min.js
Resource
win7-20241010-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/app/js/libs/jquery-1.10.2.min.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
$PLUGINSDIR/app/js/models/notifications.js
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
$PLUGINSDIR/app/js/models/notifications.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
$PLUGINSDIR/app/js/utils/analytics.js
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
$PLUGINSDIR/app/js/utils/analytics.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
$PLUGINSDIR/app/js/utils/commands.js
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
$PLUGINSDIR/app/js/utils/commands.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
$PLUGINSDIR/app/js/utils/cookies.js
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
$PLUGINSDIR/app/js/utils/cookies.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
$PLUGINSDIR/app/js/utils/modal-events-delegate.js
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
$PLUGINSDIR/app/js/utils/modal-events-delegate.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
$PLUGINSDIR/app/js/utils/strings-loader.js
Resource
win7-20240729-en
Behavioral task
behavioral26
Sample
$PLUGINSDIR/app/js/utils/strings-loader.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
$PLUGINSDIR/app/js/utils/utils.js
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
$PLUGINSDIR/app/js/utils/utils.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
$PLUGINSDIR/app/js/windows/cri/cri-controller.js
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
$PLUGINSDIR/app/js/windows/cri/cri-controller.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
$PLUGINSDIR/app/js/windows/cri/template.js
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
$PLUGINSDIR/app/js/windows/cri/template.js
Resource
win10v2004-20241007-en
General
-
Target
$PLUGINSDIR/app/js/libs/jquery-1.10.2.min.js
-
Size
90KB
-
MD5
44e3f0db3e4ab6fedc5758c05cf27591
-
SHA1
2d408aa1d35661019c95adcc60b78c0727ed25b4
-
SHA256
bc44d3631ffef1df7960e359f02002d3ada45ee05205c2cf1edd85da2f518144
-
SHA512
4d4844e53e686fc59a52e86588f328dca3ed6fdad7195c58942a98c51755a24981b903ee7c7b27785375eaad5a7d9501cf74b999674b79f214e66103bad9efdc
-
SSDEEP
1536:O4mCgi8DyCuXXFiJ+L0kJQsJVPEKuQRZdC/RAfDknv+p0WzH/Io9Z7qABZnu0JFV:OGsKYAI2p0WP9bDrJ7fak
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: wmplayer.exe File opened (read-only) \??\R: wmplayer.exe File opened (read-only) \??\U: wmplayer.exe File opened (read-only) \??\P: unregmp2.exe File opened (read-only) \??\S: unregmp2.exe File opened (read-only) \??\E: wmplayer.exe File opened (read-only) \??\G: wmplayer.exe File opened (read-only) \??\I: wmplayer.exe File opened (read-only) \??\V: wmplayer.exe File opened (read-only) \??\A: unregmp2.exe File opened (read-only) \??\E: unregmp2.exe File opened (read-only) \??\K: unregmp2.exe File opened (read-only) \??\O: wmplayer.exe File opened (read-only) \??\O: unregmp2.exe File opened (read-only) \??\Y: unregmp2.exe File opened (read-only) \??\Z: unregmp2.exe File opened (read-only) \??\B: wmplayer.exe File opened (read-only) \??\N: wmplayer.exe File opened (read-only) \??\M: unregmp2.exe File opened (read-only) \??\Q: unregmp2.exe File opened (read-only) \??\G: unregmp2.exe File opened (read-only) \??\I: unregmp2.exe File opened (read-only) \??\L: unregmp2.exe File opened (read-only) \??\R: unregmp2.exe File opened (read-only) \??\S: wmplayer.exe File opened (read-only) \??\H: unregmp2.exe File opened (read-only) \??\M: wmplayer.exe File opened (read-only) \??\W: wmplayer.exe File opened (read-only) \??\X: wmplayer.exe File opened (read-only) \??\T: wmplayer.exe File opened (read-only) \??\Y: wmplayer.exe File opened (read-only) \??\Z: wmplayer.exe File opened (read-only) \??\N: unregmp2.exe File opened (read-only) \??\T: unregmp2.exe File opened (read-only) \??\U: unregmp2.exe File opened (read-only) \??\W: unregmp2.exe File opened (read-only) \??\H: wmplayer.exe File opened (read-only) \??\J: wmplayer.exe File opened (read-only) \??\K: wmplayer.exe File opened (read-only) \??\P: wmplayer.exe File opened (read-only) \??\B: unregmp2.exe File opened (read-only) \??\J: unregmp2.exe File opened (read-only) \??\V: unregmp2.exe File opened (read-only) \??\X: unregmp2.exe File opened (read-only) \??\A: wmplayer.exe File opened (read-only) \??\Q: wmplayer.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll svchost.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language unregmp2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmplayer.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeShutdownPrivilege 344 unregmp2.exe Token: SeCreatePagefilePrivilege 344 unregmp2.exe Token: SeShutdownPrivilege 3344 wmplayer.exe Token: SeCreatePagefilePrivilege 3344 wmplayer.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3344 wmplayer.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 3344 wrote to memory of 896 3344 wmplayer.exe 111 PID 3344 wrote to memory of 896 3344 wmplayer.exe 111 PID 3344 wrote to memory of 896 3344 wmplayer.exe 111 PID 896 wrote to memory of 344 896 unregmp2.exe 112 PID 896 wrote to memory of 344 896 unregmp2.exe 112
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app\js\libs\jquery-1.10.2.min.js1⤵PID:4896
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:344
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵
- Drops file in Windows directory
PID:4784
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\OutConvertTo.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- System Location Discovery: System Language Discovery
PID:1736
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\OutConvertTo.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- System Location Discovery: System Language Discovery
PID:3884
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5987a07b978cfe12e4ce45e513ef86619
SHA122eec9a9b2e83ad33bedc59e3205f86590b7d40c
SHA256f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8
SHA51239b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa
-
Filesize
1024KB
MD52b1039cf0b6d90ed67b37999ad9c4a88
SHA1dd33ad9c1f8e60455eff5267b687079b12373da4
SHA256e69afb87d5e91ce354e732dcecbbf7f5566cda14d2041e3316e9cc8045c8ee72
SHA5120ee8491ff174bb41a1410b4bec57a1b8d38feb9ad18f3a1aaab35b092a0193f20b640af0c16c3eb3755f0e6642d7c5baae3a35c3c07e3869a66b96935857fa33
-
Filesize
498B
MD590be2701c8112bebc6bd58a7de19846e
SHA1a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe
-
Filesize
9KB
MD55433eab10c6b5c6d55b7cbd302426a39
SHA1c5b1604b3350dab290d081eecd5389a895c58de5
SHA25623dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131
SHA512207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
1KB
MD5850c3a082ccdac56b751f528d6a703cf
SHA18ca18642f863ff5111720e97fa5d3e9d3027dea1
SHA2566ea924895c28ae5d8aaefa6748e487a80c79ed0f6262df28bd755b215bf01af3
SHA512ffcf9b0000c117163b6a7961488cbf3f41f4441de8178462bdb2e590e4ce28f26f053ffc83cf0b554501971ddaa50a1bf94a59034a8dbc4a0e084b285d4cd579
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
Filesize1KB
MD537bd2c57d991d73310e4f2de2cf67fc6
SHA1937ad6bfaa583513cfbd180d8119a366f8c67d7f
SHA2562d624d9d62a141e47ca2e68f6cd37624719e48ff92bba517eb7fbaab758d21ae
SHA512d966cfcc8574580a535f2992237e04f1acc7ee25117ff08229827f068106800b873a0c217b5bee55eebaa6fa896a39715a66842bb34c27907f550a390e41f703
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
Filesize3KB
MD50d0d27256b45a5655259b95359af0055
SHA151bff56944ed8df695b19d790f651b91da462952
SHA256393cf676da125538fedcfcdc6d32e593ba55819bcff8c7c270f36fab0183cca5
SHA512c36cb201a37fabd1e8029f2c1109e9760392510f61f762097aca714c8bee961133eb9e87ac7d2c208654855f5fb0395dfcd8f30352888cc6f96be4983c50465f