1696c0f354335754e99143a955410f83ec2e96cbb850bda00a3f6bc891ec04c6 | Triage

Analysis

max time kernel
6s
max time network
7s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/01/2025, 08:37

Sharing

Reason

Machine shutdown

Report Analysis Logs

General

Target

Lunar Client+破解/Lunar Client+启动器1号.cmd
Size

16B
MD5

28d6cb9798b70c6a201ef66402724d74
SHA1

e3268b06cc205d8b40aa3b5454d97766c36ec130
SHA256

ba543f40fab120657920115d60fc9953fc803f3a0114ca347671e057d15217b3
SHA512

1bee6a9a16f93bb658b470482ca07a1ca02ad6dae092d931c870e66ffd05f54d190e47cb00d4ecee5a9900a142aabfee5c536ae1aa8650c6a4d411354e48384e

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2300	shutdown.exe
Token: SeRemoteShutdownPrivilege	2300	shutdown.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2300	2520	cmd.exe	31
PID 2520 wrote to memory of 2300	2520	cmd.exe	31
PID 2520 wrote to memory of 2300	2520	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Lunar Client+破解\Lunar Client+启动器1号.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\system32\shutdown.exe
  shutdown -s -t 2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2300

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2556

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2556-0-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/2888-1-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download