1696c0f354335754e99143a955410f83ec2e96cbb850bda00a3f6bc891ec04c6 | Triage

Analysis

max time kernel
7s
max time network
7s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/01/2025, 08:37

Sharing

Reason

Machine shutdown

Report Analysis Logs

General

Target

Lunar Client+破解/Lunar/Lunar Client+.cmd
Size

16B
MD5

b774e34f342dd3b17ce325bee2d7441d
SHA1

f97de0cb1aaf26d8ab9de39d72cc559f9b04a89e
SHA256

2aaae0bca455c8427d4364fedd8482ef1d90c2cbaaa9b095db838c53bf534b18
SHA512

9ae2b5b3c49f746f0d87f82ad3b1d7314a2735bc323f2bd954eb2ead11e2857d047f62613f1f678864560e9a1d9e0cd0b4f98526f0b3723872e2c4440d726ca4

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2272	shutdown.exe
Token: SeRemoteShutdownPrivilege	2272	shutdown.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 2272	1016	cmd.exe	29
PID 1016 wrote to memory of 2272	1016	cmd.exe	29
PID 1016 wrote to memory of 2272	1016	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Lunar Client+破解\Lunar\Lunar Client+.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\system32\shutdown.exe
  shutdown -s -t 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2272

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2444

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:3028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2444-0-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/3028-1-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download