Overview

overview

10

Static

static

10

MoonHub.exe

windows10-ltsc 2021-x64

10

MoonHub.exe

windows11-21h2-x64

Resubmissions

15-01-2025 15:15

250115-sm889awng1 10

15-01-2025 07:58

250115-jt4snsxraq 10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    15-01-2025 07:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MoonHub.exe

  • Size

    55KB

  • MD5

    d33c25da94cb95d1e34f9d22cfd51f99

  • SHA1

    b0e82ba0f916dd2e104e612c9a5dc73a96a7b2e1

  • SHA256

    f434f44ae7c461b9f88f955cc0977cbf0ae163267b38b5e6ad7989dbcc2d5047

  • SHA512

    460d29f349edf87720b4841bbbd5f8c9b63c81b11d893b9625622ef5912e1f6ded6c85fbe2ed670a31788df9eb4c1d149994cc14f23413d62023e51a2b30e5e1

  • SSDEEP

    1536:V/pMDnE4uNRty4XzPhhDVwsNMDHXExI3pm+m:rMDnlYk4XdhDVwsNMDHXExI3pm

Score
10/10
njratniggerdiscoveryevasionexecutionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

nigger

C2

2.tcp.eu.ngrok.io:13018

Mutex

49a48a7812fddb0d43bb9f70f2221a57

Attributes
  • reg_key

    49a48a7812fddb0d43bb9f70f2221a57

  • splitter

    Y262SUCZ4UJJ

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Njrat family
    njrat
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 60 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\MoonHub.exe
    "C:\Users\Admin\AppData\Local\Temp\MoonHub.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4144
    • C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Local\Temp\MoonHub.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Views/modifies file attributes
      PID:2980
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4188
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1128
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c sc query windefend
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3824
      • C:\Windows\SysWOW64\sc.exe
        sc query windefend
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2988
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c sc stop windefend
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Windows\SysWOW64\sc.exe
        sc stop windefend
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2972
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c sc delete windefend
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Windows\SysWOW64\sc.exe
        sc delete windefend
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:1972
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn CleanSweepCheck /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1116
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\Users\Admin\AppData\Local\Temp\MoonHub.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3516
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3468
      • C:\Windows\SysWOW64\reg.exe
        reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:4956
    • C:\Users\Admin\AppData\Local\Temp\cad99bcd42bc4efd81e2d88f3383ca1e.exe
      "C:\Users\Admin\AppData\Local\Temp\cad99bcd42bc4efd81e2d88f3383ca1e.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      PID:2420
  • C:\Users\Admin\AppData\Local\Temp\MoonHub.exe
    "C:\Users\Admin\AppData\Local\Temp\MoonHub.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:992
  • C:\Users\Admin\AppData\Local\Temp\MoonHub.exe
    "C:\Users\Admin\AppData\Local\Temp\MoonHub.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:1332
  • C:\Users\Admin\AppData\Local\Temp\MoonHub.exe
    "C:\Users\Admin\AppData\Local\Temp\MoonHub.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:4384
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
      PID:4336

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    System Services

    1
    T1569

    Service Execution

    1
    T1569.002

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Hide Artifacts

    1
    T1564

    Hidden Files and Directories

    1
    T1564.001

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    4
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Web Service

    1
    T1102

    Exfiltration

    Impact

    Service Stop

    1
    T1489

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\MoonHub.exe.log
      Filesize

      319B

      MD5

      cdab7719c71b2844a3e7ff9e41894b8a

      SHA1

      8e6e0e55695e468eb3c237f21340c9d30cab922c

      SHA256

      e84a57ed5465aaca393476f6271a2413dddad154cbae40827c4639bfc0b3e3eb

      SHA512

      ec92e8fc3ce02336eea401f9db823ac0a2ad87bb41130f493e72f3c5ca100a461d6296a710afcc93e1fe1fc8630c5e0029e17f58583520077a3c80ad794d9dc9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MoonHub.exe
      Filesize

      55KB

      MD5

      d33c25da94cb95d1e34f9d22cfd51f99

      SHA1

      b0e82ba0f916dd2e104e612c9a5dc73a96a7b2e1

      SHA256

      f434f44ae7c461b9f88f955cc0977cbf0ae163267b38b5e6ad7989dbcc2d5047

      SHA512

      460d29f349edf87720b4841bbbd5f8c9b63c81b11d893b9625622ef5912e1f6ded6c85fbe2ed670a31788df9eb4c1d149994cc14f23413d62023e51a2b30e5e1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e4mdojo3.spu.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\cad99bcd42bc4efd81e2d88f3383ca1e.exe
      Filesize

      436KB

      MD5

      a9d32c2ea6c4957e4bfef9fb0dabd8d8

      SHA1

      5dac99e3da8846602382c57a3fc24ccc4613ea20

      SHA256

      d167d7de10c0a15976d2877b5ce0bae62f1c9825e07880c58a1a3e01d2126144

      SHA512

      b88f6707dda39ea2c509e6ae050339c054648fa0dd5d5385b53bb75f7f3a3feacdf69f580796701d7cc45e779456da4205f466352779ab0a0616581c7615b31e

      Download Submit

    • memory/1128-24-0x0000000006530000-0x000000000657C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1128-43-0x00000000078B0000-0x00000000078BA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1128-3-0x000000007234E000-0x000000007234F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1128-7-0x0000000072340000-0x0000000072AF1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1128-8-0x00000000056E0000-0x0000000005DAA000-memory.dmp

      Filesize

      6.8MB

      Download

    • memory/1128-9-0x00000000055A0000-0x00000000055C2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1128-10-0x0000000005E20000-0x0000000005E86000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1128-11-0x0000000005F00000-0x0000000005F66000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1128-48-0x0000000072340000-0x0000000072AF1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1128-45-0x0000000072340000-0x0000000072AF1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1128-22-0x0000000006070000-0x00000000063C7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1128-23-0x00000000064E0000-0x00000000064FE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1128-44-0x0000000007AD0000-0x0000000007B66000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1128-26-0x000000006EB90000-0x000000006EBDC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1128-25-0x00000000076F0000-0x0000000007722000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1128-36-0x0000000072340000-0x0000000072AF1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1128-38-0x0000000072340000-0x0000000072AF1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1128-37-0x00000000076B0000-0x00000000076CE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1128-39-0x0000000072340000-0x0000000072AF1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1128-40-0x0000000007730000-0x00000000077D3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/1128-41-0x0000000007E90000-0x000000000850A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1128-42-0x0000000007850000-0x000000000786A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1128-5-0x0000000004E80000-0x0000000004EB6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2420-65-0x0000000000400000-0x0000000000474000-memory.dmp

      Filesize

      464KB

      Download

    • memory/4144-0-0x00000000745C2000-0x00000000745C3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4144-21-0x00000000745C0000-0x0000000074B71000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4144-4-0x00000000745C2000-0x00000000745C3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4144-6-0x00000000745C0000-0x0000000074B71000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4144-2-0x00000000745C0000-0x0000000074B71000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4144-1-0x00000000745C0000-0x0000000074B71000-memory.dmp

      Filesize

      5.7MB

      Download