General
-
Target
https://github.com/LunaExec/LunaExec
-
Sample
250119-p74bysykcw
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/LunaExec/LunaExec
Resource
win10ltsc2021-20250113-en
Malware Config
Targets
-
-
Target
https://github.com/LunaExec/LunaExec
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Enumerates processes with tasklist
-
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
3Component Object Model Hijacking
1Image File Execution Options Injection
1Netsh Helper DLL
1Privilege Escalation
Event Triggered Execution
3Component Object Model Hijacking
1Image File Execution Options Injection
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Modify Registry
1Obfuscated Files or Information
1Command Obfuscation
1Discovery
Browser Information Discovery
1Network Share Discovery
1Process Discovery
1Query Registry
5System Information Discovery
7System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1