Analysis
max time kernel: 62s
max time network: 64s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-06-2024 02:46

Static task: static1
Behavioral task: behavioral1
Sample: LUNA RAIDER.exe
Resource: win7-20231129-en
General
Target: LUNA RAIDER.exe
Size: 8.2MB
MD5: 0437fa16eec1dedfd1ddf69afcccbf0f
SHA1: 1649d8123ebbbc26857b0383efbbc8c329f23161
SHA256: 01b82e741a88ef644df41689744f4a883d25f4ea3ad172b0a7c61b9d7eddd712
SHA512: 5e995a9b3ec1cee80700f4c7f264b09f826a67bdfc65c67bb848815f5289656580e3f62853e0397da0a425ba28fabe385674320d53c36363abab2b2497de5eb2
SSDEEP: 196608:b2qInJf+oTjOGNW+8u8tMmo/UIaIZQHFUQsGZgqBPtgsV:b2qIn4GN8osIVZQu6gAFgk
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla payload (1 IoC)
Processes:
  resource: behavioral2/memory/4364-7-0x0000000005660000-0x0000000005856000-memory.dmp
  yara_rule: family_agenttesla

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  LUNA RAIDER.exe: Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation

Obfuscated with Agile.Net obfuscator (2 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource: behavioral2/memory/4364-10-0x0000000006140000-0x00000000062CE000-memory.dmp
  yara_rule: agile_net
  resource: behavioral2/memory/4364-11-0x00000000074D0000-0x000000000761E000-memory.dmp
  yara_rule: agile_net

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  LUNA RAIDER.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  LUNA RAIDER.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  LUNA RAIDER.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion

Modifies registry class (2 IoCs)
Processes:
  LUNA RAIDER.exe: Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings
  OpenWith.exe: Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid 1572: OpenWith.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  pid 4364: LUNA RAIDER.exe, Token: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid 1572: OpenWith.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 4364 (LUNA RAIDER.exe) wrote to memory of 4688 (cmd.exe)
  PID 4364 (LUNA RAIDER.exe) wrote to memory of 4688 (cmd.exe)
  PID 4364 (LUNA RAIDER.exe) wrote to memory of 4688 (cmd.exe)
  PID 4688 (cmd.exe) wrote to memory of 5144 (choice.exe)
  PID 4688 (cmd.exe) wrote to memory of 5144 (choice.exe)
  PID 4688 (cmd.exe) wrote to memory of 5144 (choice.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\LUNA RAIDER.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\LUNA RAIDER.exe"
  Signatures: Checks computer location settings; Enumerates system info in registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\LUNA RAIDER.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe (depth 3)
      Command line: choice /C Y /N /D Y /T 3
- C:\Windows\system32\OpenWith.exe (depth 1)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe (depth 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
Memory dump (filesize):
  memory/4364-0-0x000000007486E000-0x000000007486F000-memory.dmp (4KB)
  memory/4364-1-0x0000000000140000-0x0000000000986000-memory.dmp (8.3MB)
  memory/4364-2-0x0000000005A40000-0x0000000005FE4000-memory.dmp (5.6MB)
  memory/4364-3-0x00000000053B0000-0x0000000005442000-memory.dmp (584KB)
  memory/4364-4-0x0000000005330000-0x0000000005342000-memory.dmp (72KB)
  memory/4364-5-0x0000000005460000-0x000000000546A000-memory.dmp (40KB)
  memory/4364-6-0x0000000074860000-0x0000000075010000-memory.dmp (7.7MB)
  memory/4364-7-0x0000000005660000-0x0000000005856000-memory.dmp (2.0MB)
  memory/4364-8-0x0000000005FF0000-0x000000000613E000-memory.dmp (1.3MB)
  memory/4364-9-0x0000000005960000-0x0000000005974000-memory.dmp (80KB)
  memory/4364-10-0x0000000006140000-0x00000000062CE000-memory.dmp (1.6MB)
  memory/4364-11-0x00000000074D0000-0x000000000761E000-memory.dmp (1.3MB)
  memory/4364-12-0x0000000007650000-0x0000000007680000-memory.dmp (192KB)
  memory/4364-13-0x00000000076A0000-0x00000000077B6000-memory.dmp (1.1MB)
  memory/4364-14-0x0000000074860000-0x0000000075010000-memory.dmp (7.7MB)
  memory/4364-15-0x0000000009FE0000-0x000000000A01C000-memory.dmp (240KB)
  memory/4364-16-0x000000000A020000-0x000000000A03A000-memory.dmp (104KB)
  memory/4364-20-0x0000000074860000-0x0000000075010000-memory.dmp (7.7MB)