b59d4d38c6c98590709bcb7e4299a4e10306b29d46a56c5e8a6bb274bd4bef31

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows/Ransomware/Monster Ransomware/XMoon.exe
Size

669KB
MD5

a690cce59e21f5198ca304243b084f9e
SHA1

8aeb0b106dd21e2afb50c3f7ae78ca4f8f4b29c5
SHA256

ea0a5854aa6e91ebe816d256f34f820697a92d86b4f81e8855c84daeed40b9d4
SHA512

9e0eebf53d0ea424ae9aeb0da2e27e5be75391a5be2945d29137da12baff32184df3a223692bbabb4b64350d902bd6847284d982e62313f3402035e842f4b758
SSDEEP

12288:X6Wq4aaE6KwyF5L0Y2D1PqL6eqhBkEFY9ddNdzYaTW3aSDcyImRlL7zo:1thEVaPqL6JkF9YaTLSigL7c

Score

10^/10

evasion ransomware trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicroCop.lnk	XMoon.exe

Loads dropped DLL 2 IoCs

pid	Process
2576	migwiz.exe
2704	XMoon.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral21/memory/2704-0-0x0000000000400000-0x0000000000506000-memory.dmp	upx
behavioral21/files/0x000600000001946b-174.dat	upx
behavioral21/memory/2704-184-0x0000000000400000-0x0000000000506000-memory.dmp	upx
behavioral21/memory/2704-194-0x0000000000400000-0x0000000000506000-memory.dmp	upx
behavioral21/memory/2704-204-0x0000000000400000-0x0000000000506000-memory.dmp	upx
behavioral21/memory/2704-214-0x0000000000400000-0x0000000000506000-memory.dmp	upx
behavioral21/memory/2704-226-0x0000000000400000-0x0000000000506000-memory.dmp	upx
behavioral21/memory/2704-236-0x0000000000400000-0x0000000000506000-memory.dmp	upx
behavioral21/memory/2704-246-0x0000000000400000-0x0000000000506000-memory.dmp	upx
behavioral21/memory/2704-256-0x0000000000400000-0x0000000000506000-memory.dmp	upx
behavioral21/memory/2704-267-0x0000000000400000-0x0000000000506000-memory.dmp	upx
behavioral21/memory/2704-277-0x0000000000400000-0x0000000000506000-memory.dmp	upx
behavioral21/memory/2704-287-0x0000000000400000-0x0000000000506000-memory.dmp	upx
behavioral21/memory/2704-297-0x0000000000400000-0x0000000000506000-memory.dmp	upx
behavioral21/memory/2704-309-0x0000000000400000-0x0000000000506000-memory.dmp	upx
behavioral21/memory/2704-318-0x0000000000400000-0x0000000000506000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\n:	XMoon.exe
File opened (read-only)	\??\p:	XMoon.exe
File opened (read-only)	\??\y:	XMoon.exe
File opened (read-only)	\??\z:	XMoon.exe
File opened (read-only)	\??\a:	XMoon.exe
File opened (read-only)	\??\b:	XMoon.exe
File opened (read-only)	\??\h:	XMoon.exe
File opened (read-only)	\??\t:	XMoon.exe
File opened (read-only)	\??\v:	XMoon.exe
File opened (read-only)	\??\e:	XMoon.exe
File opened (read-only)	\??\k:	XMoon.exe
File opened (read-only)	\??\l:	XMoon.exe
File opened (read-only)	\??\m:	XMoon.exe
File opened (read-only)	\??\o:	XMoon.exe
File opened (read-only)	\??\r:	XMoon.exe
File opened (read-only)	\??\u:	XMoon.exe
File opened (read-only)	\??\w:	XMoon.exe
File opened (read-only)	\??\g:	XMoon.exe
File opened (read-only)	\??\i:	XMoon.exe
File opened (read-only)	\??\j:	XMoon.exe
File opened (read-only)	\??\x:	XMoon.exe
File opened (read-only)	\??\q:	XMoon.exe
File opened (read-only)	\??\s:	XMoon.exe

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral21/memory/2704-184-0x0000000000400000-0x0000000000506000-memory.dmp	autoit_exe
behavioral21/memory/2704-194-0x0000000000400000-0x0000000000506000-memory.dmp	autoit_exe
behavioral21/memory/2704-204-0x0000000000400000-0x0000000000506000-memory.dmp	autoit_exe
behavioral21/memory/2704-214-0x0000000000400000-0x0000000000506000-memory.dmp	autoit_exe
behavioral21/memory/2704-226-0x0000000000400000-0x0000000000506000-memory.dmp	autoit_exe
behavioral21/memory/2704-236-0x0000000000400000-0x0000000000506000-memory.dmp	autoit_exe
behavioral21/memory/2704-246-0x0000000000400000-0x0000000000506000-memory.dmp	autoit_exe
behavioral21/memory/2704-256-0x0000000000400000-0x0000000000506000-memory.dmp	autoit_exe
behavioral21/memory/2704-267-0x0000000000400000-0x0000000000506000-memory.dmp	autoit_exe
behavioral21/memory/2704-277-0x0000000000400000-0x0000000000506000-memory.dmp	autoit_exe
behavioral21/memory/2704-287-0x0000000000400000-0x0000000000506000-memory.dmp	autoit_exe
behavioral21/memory/2704-297-0x0000000000400000-0x0000000000506000-memory.dmp	autoit_exe
behavioral21/memory/2704-309-0x0000000000400000-0x0000000000506000-memory.dmp	autoit_exe
behavioral21/memory/2704-318-0x0000000000400000-0x0000000000506000-memory.dmp	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\migwiz\$dpx$.tmp\895a9f0a86146c47a6d543ee02e5039b.tmp	wusa.exe
File opened for modification	C:\Windows\system32\migwiz\cryptbase.dll	wusa.exe
File opened for modification	C:\Windows\system32\migwiz\$dpx$.tmp\job.xml	wusa.exe
File opened for modification	C:\Windows\system32\migwiz\$dpx$.tmp	wusa.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg"	XMoon.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop	XMoon.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1156	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe
2704	XMoon.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2576	migwiz.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2316	2704	XMoon.exe	28
PID 2704 wrote to memory of 2316	2704	XMoon.exe	28
PID 2704 wrote to memory of 2316	2704	XMoon.exe	28
PID 2704 wrote to memory of 2316	2704	XMoon.exe	28
PID 2316 wrote to memory of 2156	2316	cmd.exe	30
PID 2316 wrote to memory of 2156	2316	cmd.exe	30
PID 2316 wrote to memory of 2156	2316	cmd.exe	30
PID 2704 wrote to memory of 2904	2704	XMoon.exe	31
PID 2704 wrote to memory of 2904	2704	XMoon.exe	31
PID 2704 wrote to memory of 2904	2704	XMoon.exe	31
PID 2704 wrote to memory of 2904	2704	XMoon.exe	31
PID 2904 wrote to memory of 2576	2904	WScript.exe	32
PID 2904 wrote to memory of 2576	2904	WScript.exe	32
PID 2904 wrote to memory of 2576	2904	WScript.exe	32
PID 2576 wrote to memory of 2620	2576	migwiz.exe	33
PID 2576 wrote to memory of 2620	2576	migwiz.exe	33
PID 2576 wrote to memory of 2620	2576	migwiz.exe	33
PID 2620 wrote to memory of 1156	2620	cmd.exe	35
PID 2620 wrote to memory of 1156	2620	cmd.exe	35
PID 2620 wrote to memory of 1156	2620	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\Windows\Ransomware\Monster Ransomware\XMoon.exe
"C:\Users\Admin\AppData\Local\Temp\Windows\Ransomware\Monster Ransomware\XMoon.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\system32\wusa.exe
    wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:2156
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\System32\migwiz\migwiz.exe
    "C:\Windows\System32\migwiz\migwiz.exe" C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32.cab

Filesize
47KB

MD5
9dda4db9e90ff039ad5a58785b9d626d

SHA1
507730d87b32541886ec1dd77f3459fa7bf1e973

SHA256
fc31b205d5e4f32fa0c71c8f72ee06b92a28bd8690f71ab8f94ff401af2228fe

SHA512
4cfecaaccd0f8f9e31690ff80cca83edc962e73861043fffded1a3847201455d5adca7c5ef3866c65e6e516205e67b2f31c8149aad5be1065c1eb586b013f86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.cab

Filesize
49KB

MD5
8cfa6b4acd035a2651291a2a4623b1c7

SHA1
43571537bf2ce9f8e8089fadcbf876eaf4cf3ae9

SHA256
6e438201a14a70980048d2377c2195608d5dc2cf915f489c0a59ac0627c98fa9

SHA512
e0a73401ce74c8db69964ef5a53f2a1b8caf8c739359785970295dae82619e81c0a21466327a023cf4009e0c15981a20bf1e18c73821083908fce722faa82685

Download Submit
C:\Users\Admin\AppData\Local\Temp\888.vbs

Filesize
280B

MD5
8be57121a3ecae9c90cce4adf00f2454

SHA1
aca585c1b6409bc2475f011a436b319e42b356d8

SHA256
35d7204f9582b63b47942a4df9a55b8825b6d0af295b641f6257c39f7dda5f5e

SHA512
85521f6cd62dd5bb848933a188a9ddb83dd7ae2c5f4a97b65ba7785c3d58dba27694c7df308f4cf0fdaaa8c55251ff14ed1632e315a16d8d0b15217bac381f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\wl.jpg

Filesize
119KB

MD5
bb86481ac1a7d726c358b6feed070d4e

SHA1
0f863774a54ad7cf8bbe2ec6790bec5f89a4c901

SHA256
be9af97d373820186e6493ec85f051091ed8f813602a999832754621403b280e

SHA512
b1c249f6448bdfee90eaeddd77fb38c45f085a8a51f81defe9313c56111cb1360a95a453cdafa363f976b2bc26cadf48dc098ddc69a928cb09ea5bbd00b33417

Download Submit
C:\Windows\System32\migwiz\CRYPTBASE.dll

Filesize
106KB

MD5
1deeaa34fc153cffb989ab43aa2b0527

SHA1
7a58958483aa86d29cba8fc20566c770e1989953

SHA256
c3cfa6c00f3d2536c640f1ee6df3f289818628c0e290be2f08df2c330097158a

SHA512
abbd5e28096a981a1d07a38bb1808fab590d78a890fc7960a86d8d9a1ae0c597eab655a2457d61afbfbce8c720965b89c1071759b819168b08058ee5be17dc86

Download Submit
\Users\Admin\AppData\Local\Temp\x.exe

Filesize
669KB

MD5
a690cce59e21f5198ca304243b084f9e

SHA1
8aeb0b106dd21e2afb50c3f7ae78ca4f8f4b29c5

SHA256
ea0a5854aa6e91ebe816d256f34f820697a92d86b4f81e8855c84daeed40b9d4

SHA512
9e0eebf53d0ea424ae9aeb0da2e27e5be75391a5be2945d29137da12baff32184df3a223692bbabb4b64350d902bd6847284d982e62313f3402035e842f4b758

Download Submit
memory/2704-204-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2704-246-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2704-184-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2704-194-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2704-0-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2704-207-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/2704-214-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2704-226-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2704-236-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2704-177-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/2704-256-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2704-267-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2704-277-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2704-287-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2704-297-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2704-309-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2704-318-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download