Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

BUG32.exe

windows7-x64

BUG32.exe

windows10-2004-x64

Windows/Bonzify.exe

windows7-x64

8

Windows/Bonzify.exe

windows10-2004-x64

8

BossDaMajor.exe

windows7-x64

BossDaMajor.exe

windows10-2004-x64

Happy99.exe

windows7-x64

5

Happy99.exe

windows10-2004-x64

5

Magistr.exe

windows7-x64

1

Magistr.exe

windows10-2004-x64

1

Maldal.exe

windows7-x64

5

Maldal.exe

windows10-2004-x64

5

MeltingScreen.exe

windows7-x64

1

MeltingScreen.exe

windows10-2004-x64

1

Windows/Ra...ac.exe

windows7-x64

Windows/Ra...ac.exe

windows10-2004-x64

Windows/Ra...it.exe

windows7-x64

10

Windows/Ra...it.exe

windows10-2004-x64

10

Windows/Ra...or.exe

windows7-x64

Windows/Ra...or.exe

windows10-2004-x64

Windows/Ra...on.exe

windows7-x64

10

Windows/Ra...on.exe

windows10-2004-x64

7

Windows/Ra...ye.exe

windows7-x64

10

Windows/Ra...ye.exe

windows10-2004-x64

10

Windows/Ra...Eye.js

windows7-x64

10

Windows/Ra...Eye.js

windows10-2004-x64

10

Windows/Ra...ya.exe

windows7-x64

10

Windows/Ra...ya.exe

windows10-2004-x64

10

Windows/Ra...om.exe

windows7-x64

1

Windows/Ra...om.exe

windows10-2004-x64

1

Windows/Ra...om.exe

windows7-x64

3

Windows/Ra...om.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/02/2024, 22:32 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Windows/Ransomware/Monster Ransomware/XMoon.exe

  • Size

    669KB

  • MD5

    a690cce59e21f5198ca304243b084f9e

  • SHA1

    8aeb0b106dd21e2afb50c3f7ae78ca4f8f4b29c5

  • SHA256

    ea0a5854aa6e91ebe816d256f34f820697a92d86b4f81e8855c84daeed40b9d4

  • SHA512

    9e0eebf53d0ea424ae9aeb0da2e27e5be75391a5be2945d29137da12baff32184df3a223692bbabb4b64350d902bd6847284d982e62313f3402035e842f4b758

  • SSDEEP

    12288:X6Wq4aaE6KwyF5L0Y2D1PqL6eqhBkEFY9ddNdzYaTW3aSDcyImRlL7zo:1thEVaPqL6JkF9YaTLSigL7c

Score
7/10
ransomwareupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 14 IoCs

    AutoIT scripts compiled to PE executables.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Windows\Ransomware\Monster Ransomware\XMoon.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows\Ransomware\Monster Ransomware\XMoon.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3700
      • C:\Windows\system32\wusa.exe
        wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\
        3⤵
          PID:1508
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888.vbs"
        2⤵
          PID:4220

      Network

      • flag-us
        DNS
        138.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        138.32.126.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        9.228.82.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        9.228.82.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        210.178.17.96.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        210.178.17.96.in-addr.arpa
        IN PTR
        Response
        210.178.17.96.in-addr.arpa
        IN PTR
        a96-17-178-210deploystaticakamaitechnologiescom
      • flag-us
        DNS
        41.110.16.96.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        41.110.16.96.in-addr.arpa
        IN PTR
        Response
        41.110.16.96.in-addr.arpa
        IN PTR
        a96-16-110-41deploystaticakamaitechnologiescom
      • flag-us
        DNS
        26.165.165.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        26.165.165.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        206.23.85.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        206.23.85.13.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        140.71.91.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        140.71.91.104.in-addr.arpa
        IN PTR
        Response
        140.71.91.104.in-addr.arpa
        IN PTR
        a104-91-71-140deploystaticakamaitechnologiescom
      • flag-us
        DNS
        202.178.17.96.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        202.178.17.96.in-addr.arpa
        IN PTR
        Response
        202.178.17.96.in-addr.arpa
        IN PTR
        a96-17-178-202deploystaticakamaitechnologiescom
      • flag-us
        DNS
        19.229.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        19.229.111.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        190.178.17.96.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        190.178.17.96.in-addr.arpa
        IN PTR
        Response
        190.178.17.96.in-addr.arpa
        IN PTR
        a96-17-178-190deploystaticakamaitechnologiescom
      • flag-us
        DNS
        10.179.89.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        10.179.89.13.in-addr.arpa
        IN PTR
        Response
      No results found
      • 8.8.8.8:53
        138.32.126.40.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        138.32.126.40.in-addr.arpa

      • 8.8.8.8:53
        9.228.82.20.in-addr.arpa
        dns
        70 B
         156 B
         1
        1

        DNS Request

        9.228.82.20.in-addr.arpa

      • 8.8.8.8:53
        210.178.17.96.in-addr.arpa
        dns
        72 B
         137 B
         1
        1

        DNS Request

        210.178.17.96.in-addr.arpa

      • 8.8.8.8:53
        41.110.16.96.in-addr.arpa
        dns
        71 B
         135 B
         1
        1

        DNS Request

        41.110.16.96.in-addr.arpa

      • 8.8.8.8:53
        26.165.165.52.in-addr.arpa
        dns
        72 B
         146 B
         1
        1

        DNS Request

        26.165.165.52.in-addr.arpa

      • 8.8.8.8:53
        206.23.85.13.in-addr.arpa
        dns
        71 B
         145 B
         1
        1

        DNS Request

        206.23.85.13.in-addr.arpa

      • 8.8.8.8:53
        140.71.91.104.in-addr.arpa
        dns
        72 B
         137 B
         1
        1

        DNS Request

        140.71.91.104.in-addr.arpa

      • 8.8.8.8:53
        202.178.17.96.in-addr.arpa
        dns
        72 B
         137 B
         1
        1

        DNS Request

        202.178.17.96.in-addr.arpa

      • 8.8.8.8:53
        19.229.111.52.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        19.229.111.52.in-addr.arpa

      • 8.8.8.8:53
        190.178.17.96.in-addr.arpa
        dns
        72 B
         137 B
         1
        1

        DNS Request

        190.178.17.96.in-addr.arpa

      • 8.8.8.8:53
        10.179.89.13.in-addr.arpa
        dns
        71 B
         145 B
         1
        1

        DNS Request

        10.179.89.13.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\64.cab
        Filesize

        49KB

        MD5

        8cfa6b4acd035a2651291a2a4623b1c7

        SHA1

        43571537bf2ce9f8e8089fadcbf876eaf4cf3ae9

        SHA256

        6e438201a14a70980048d2377c2195608d5dc2cf915f489c0a59ac0627c98fa9

        SHA512

        e0a73401ce74c8db69964ef5a53f2a1b8caf8c739359785970295dae82619e81c0a21466327a023cf4009e0c15981a20bf1e18c73821083908fce722faa82685

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\888.vbs
        Filesize

        280B

        MD5

        8be57121a3ecae9c90cce4adf00f2454

        SHA1

        aca585c1b6409bc2475f011a436b319e42b356d8

        SHA256

        35d7204f9582b63b47942a4df9a55b8825b6d0af295b641f6257c39f7dda5f5e

        SHA512

        85521f6cd62dd5bb848933a188a9ddb83dd7ae2c5f4a97b65ba7785c3d58dba27694c7df308f4cf0fdaaa8c55251ff14ed1632e315a16d8d0b15217bac381f72

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\aut52B5.tmp
        Filesize

        47KB

        MD5

        9dda4db9e90ff039ad5a58785b9d626d

        SHA1

        507730d87b32541886ec1dd77f3459fa7bf1e973

        SHA256

        fc31b205d5e4f32fa0c71c8f72ee06b92a28bd8690f71ab8f94ff401af2228fe

        SHA512

        4cfecaaccd0f8f9e31690ff80cca83edc962e73861043fffded1a3847201455d5adca7c5ef3866c65e6e516205e67b2f31c8149aad5be1065c1eb586b013f86a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\wl.jpg
        Filesize

        119KB

        MD5

        bb86481ac1a7d726c358b6feed070d4e

        SHA1

        0f863774a54ad7cf8bbe2ec6790bec5f89a4c901

        SHA256

        be9af97d373820186e6493ec85f051091ed8f813602a999832754621403b280e

        SHA512

        b1c249f6448bdfee90eaeddd77fb38c45f085a8a51f81defe9313c56111cb1360a95a453cdafa363f976b2bc26cadf48dc098ddc69a928cb09ea5bbd00b33417

        Download Submit

      • memory/2416-170-0x0000000000400000-0x0000000000506000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2416-167-0x0000000000400000-0x0000000000506000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2416-168-0x0000000000400000-0x0000000000506000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2416-169-0x0000000000400000-0x0000000000506000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2416-0-0x0000000000400000-0x0000000000506000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2416-171-0x0000000000400000-0x0000000000506000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2416-172-0x0000000000400000-0x0000000000506000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2416-174-0x0000000000400000-0x0000000000506000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2416-175-0x0000000000400000-0x0000000000506000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2416-176-0x0000000000400000-0x0000000000506000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2416-177-0x0000000000400000-0x0000000000506000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2416-178-0x0000000000400000-0x0000000000506000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2416-179-0x0000000000400000-0x0000000000506000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2416-180-0x0000000000400000-0x0000000000506000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2416-181-0x0000000000400000-0x0000000000506000-memory.dmp

        Filesize

        1.0MB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.