Analysis

Task shown: behavioral13 (XMoon.exe on win7-20240221-en; the yara hits below are prefixed behavioral13/).

max time kernel: 150s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02-03-2024 20:13
Behavioral tasks (task: sample, resource)

behavioral1: 716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac.exe, win7-20240221-en
behavioral2: 716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac.exe, win10v2004-20240226-en
behavioral3: Ransomware/Annabelle Ransomware/716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac.exe, win7-20240221-en
behavioral4: Ransomware/Annabelle Ransomware/716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac.exe, win10v2004-20240226-en
behavioral5: BadRabbit.exe, win7-20240221-en
behavioral6: BadRabbit.exe, win10v2004-20240226-en
behavioral7: Ransomware/BadRabbit Ransomware/BadRabbit.exe, win7-20240221-en
behavioral8: Ransomware/BadRabbit Ransomware/BadRabbit.exe, win10v2004-20240226-en
behavioral9: tunamor.exe, win7-20240221-en
behavioral10: tunamor.exe, win10v2004-20240226-en
behavioral11: Ransomware/Monster Ransomware (second new version)/tunamor.exe, win7-20240221-en
behavioral12: Ransomware/Monster Ransomware (second new version)/tunamor.exe, win10v2004-20240226-en
behavioral13: XMoon.exe, win7-20240221-en
behavioral14: XMoon.exe, win10v2004-20240226-en
behavioral15: Ransomware/Monster Ransomware/XMoon.exe, win7-20240221-en
behavioral16: Ransomware/Monster Ransomware/XMoon.exe, win10v2004-20240226-en
behavioral17: GoldenEye.exe, win7-20240221-en
behavioral18: GoldenEye.exe, win10v2004-20240226-en
behavioral19: GoldenEye.js, win7-20240221-en
behavioral20: GoldenEye.js, win10v2004-20240226-en
behavioral21: Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.exe, win7-20240215-en
behavioral22: Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.exe, win10v2004-20240226-en
behavioral23: Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.js, win7-20240221-en
behavioral24: Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.js, win10v2004-20240226-en
behavioral25: NotPetya.exe, win7-20240221-en
behavioral26: NotPetya.exe, win10v2004-20240226-en
behavioral27: Ransomware/Trojan.Ransom.NotPetya/NotPetya.exe, win7-20240221-en
behavioral28: Ransomware/Trojan.Ransom.NotPetya/NotPetya.exe, win10v2004-20240226-en
behavioral29: Ransomware/Trojan.Ransom.PetrWrap/Trojan.Ransom.exe, win7-20240221-en
behavioral30: Ransomware/Trojan.Ransom.PetrWrap/Trojan.Ransom.exe, win10v2004-20240226-en
behavioral31: Ransomware/Trojan.Ransom.PetrWrap/Trojan.Ransom.exe, win7-20240221-en
behavioral32: Ransomware/Trojan.Ransom.PetrWrap/Trojan.Ransom.exe, win10v2004-20240226-en
General

Target: XMoon.exe
Size: 669KB
MD5: a690cce59e21f5198ca304243b084f9e
SHA1: 8aeb0b106dd21e2afb50c3f7ae78ca4f8f4b29c5
SHA256: ea0a5854aa6e91ebe816d256f34f820697a92d86b4f81e8855c84daeed40b9d4
SHA512: 9e0eebf53d0ea424ae9aeb0da2e27e5be75391a5be2945d29137da12baff32184df3a223692bbabb4b64350d902bd6847284d982e62313f3402035e842f4b758
SSDEEP: 12288:X6Wq4aaE6KwyF5L0Y2D1PqL6eqhBkEFY9ddNdzYaTW3aSDcyImRlL7zo:1thEVaPqL6JkF9YaTLSigL7c
Malware Config

Signatures

UAC bypass (1 IoC)
Writes EnableLUA = 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. This does not bypass a single prompt; it switches User Account Control off for the whole machine (the setting is read at boot, so it takes effect after the next restart), after which every process started by an administrator account runs fully elevated with no consent dialog. The process tree below attributes the write to reg.exe (PID 2908), spawned via the migwiz.exe chain.
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  reg.exe

Drops startup file (1 IoC)
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicroCop.lnk  XMoon.exe

Loads dropped DLL (2 IoCs)
  2432  migwiz.exe
  1704  XMoon.exe
migwiz.exe is a Windows binary that auto-elevates on Windows 7. Once wusa.exe has written cryptbase.dll into C:\Windows\system32\migwiz\ (see "Drops file in System32 directory"), migwiz.exe resolves that copy from its own directory instead of the genuine one in System32, so the planted DLL runs inside an elevated process. This is the wusa.exe /extract DLL-planting UAC bypass; it depends on the /extract switch, which wusa.exe no longer has on Windows 10.

UPX packed file (17 IoCs)
  yara rule upx on behavioral13/files/0x00080000000146c4-148.dat and on behavioral13/memory/1704-<n>-0x0000000000400000-0x0000000000506000-memory.dmp for n = 0, 161, 170, 171, 181, 192, 204, 214, 224, 234, 244, 256, 266, 276, 286, 298
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by XMoon.exe: \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
  Every letter from a: to z: except c:, d: and f: is probed. Sweeping the whole alphabet rather than querying mounted volumes is typical pre-encryption discovery of additional drives.

AutoIT Executable (15 IoCs)
AutoIT scripts compiled to PE executables.
  yara rule autoit_exe on behavioral13/memory/1704-<n>-0x0000000000400000-0x0000000000506000-memory.dmp for n = 161, 170, 171, 181, 192, 204, 214, 224, 234, 244, 256, 266, 276, 286, 298
  The first dump (n = 0) matches only the upx rule; the AutoIt runtime becomes visible from dump 161 onward, consistent with a UPX-packed AutoIt executable that unpacks itself in memory.
Drops file in System32 directory (4 IoCs)
  File opened for modification  C:\Windows\system32\migwiz\$dpx$.tmp  wusa.exe
  File created  C:\Windows\system32\migwiz\$dpx$.tmp\8b91f7d3aa1c6c48b90af39c2cb3392d.tmp  wusa.exe
  File opened for modification  C:\Windows\system32\migwiz\cryptbase.dll  wusa.exe
  File opened for modification  C:\Windows\system32\migwiz\$dpx$.tmp\job.xml  wusa.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg"  XMoon.exe

Drops file in Windows directory (3 IoCs)
  File opened for modification  C:\Windows\Logs\DPX\setuperr.log  wusa.exe
  File created  C:\Windows\wusa.lock  wusa.exe
  File opened for modification  C:\Windows\Logs\DPX\setupact.log  wusa.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies Control Panel (1 IoC)
  Key created  \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop  XMoon.exe

Modifies registry key (1 TTP, 1 IoC)
  2908  reg.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 hits, all from PID 1704 XMoon.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  2432  migwiz.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  source PID, process -> target PID (hits, procid_target)
  1704 XMoon.exe -> 1628 (4, target 28)
  1628 cmd.exe -> 2556 (3, target 30)
  1704 XMoon.exe -> 2572 (4, target 31)
  2572 WScript.exe -> 2432 (3, target 32)
  2432 migwiz.exe -> 2436 (3, target 33)
  2436 cmd.exe -> 2908 (3, target 35)
  Every write goes from a parent into the child it is spawning (the targets are exactly the children in the process tree below), so these hits reflect process creation rather than injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\XMoon.exe  [PID 1704]
  cmdline: "C:\Users\Admin\AppData\Local\Temp\XMoon.exe"
  Drops startup file; Loads dropped DLL; Enumerates connected drives; Sets desktop wallpaper using registry; Modifies Control Panel; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe  [PID 1628]
    cmdline: C:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
    Suspicious use of WriteProcessMemory

    C:\Windows\system32\wusa.exe  [PID 2556]
      cmdline: wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\
      Drops file in System32 directory; Drops file in Windows directory

  C:\Windows\System32\WScript.exe  [PID 2572]
    cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888.vbs"
    Suspicious use of WriteProcessMemory

    C:\Windows\System32\migwiz\migwiz.exe  [PID 2432]
      cmdline: "C:\Windows\System32\migwiz\migwiz.exe" C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      Loads dropped DLL; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

      C:\Windows\System32\cmd.exe  [PID 2436]
        cmdline: C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        Suspicious use of WriteProcessMemory

        C:\Windows\System32\reg.exe  [PID 2908]
          cmdline: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          UAC bypass; Modifies registry key

Read as one chain: XMoon.exe uses wusa.exe (a trusted, elevated Windows binary) to extract 64.cab into the migwiz directory, planting cryptbase.dll there; 888.vbs then starts the auto-elevating migwiz.exe with a cmd.exe /c reg.exe ... command line as its argument, and the elevated migwiz.exe process spawns that command, which sets EnableLUA to 0. Nothing in this chain triggers a UAC prompt, and after the next reboot UAC is off entirely.
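The chain above is easy to spot in endpoint telemetry once it is expressed as rules. The Python below is an added example, not part of this report or of the sandbox's own signatures: it rebuilds the process tree as a list of constructed events (field names event, pid, ppid, image, cmdline and path are this example's assumption, loosely modelled on process-create, file-create and image-load records) and applies four checks: wusa.exe /extract pointed into C:\Windows, a protected system DLL (cryptbase.dll) written outside the real system DLL directories, the same DLL being loaded from there, and a reg add that sets EnableLUA to 0. The cryptbase.dll image-load record is inferred from the "Loads dropped DLL" and "Drops file in System32 directory" signatures rather than copied from the report, and XMoon.exe's own parent PID is not in the report.

```python
"""Flag the wusa.exe /extract DLL-planting UAC bypass from the process tree above.
Added example, not from the sandbox report; event field names are an assumption."""
import ntpath
import re

REG_CMD = ("C:\\Windows\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows"
           "\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f")
CMD_WRAP = "C:\\Windows\\System32\\cmd.exe /c " + REG_CMD

# Constructed from the report. XMoon.exe's parent is not in the report (ppid None).
# The image_load row is inferred from "Loads dropped DLL" (migwiz.exe) plus wusa.exe
# writing system32\migwiz\cryptbase.dll; the report does not log that load verbatim.
EVENTS = [
    {"event": "process", "pid": 1704, "ppid": None, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\XMoon.exe",
     "cmdline": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\XMoon.exe\""},
    {"event": "process", "pid": 1628, "ppid": 1704, "image": "C:\\Windows\\system32\\cmd.exe",
     "cmdline": "C:\\Windows\\system32\\cmd.exe /c wusa C:\\Users\\Admin\\AppData\\Local\\Temp\\64.cab "
                "/quiet /extract:C:\\Windows\\system32\\migwiz\\ & exit"},
    {"event": "process", "pid": 2556, "ppid": 1628, "image": "C:\\Windows\\system32\\wusa.exe",
     "cmdline": "wusa C:\\Users\\Admin\\AppData\\Local\\Temp\\64.cab /quiet /extract:C:\\Windows\\system32\\migwiz\\"},
    {"event": "file_write", "pid": 2556, "image": "C:\\Windows\\system32\\wusa.exe",
     "path": "C:\\Windows\\system32\\migwiz\\cryptbase.dll"},
    {"event": "process", "pid": 2572, "ppid": 1704, "image": "C:\\Windows\\System32\\WScript.exe",
     "cmdline": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\888.vbs\""},
    {"event": "process", "pid": 2432, "ppid": 2572, "image": "C:\\Windows\\System32\\migwiz\\migwiz.exe",
     "cmdline": "\"C:\\Windows\\System32\\migwiz\\migwiz.exe\" " + CMD_WRAP},
    {"event": "image_load", "pid": 2432, "image": "C:\\Windows\\System32\\migwiz\\migwiz.exe",
     "path": "C:\\Windows\\System32\\migwiz\\cryptbase.dll"},
    {"event": "process", "pid": 2436, "ppid": 2432, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": CMD_WRAP},
    {"event": "process", "pid": 2908, "ppid": 2436, "image": "C:\\Windows\\System32\\reg.exe", "cmdline": REG_CMD},
]

# Where a genuine copy of a system DLL may live; the same name anywhere else is a planted copy.
SYSTEM_DLL_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# DLLs that auto-elevating binaries such as migwiz.exe resolve at start-up (cryptbase.dll is from the report).
PROTECTED_DLLS = {"cryptbase.dll"}
_REG_ADD = re.compile(r'reg(?:\.exe)?\s+add\s+"?(?P<key>[^\s"]+)"?(?P<rest>.*)', re.I | re.S)
_REG_OPT = re.compile(r'/(?P<opt>[vtd])\s+"?(?P<val>[^\s"]+)"?', re.I)
_EXTRACT = re.compile(r'/extract:"?(?P<dst>[^\s"]+)', re.I)


def parse_reg_add(cmdline):
    """Return {'key', 'value', 'type', 'data'} for a `reg add` command line, else None."""
    m = _REG_ADD.search(cmdline)
    if not m:
        return None
    out = {"key": m.group("key")}
    for o in _REG_OPT.finditer(m.group("rest")):
        out[{"v": "value", "t": "type", "d": "data"}[o.group("opt").lower()]] = o.group("val")
    return out


def disables_uac(cmdline):
    """True when the command writes EnableLUA = 0 under ...\\Policies\\System."""
    p = parse_reg_add(cmdline)
    return bool(p and p["key"].lower().endswith("\\policies\\system")
                and p.get("value", "").lower() == "enablelua" and p.get("data") == "0")


def wusa_extract_target(cmdline):
    m = _EXTRACT.search(cmdline)
    return m.group("dst") if m else None


def protected_dll_outside_system_dirs(path):
    """A protected DLL name whose directory is not one of the real system DLL directories."""
    parent = ntpath.dirname(path).lower().rstrip("\\")
    return ntpath.basename(path).lower() in PROTECTED_DLLS and parent not in SYSTEM_DLL_DIRS


def ancestry(pid, events):
    """Image names from the oldest known ancestor down to pid."""
    procs = {e["pid"]: e for e in events if e["event"] == "process"}
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain[::-1]


def detect(events):
    """Apply the four rules; each finding carries the process chain that led to it."""
    findings = []
    def hit(rule, e, detail):
        findings.append({"rule": rule, "pid": e["pid"], "detail": detail, "chain": ancestry(e["pid"], events)})
    for e in events:
        image = ntpath.basename(e["image"]).lower()
        if e["event"] == "process" and image == "wusa.exe":
            dst = wusa_extract_target(e["cmdline"])
            if dst and dst.lower().startswith("c:\\windows\\"):
                hit("wusa_extract_into_windows_dir", e, dst)
        elif e["event"] == "process" and image == "reg.exe" and disables_uac(e["cmdline"]):
            hit("uac_disabled_via_enablelua", e, e["cmdline"])
        elif e["event"] == "file_write" and protected_dll_outside_system_dirs(e["path"]):
            hit("protected_dll_dropped_outside_system32", e, e["path"])
        elif e["event"] == "image_load" and protected_dll_outside_system_dirs(e["path"]):
            hit("protected_dll_sideloaded", e, e["path"])
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["rule"], f["pid"], " -> ".join(f["chain"]), f["detail"], sep="  ")
```

The DLL rule is deliberately path-based rather than hash-based: the planted cryptbase.dll may be a legitimate signed copy, so what gives it away is the directory it is loaded from, not its content. The reg.exe rule keys on the data value, so a later `reg add ... /d 1` that re-enables UAC is not reported.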
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (T1548), 1 hit
    Bypass User Account Control (T1548.002), 1 hit
Defense Evasion
  Abuse Elevation Control Mechanism (T1548), 1 hit
    Bypass User Account Control (T1548.002), 1 hit
  Impair Defenses (T1562), 1 hit
    Disable or Modify Tools (T1562.001), 1 hit
  Modify Registry (T1112), 3 hits
Downloads

File 1, 47KB
  MD5: 9dda4db9e90ff039ad5a58785b9d626d
  SHA1: 507730d87b32541886ec1dd77f3459fa7bf1e973
  SHA256: fc31b205d5e4f32fa0c71c8f72ee06b92a28bd8690f71ab8f94ff401af2228fe
  SHA512: 4cfecaaccd0f8f9e31690ff80cca83edc962e73861043fffded1a3847201455d5adca7c5ef3866c65e6e516205e67b2f31c8149aad5be1065c1eb586b013f86a

File 2, 49KB
  MD5: 8cfa6b4acd035a2651291a2a4623b1c7
  SHA1: 43571537bf2ce9f8e8089fadcbf876eaf4cf3ae9
  SHA256: 6e438201a14a70980048d2377c2195608d5dc2cf915f489c0a59ac0627c98fa9
  SHA512: e0a73401ce74c8db69964ef5a53f2a1b8caf8c739359785970295dae82619e81c0a21466327a023cf4009e0c15981a20bf1e18c73821083908fce722faa82685

File 3, 280B
  MD5: 8be57121a3ecae9c90cce4adf00f2454
  SHA1: aca585c1b6409bc2475f011a436b319e42b356d8
  SHA256: 35d7204f9582b63b47942a4df9a55b8825b6d0af295b641f6257c39f7dda5f5e
  SHA512: 85521f6cd62dd5bb848933a188a9ddb83dd7ae2c5f4a97b65ba7785c3d58dba27694c7df308f4cf0fdaaa8c55251ff14ed1632e315a16d8d0b15217bac381f72

File 4, 119KB
  MD5: bb86481ac1a7d726c358b6feed070d4e
  SHA1: 0f863774a54ad7cf8bbe2ec6790bec5f89a4c901
  SHA256: be9af97d373820186e6493ec85f051091ed8f813602a999832754621403b280e
  SHA512: b1c249f6448bdfee90eaeddd77fb38c45f085a8a51f81defe9313c56111cb1360a95a453cdafa363f976b2bc26cadf48dc098ddc69a928cb09ea5bbd00b33417

File 5, 106KB
  MD5: 1deeaa34fc153cffb989ab43aa2b0527
  SHA1: 7a58958483aa86d29cba8fc20566c770e1989953
  SHA256: c3cfa6c00f3d2536c640f1ee6df3f289818628c0e290be2f08df2c330097158a
  SHA512: abbd5e28096a981a1d07a38bb1808fab590d78a890fc7960a86d8d9a1ae0c597eab655a2457d61afbfbce8c720965b89c1071759b819168b08058ee5be17dc86

File 6, 669KB (hashes identical to the Target XMoon.exe in the General section)
  MD5: a690cce59e21f5198ca304243b084f9e
  SHA1: 8aeb0b106dd21e2afb50c3f7ae78ca4f8f4b29c5
  SHA256: ea0a5854aa6e91ebe816d256f34f820697a92d86b4f81e8855c84daeed40b9d4
  SHA512: 9e0eebf53d0ea424ae9aeb0da2e27e5be75391a5be2945d29137da12baff32184df3a223692bbabb4b64350d902bd6847284d982e62313f3402035e842f4b758