Overview
overview
10Static
static
7716335ba5c...ac.exe
windows7-x64
716335ba5c...ac.exe
windows10-2004-x64
Ransomware...ac.exe
windows7-x64
Ransomware...ac.exe
windows10-2004-x64
1BadRabbit.exe
windows7-x64
10BadRabbit.exe
windows10-2004-x64
10Ransomware...it.exe
windows7-x64
10Ransomware...it.exe
windows10-2004-x64
10tunamor.exe
windows7-x64
tunamor.exe
windows10-2004-x64
Ransomware...or.exe
windows7-x64
Ransomware...or.exe
windows10-2004-x64
XMoon.exe
windows7-x64
10XMoon.exe
windows10-2004-x64
7Ransomware...on.exe
windows7-x64
10Ransomware...on.exe
windows10-2004-x64
7GoldenEye.exe
windows7-x64
10GoldenEye.exe
windows10-2004-x64
10GoldenEye.js
windows7-x64
10GoldenEye.js
windows10-2004-x64
10Ransomware...ye.exe
windows7-x64
10Ransomware...ye.exe
windows10-2004-x64
10Ransomware...Eye.js
windows7-x64
10Ransomware...Eye.js
windows10-2004-x64
10NotPetya.exe
windows7-x64
10NotPetya.exe
windows10-2004-x64
10Ransomware...ya.exe
windows7-x64
10Ransomware...ya.exe
windows10-2004-x64
10Ransomware...om.exe
windows7-x64
1Ransomware...om.exe
windows10-2004-x64
1Ransomware...om.exe
windows7-x64
6Ransomware...om.exe
windows10-2004-x64
3Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02-03-2024 20:13
Behavioral task
behavioral1
Sample
716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Ransomware/Annabelle Ransomware/716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Ransomware/Annabelle Ransomware/716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
BadRabbit.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
BadRabbit.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
Ransomware/BadRabbit Ransomware/BadRabbit.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
Ransomware/BadRabbit Ransomware/BadRabbit.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
tunamor.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
tunamor.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
Ransomware/Monster Ransomware (second new version)/tunamor.exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
Ransomware/Monster Ransomware (second new version)/tunamor.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
XMoon.exe
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
XMoon.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
Ransomware/Monster Ransomware/XMoon.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
Ransomware/Monster Ransomware/XMoon.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral17
Sample
GoldenEye.exe
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
GoldenEye.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral19
Sample
GoldenEye.js
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
GoldenEye.js
Resource
win10v2004-20240226-en
Behavioral task
behavioral21
Sample
Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.exe
Resource
win7-20240215-en
Behavioral task
behavioral22
Sample
Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral23
Sample
Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.js
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.js
Resource
win10v2004-20240226-en
Behavioral task
behavioral25
Sample
NotPetya.exe
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
NotPetya.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral27
Sample
Ransomware/Trojan.Ransom.NotPetya/NotPetya.exe
Resource
win7-20240221-en
Behavioral task
behavioral28
Sample
Ransomware/Trojan.Ransom.NotPetya/NotPetya.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral29
Sample
Ransomware/Trojan.Ransom.PetrWrap/Trojan.Ransom.exe
Resource
win7-20240221-en
Behavioral task
behavioral30
Sample
Ransomware/Trojan.Ransom.PetrWrap/Trojan.Ransom.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral31
Sample
Ransomware/Trojan.Ransom.PetrWrap/Trojan.Ransom.exe
Resource
win7-20240221-en
Behavioral task
behavioral32
Sample
Ransomware/Trojan.Ransom.PetrWrap/Trojan.Ransom.exe
Resource
win10v2004-20240226-en
General
-
Target
XMoon.exe
-
Size
669KB
-
MD5
a690cce59e21f5198ca304243b084f9e
-
SHA1
8aeb0b106dd21e2afb50c3f7ae78ca4f8f4b29c5
-
SHA256
ea0a5854aa6e91ebe816d256f34f820697a92d86b4f81e8855c84daeed40b9d4
-
SHA512
9e0eebf53d0ea424ae9aeb0da2e27e5be75391a5be2945d29137da12baff32184df3a223692bbabb4b64350d902bd6847284d982e62313f3402035e842f4b758
-
SSDEEP
12288:X6Wq4aaE6KwyF5L0Y2D1PqL6eqhBkEFY9ddNdzYaTW3aSDcyImRlL7zo:1thEVaPqL6JkF9YaTLSigL7c
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation XMoon.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicroCop.lnk XMoon.exe -
resource yara_rule behavioral14/memory/3644-0-0x0000000000400000-0x0000000000506000-memory.dmp upx behavioral14/memory/3644-179-0x0000000000400000-0x0000000000506000-memory.dmp upx behavioral14/memory/3644-180-0x0000000000400000-0x0000000000506000-memory.dmp upx behavioral14/memory/3644-181-0x0000000000400000-0x0000000000506000-memory.dmp upx behavioral14/memory/3644-182-0x0000000000400000-0x0000000000506000-memory.dmp upx behavioral14/memory/3644-183-0x0000000000400000-0x0000000000506000-memory.dmp upx behavioral14/memory/3644-184-0x0000000000400000-0x0000000000506000-memory.dmp upx behavioral14/memory/3644-186-0x0000000000400000-0x0000000000506000-memory.dmp upx behavioral14/memory/3644-187-0x0000000000400000-0x0000000000506000-memory.dmp upx behavioral14/memory/3644-188-0x0000000000400000-0x0000000000506000-memory.dmp upx behavioral14/memory/3644-189-0x0000000000400000-0x0000000000506000-memory.dmp upx behavioral14/memory/3644-190-0x0000000000400000-0x0000000000506000-memory.dmp upx behavioral14/memory/3644-191-0x0000000000400000-0x0000000000506000-memory.dmp upx behavioral14/memory/3644-192-0x0000000000400000-0x0000000000506000-memory.dmp upx behavioral14/memory/3644-193-0x0000000000400000-0x0000000000506000-memory.dmp upx -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\i: XMoon.exe File opened (read-only) \??\j: XMoon.exe File opened (read-only) \??\k: XMoon.exe File opened (read-only) \??\n: XMoon.exe File opened (read-only) \??\o: XMoon.exe File opened (read-only) \??\q: XMoon.exe File opened (read-only) \??\s: XMoon.exe File opened (read-only) \??\x: XMoon.exe File opened (read-only) \??\z: XMoon.exe File opened (read-only) \??\b: XMoon.exe File opened (read-only) \??\g: XMoon.exe File opened (read-only) \??\m: XMoon.exe File opened (read-only) \??\p: XMoon.exe File opened (read-only) \??\y: XMoon.exe File opened (read-only) \??\e: XMoon.exe File opened (read-only) \??\r: XMoon.exe File opened (read-only) \??\w: XMoon.exe File opened (read-only) \??\a: XMoon.exe File opened (read-only) \??\h: XMoon.exe File opened (read-only) \??\l: XMoon.exe File opened (read-only) \??\t: XMoon.exe File opened (read-only) \??\u: XMoon.exe File opened (read-only) \??\v: XMoon.exe -
AutoIT Executable 14 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral14/memory/3644-179-0x0000000000400000-0x0000000000506000-memory.dmp autoit_exe behavioral14/memory/3644-180-0x0000000000400000-0x0000000000506000-memory.dmp autoit_exe behavioral14/memory/3644-181-0x0000000000400000-0x0000000000506000-memory.dmp autoit_exe behavioral14/memory/3644-182-0x0000000000400000-0x0000000000506000-memory.dmp autoit_exe behavioral14/memory/3644-183-0x0000000000400000-0x0000000000506000-memory.dmp autoit_exe behavioral14/memory/3644-184-0x0000000000400000-0x0000000000506000-memory.dmp autoit_exe behavioral14/memory/3644-186-0x0000000000400000-0x0000000000506000-memory.dmp autoit_exe behavioral14/memory/3644-187-0x0000000000400000-0x0000000000506000-memory.dmp autoit_exe behavioral14/memory/3644-188-0x0000000000400000-0x0000000000506000-memory.dmp autoit_exe behavioral14/memory/3644-189-0x0000000000400000-0x0000000000506000-memory.dmp autoit_exe behavioral14/memory/3644-190-0x0000000000400000-0x0000000000506000-memory.dmp autoit_exe behavioral14/memory/3644-191-0x0000000000400000-0x0000000000506000-memory.dmp autoit_exe behavioral14/memory/3644-192-0x0000000000400000-0x0000000000506000-memory.dmp autoit_exe behavioral14/memory/3644-193-0x0000000000400000-0x0000000000506000-memory.dmp autoit_exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg" XMoon.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop XMoon.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings XMoon.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe 3644 XMoon.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3644 wrote to memory of 4836 3644 XMoon.exe 92 PID 3644 wrote to memory of 4836 3644 XMoon.exe 92 PID 4836 wrote to memory of 4624 4836 cmd.exe 94 PID 4836 wrote to memory of 4624 4836 cmd.exe 94 PID 3644 wrote to memory of 4208 3644 XMoon.exe 96 PID 3644 wrote to memory of 4208 3644 XMoon.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\XMoon.exe"C:\Users\Admin\AppData\Local\Temp\XMoon.exe"1⤵
- Checks computer location settings
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit2⤵
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\system32\wusa.exewusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\3⤵PID:4624
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888.vbs"2⤵PID:4208
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
49KB
MD58cfa6b4acd035a2651291a2a4623b1c7
SHA143571537bf2ce9f8e8089fadcbf876eaf4cf3ae9
SHA2566e438201a14a70980048d2377c2195608d5dc2cf915f489c0a59ac0627c98fa9
SHA512e0a73401ce74c8db69964ef5a53f2a1b8caf8c739359785970295dae82619e81c0a21466327a023cf4009e0c15981a20bf1e18c73821083908fce722faa82685
-
Filesize
280B
MD58be57121a3ecae9c90cce4adf00f2454
SHA1aca585c1b6409bc2475f011a436b319e42b356d8
SHA25635d7204f9582b63b47942a4df9a55b8825b6d0af295b641f6257c39f7dda5f5e
SHA51285521f6cd62dd5bb848933a188a9ddb83dd7ae2c5f4a97b65ba7785c3d58dba27694c7df308f4cf0fdaaa8c55251ff14ed1632e315a16d8d0b15217bac381f72
-
Filesize
47KB
MD59dda4db9e90ff039ad5a58785b9d626d
SHA1507730d87b32541886ec1dd77f3459fa7bf1e973
SHA256fc31b205d5e4f32fa0c71c8f72ee06b92a28bd8690f71ab8f94ff401af2228fe
SHA5124cfecaaccd0f8f9e31690ff80cca83edc962e73861043fffded1a3847201455d5adca7c5ef3866c65e6e516205e67b2f31c8149aad5be1065c1eb586b013f86a
-
Filesize
119KB
MD5bb86481ac1a7d726c358b6feed070d4e
SHA10f863774a54ad7cf8bbe2ec6790bec5f89a4c901
SHA256be9af97d373820186e6493ec85f051091ed8f813602a999832754621403b280e
SHA512b1c249f6448bdfee90eaeddd77fb38c45f085a8a51f81defe9313c56111cb1360a95a453cdafa363f976b2bc26cadf48dc098ddc69a928cb09ea5bbd00b33417