Analysis
- max time kernel: 152s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 10-03-2024 23:01
Behavioral tasks (sample, resource)
- behavioral1: Windows/000.exe (win7-20240221-en)
- behavioral2: Windows/000.exe (win10v2004-20240226-en)
- behavioral3: Windows/BUG32.exe (win7-20240221-en)
- behavioral4: Windows/BUG32.exe (win10v2004-20240226-en)
- behavioral5: Windows/Bonzify.exe (win7-20240221-en)
- behavioral6: Windows/Bonzify.exe (win10v2004-20240226-en)
- behavioral7: Windows/Email-Worm/Email-Worm.Win32.Happy99/Happy99.exe (win7-20240221-en)
- behavioral8: Windows/Email-Worm/Email-Worm.Win32.Happy99/Happy99.exe (win10v2004-20240226-en)
- behavioral9: Windows/Email-Worm/Email-Worm.Win32.Magistr/Magistr.exe (win7-20240215-en)
- behavioral10: Windows/Email-Worm/Email-Worm.Win32.Magistr/Magistr.exe (win10v2004-20231215-en)
- behavioral11: Windows/Email-Worm/Email-Worm.Win32.Maldal/Maldal.exe (win7-20240221-en)
- behavioral12: Windows/Email-Worm/Email-Worm.Win32.Maldal/Maldal.exe (win10v2004-20240226-en)
- behavioral13: Windows/Email-Worm/Email-Worm.Win32.MeltingScreen/MeltingScreen.exe (win7-20240220-en)
- behavioral14: Windows/Email-Worm/Email-Worm.Win32.MeltingScreen/MeltingScreen.exe (win10v2004-20240226-en)
- behavioral15: Windows/Email-Worm/Email-Worm.Win32.Pikachu/Pikachu.exe (win7-20240221-en)
- behavioral16: Windows/Email-Worm/Email-Worm.Win32.Pikachu/Pikachu.exe (win10v2004-20240226-en)
- behavioral17: Windows/Fake GoldenEye/FakeGoldenEye.exe (win7-20240221-en)
- behavioral18: Windows/Fake GoldenEye/FakeGoldenEye.exe (win10v2004-20240226-en)
- behavioral19: Windows/PCToaster/PCToaster.exe (win7-20240215-en)
- behavioral20: Windows/PCToaster/PCToaster.exe (win10v2004-20240226-en)
- behavioral21: Windows/Ransomware/Annabelle Ransomware/716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac.exe (win7-20240221-en)
- behavioral22: Windows/Ransomware/Annabelle Ransomware/716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac.exe (win10v2004-20240226-en)
- behavioral23: Windows/Ransomware/BadRabbit Ransomware/BadRabbit.exe (win7-20231129-en)
- behavioral24: Windows/Ransomware/BadRabbit Ransomware/BadRabbit.exe (win10v2004-20240226-en)
- behavioral25: Windows/Ransomware/Monster Ransomware (second new version)/tunamor.exe (win7-20240221-en)
- behavioral26: Windows/Ransomware/Monster Ransomware (second new version)/tunamor.exe (win10v2004-20240226-en)
- behavioral27: Windows/Ransomware/Monster Ransomware/XMoon.exe (win7-20240221-en)
- behavioral28: Windows/Ransomware/Monster Ransomware/XMoon.exe (win10v2004-20231215-en)
- behavioral29: Windows/Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.exe (win7-20240221-en)
- behavioral30: Windows/Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.exe (win10v2004-20240226-en)
- behavioral31: Windows/Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.js (win7-20240221-en)
- behavioral32: Windows/Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.js (win10v2004-20240226-en)
General
- Target: Windows/Ransomware/Monster Ransomware/XMoon.exe
- Size: 669KB
- MD5: a690cce59e21f5198ca304243b084f9e
- SHA1: 8aeb0b106dd21e2afb50c3f7ae78ca4f8f4b29c5
- SHA256: ea0a5854aa6e91ebe816d256f34f820697a92d86b4f81e8855c84daeed40b9d4
- SHA512: 9e0eebf53d0ea424ae9aeb0da2e27e5be75391a5be2945d29137da12baff32184df3a223692bbabb4b64350d902bd6847284d982e62313f3402035e842f4b758
- SSDEEP: 12288:X6Wq4aaE6KwyF5L0Y2D1PqL6eqhBkEFY9ddNdzYaTW3aSDcyImRlL7zo:1thEVaPqL6JkF9YaTLSigL7c
Malware Config
Signatures
UAC bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
Drops startup file 1 IoCs
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicroCop.lnk (XMoon.exe)
Loads dropped DLL 2 IoCs
- PID 2676: migwiz.exe
- PID 2192: XMoon.exe
YARA rule: upx
- behavioral27/memory/2192-0-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/files/0x000600000001a463-159.dat
- behavioral27/memory/2192-169-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-181-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-182-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-192-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-203-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-213-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-225-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-235-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-245-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-255-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-267-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-277-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-287-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-297-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-309-0x0000000000400000-0x0000000000506000-memory.dmp
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by XMoon.exe: \??\e:, \??\g:, \??\h:, \??\q:, \??\s:, \??\u:, \??\b:, \??\p:, \??\v:, \??\w:, \??\k:, \??\i:, \??\l:, \??\m:, \??\n:, \??\r:, \??\a:, \??\o:, \??\t:, \??\x:, \??\y:, \??\z:, \??\j:
AutoIT Executable 15 IoCs
AutoIT scripts compiled to PE executables.
YARA rule: autoit_exe
- behavioral27/memory/2192-169-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-181-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-182-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-192-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-203-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-213-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-225-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-235-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-245-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-255-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-267-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-277-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-287-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-297-0x0000000000400000-0x0000000000506000-memory.dmp
- behavioral27/memory/2192-309-0x0000000000400000-0x0000000000506000-memory.dmp
Drops file in System32 directory 4 IoCs
- File opened for modification: C:\Windows\system32\migwiz\cryptbase.dll (wusa.exe)
- File opened for modification: C:\Windows\system32\migwiz\$dpx$.tmp\job.xml (wusa.exe)
- File opened for modification: C:\Windows\system32\migwiz\$dpx$.tmp (wusa.exe)
- File created: C:\Windows\system32\migwiz\$dpx$.tmp\83bdf843987fa648990c3ca0cfbfc3d1.tmp (wusa.exe)
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg" (XMoon.exe)
Drops file in Windows directory 3 IoCs
- File created: C:\Windows\wusa.lock (wusa.exe)
- File opened for modification: C:\Windows\Logs\DPX\setupact.log (wusa.exe)
- File opened for modification: C:\Windows\Logs\DPX\setuperr.log (wusa.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Control Panel 1 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop (XMoon.exe)
Modifies registry key 1 TTPs 1 IoCs
- PID 2888: reg.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 2192: XMoon.exe (64 events)
Suspicious use of SetWindowsHookEx 1 IoCs
- PID 2676: migwiz.exe
Suspicious use of WriteProcessMemory 20 IoCs
- PID 2192 (XMoon.exe) wrote to memory of 2512, procid_target 28 (4 events)
- PID 2512 (cmd.exe) wrote to memory of 2636, procid_target 30 (3 events)
- PID 2192 (XMoon.exe) wrote to memory of 2064, procid_target 31 (4 events)
- PID 2064 (WScript.exe) wrote to memory of 2676, procid_target 32 (3 events)
- PID 2676 (migwiz.exe) wrote to memory of 2524, procid_target 33 (3 events)
- PID 2524 (cmd.exe) wrote to memory of 2888, procid_target 35 (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\Windows\Ransomware\Monster Ransomware\XMoon.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Windows\Ransomware\Monster Ransomware\XMoon.exe"
  PID: 2192
  Signatures: Drops startup file; Loads dropped DLL; Enumerates connected drives; Sets desktop wallpaper using registry; Modifies Control Panel; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
    PID: 2512
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\wusa.exe
      Command line: wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\
      PID: 2636
      Signatures: Drops file in System32 directory; Drops file in Windows directory
  - C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888.vbs"
    PID: 2064
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\migwiz\migwiz.exe
      Command line: "C:\Windows\System32\migwiz\migwiz.exe" C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      PID: 2676
      Signatures: Loads dropped DLL; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\cmd.exe
        Command line: C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        PID: 2524
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\System32\reg.exe
          Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          PID: 2888
          Signatures: UAC bypass; Modifies registry key
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Impair Defenses (1)
    - Disable or Modify Tools (1)
  - Modify Registry (3)
Downloads
- Filesize: 47KB
  MD5: 9dda4db9e90ff039ad5a58785b9d626d
  SHA1: 507730d87b32541886ec1dd77f3459fa7bf1e973
  SHA256: fc31b205d5e4f32fa0c71c8f72ee06b92a28bd8690f71ab8f94ff401af2228fe
  SHA512: 4cfecaaccd0f8f9e31690ff80cca83edc962e73861043fffded1a3847201455d5adca7c5ef3866c65e6e516205e67b2f31c8149aad5be1065c1eb586b013f86a
- Filesize: 49KB
  MD5: 8cfa6b4acd035a2651291a2a4623b1c7
  SHA1: 43571537bf2ce9f8e8089fadcbf876eaf4cf3ae9
  SHA256: 6e438201a14a70980048d2377c2195608d5dc2cf915f489c0a59ac0627c98fa9
  SHA512: e0a73401ce74c8db69964ef5a53f2a1b8caf8c739359785970295dae82619e81c0a21466327a023cf4009e0c15981a20bf1e18c73821083908fce722faa82685
- Filesize: 280B
  MD5: 8be57121a3ecae9c90cce4adf00f2454
  SHA1: aca585c1b6409bc2475f011a436b319e42b356d8
  SHA256: 35d7204f9582b63b47942a4df9a55b8825b6d0af295b641f6257c39f7dda5f5e
  SHA512: 85521f6cd62dd5bb848933a188a9ddb83dd7ae2c5f4a97b65ba7785c3d58dba27694c7df308f4cf0fdaaa8c55251ff14ed1632e315a16d8d0b15217bac381f72
- Filesize: 119KB
  MD5: bb86481ac1a7d726c358b6feed070d4e
  SHA1: 0f863774a54ad7cf8bbe2ec6790bec5f89a4c901
  SHA256: be9af97d373820186e6493ec85f051091ed8f813602a999832754621403b280e
  SHA512: b1c249f6448bdfee90eaeddd77fb38c45f085a8a51f81defe9313c56111cb1360a95a453cdafa363f976b2bc26cadf48dc098ddc69a928cb09ea5bbd00b33417
- Filesize: 106KB
  MD5: 1deeaa34fc153cffb989ab43aa2b0527
  SHA1: 7a58958483aa86d29cba8fc20566c770e1989953
  SHA256: c3cfa6c00f3d2536c640f1ee6df3f289818628c0e290be2f08df2c330097158a
  SHA512: abbd5e28096a981a1d07a38bb1808fab590d78a890fc7960a86d8d9a1ae0c597eab655a2457d61afbfbce8c720965b89c1071759b819168b08058ee5be17dc86
- Filesize: 669KB
  MD5: a690cce59e21f5198ca304243b084f9e
  SHA1: 8aeb0b106dd21e2afb50c3f7ae78ca4f8f4b29c5
  SHA256: ea0a5854aa6e91ebe816d256f34f820697a92d86b4f81e8855c84daeed40b9d4
  SHA512: 9e0eebf53d0ea424ae9aeb0da2e27e5be75391a5be2945d29137da12baff32184df3a223692bbabb4b64350d902bd6847284d982e62313f3402035e842f4b758