Analysis

  • max time kernel
    152s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    10-03-2024 23:01

General

  • Target

    Windows/Ransomware/Monster Ransomware/XMoon.exe

  • Size

    669KB

  • MD5

    a690cce59e21f5198ca304243b084f9e

  • SHA1

    8aeb0b106dd21e2afb50c3f7ae78ca4f8f4b29c5

  • SHA256

    ea0a5854aa6e91ebe816d256f34f820697a92d86b4f81e8855c84daeed40b9d4

  • SHA512

    9e0eebf53d0ea424ae9aeb0da2e27e5be75391a5be2945d29137da12baff32184df3a223692bbabb4b64350d902bd6847284d982e62313f3402035e842f4b758

  • SSDEEP

    12288:X6Wq4aaE6KwyF5L0Y2D1PqL6eqhBkEFY9ddNdzYaTW3aSDcyImRlL7zo:1thEVaPqL6JkF9YaTLSigL7c

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 15 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Windows\Ransomware\Monster Ransomware\XMoon.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows\Ransomware\Monster Ransomware\XMoon.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Windows\system32\wusa.exe
        wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\
        3⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        PID:2636
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2064
      • C:\Windows\System32\migwiz\migwiz.exe
        "C:\Windows\System32\migwiz\migwiz.exe" C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2524
          • C:\Windows\System32\reg.exe
            C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            5⤵
            • UAC bypass
            • Modifies registry key
            PID:2888

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\32.cab

    Filesize

    47KB

    MD5

    9dda4db9e90ff039ad5a58785b9d626d

    SHA1

    507730d87b32541886ec1dd77f3459fa7bf1e973

    SHA256

    fc31b205d5e4f32fa0c71c8f72ee06b92a28bd8690f71ab8f94ff401af2228fe

    SHA512

    4cfecaaccd0f8f9e31690ff80cca83edc962e73861043fffded1a3847201455d5adca7c5ef3866c65e6e516205e67b2f31c8149aad5be1065c1eb586b013f86a

  • C:\Users\Admin\AppData\Local\Temp\64.cab

    Filesize

    49KB

    MD5

    8cfa6b4acd035a2651291a2a4623b1c7

    SHA1

    43571537bf2ce9f8e8089fadcbf876eaf4cf3ae9

    SHA256

    6e438201a14a70980048d2377c2195608d5dc2cf915f489c0a59ac0627c98fa9

    SHA512

    e0a73401ce74c8db69964ef5a53f2a1b8caf8c739359785970295dae82619e81c0a21466327a023cf4009e0c15981a20bf1e18c73821083908fce722faa82685

  • C:\Users\Admin\AppData\Local\Temp\888.vbs

    Filesize

    280B

    MD5

    8be57121a3ecae9c90cce4adf00f2454

    SHA1

    aca585c1b6409bc2475f011a436b319e42b356d8

    SHA256

    35d7204f9582b63b47942a4df9a55b8825b6d0af295b641f6257c39f7dda5f5e

    SHA512

    85521f6cd62dd5bb848933a188a9ddb83dd7ae2c5f4a97b65ba7785c3d58dba27694c7df308f4cf0fdaaa8c55251ff14ed1632e315a16d8d0b15217bac381f72

  • C:\Users\Admin\AppData\Local\Temp\wl.jpg

    Filesize

    119KB

    MD5

    bb86481ac1a7d726c358b6feed070d4e

    SHA1

    0f863774a54ad7cf8bbe2ec6790bec5f89a4c901

    SHA256

    be9af97d373820186e6493ec85f051091ed8f813602a999832754621403b280e

    SHA512

    b1c249f6448bdfee90eaeddd77fb38c45f085a8a51f81defe9313c56111cb1360a95a453cdafa363f976b2bc26cadf48dc098ddc69a928cb09ea5bbd00b33417

  • C:\Windows\System32\migwiz\CRYPTBASE.dll

    Filesize

    106KB

    MD5

    1deeaa34fc153cffb989ab43aa2b0527

    SHA1

    7a58958483aa86d29cba8fc20566c770e1989953

    SHA256

    c3cfa6c00f3d2536c640f1ee6df3f289818628c0e290be2f08df2c330097158a

    SHA512

    abbd5e28096a981a1d07a38bb1808fab590d78a890fc7960a86d8d9a1ae0c597eab655a2457d61afbfbce8c720965b89c1071759b819168b08058ee5be17dc86

  • \Users\Admin\AppData\Local\Temp\x.exe

    Filesize

    669KB

    MD5

    a690cce59e21f5198ca304243b084f9e

    SHA1

    8aeb0b106dd21e2afb50c3f7ae78ca4f8f4b29c5

    SHA256

    ea0a5854aa6e91ebe816d256f34f820697a92d86b4f81e8855c84daeed40b9d4

    SHA512

    9e0eebf53d0ea424ae9aeb0da2e27e5be75391a5be2945d29137da12baff32184df3a223692bbabb4b64350d902bd6847284d982e62313f3402035e842f4b758

  • memory/2192-193-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

    Filesize

    64KB

  • memory/2192-225-0x0000000000400000-0x0000000000506000-memory.dmp

    Filesize

    1.0MB

  • memory/2192-169-0x0000000000400000-0x0000000000506000-memory.dmp

    Filesize

    1.0MB

  • memory/2192-181-0x0000000000400000-0x0000000000506000-memory.dmp

    Filesize

    1.0MB

  • memory/2192-182-0x0000000000400000-0x0000000000506000-memory.dmp

    Filesize

    1.0MB

  • memory/2192-192-0x0000000000400000-0x0000000000506000-memory.dmp

    Filesize

    1.0MB

  • memory/2192-0-0x0000000000400000-0x0000000000506000-memory.dmp

    Filesize

    1.0MB

  • memory/2192-203-0x0000000000400000-0x0000000000506000-memory.dmp

    Filesize

    1.0MB

  • memory/2192-213-0x0000000000400000-0x0000000000506000-memory.dmp

    Filesize

    1.0MB

  • memory/2192-161-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

    Filesize

    64KB

  • memory/2192-235-0x0000000000400000-0x0000000000506000-memory.dmp

    Filesize

    1.0MB

  • memory/2192-245-0x0000000000400000-0x0000000000506000-memory.dmp

    Filesize

    1.0MB

  • memory/2192-255-0x0000000000400000-0x0000000000506000-memory.dmp

    Filesize

    1.0MB

  • memory/2192-267-0x0000000000400000-0x0000000000506000-memory.dmp

    Filesize

    1.0MB

  • memory/2192-277-0x0000000000400000-0x0000000000506000-memory.dmp

    Filesize

    1.0MB

  • memory/2192-287-0x0000000000400000-0x0000000000506000-memory.dmp

    Filesize

    1.0MB

  • memory/2192-297-0x0000000000400000-0x0000000000506000-memory.dmp

    Filesize

    1.0MB

  • memory/2192-309-0x0000000000400000-0x0000000000506000-memory.dmp

    Filesize

    1.0MB