Overview
Tabs on this analysis, with the score shown next to each where the page gives one:
- Overview: score 10
- Static: score 7
- Windows/000.exe, windows7-x64
- Windows/000.exe, windows10-2004-x64
- Windows/BUG32.exe, windows7-x64
- Windows/BUG32.exe, windows10-2004-x64
- Windows/Bonzify.exe, windows7-x64: score 8
- Windows/Bonzify.exe, windows10-2004-x64: score 8
- Windows/Em...99.exe, windows7-x64: score 5
- Windows/Em...99.exe, windows10-2004-x64: score 5
- Windows/Em...tr.exe, windows7-x64: score 1
- Windows/Em...tr.exe, windows10-2004-x64: score 1
- Windows/Em...al.exe, windows7-x64: score 5
- Windows/Em...al.exe, windows10-2004-x64: score 5
- Windows/Em...en.exe, windows7-x64: score 1
- Windows/Em...en.exe, windows10-2004-x64: score 1
- Windows/Em...hu.exe, windows7-x64: score 5
- Windows/Em...hu.exe, windows10-2004-x64: score 1
- Windows/Fa...ye.exe, windows7-x64: score 6
- Windows/Fa...ye.exe, windows10-2004-x64: score 6
- Windows/PC...er.exe, windows7-x64: score 1
- Windows/PC...er.exe, windows10-2004-x64: score 7
- Windows/Ra...ac.exe, windows7-x64: score 10
- Windows/Ra...ac.exe, windows10-2004-x64
- Windows/Ra...it.exe, windows7-x64: score 10
- Windows/Ra...it.exe, windows10-2004-x64: score 10
- Windows/Ra...or.exe, windows7-x64
- Windows/Ra...or.exe, windows10-2004-x64
- Windows/Ra...on.exe, windows7-x64: score 10
- Windows/Ra...on.exe, windows10-2004-x64: score 7
- Windows/Ra...ye.exe, windows7-x64: score 10
- Windows/Ra...ye.exe, windows10-2004-x64: score 10
- Windows/Ra...Eye.js, windows7-x64: score 10
- Windows/Ra...Eye.js, windows10-2004-x64: score 10
Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-03-2024 23:01
Behavioral tasks (task: sample, resource)
- behavioral1: Windows/000.exe, win7-20240221-en
- behavioral2: Windows/000.exe, win10v2004-20240226-en
- behavioral3: Windows/BUG32.exe, win7-20240221-en
- behavioral4: Windows/BUG32.exe, win10v2004-20240226-en
- behavioral5: Windows/Bonzify.exe, win7-20240221-en
- behavioral6: Windows/Bonzify.exe, win10v2004-20240226-en
- behavioral7: Windows/Email-Worm/Email-Worm.Win32.Happy99/Happy99.exe, win7-20240221-en
- behavioral8: Windows/Email-Worm/Email-Worm.Win32.Happy99/Happy99.exe, win10v2004-20240226-en
- behavioral9: Windows/Email-Worm/Email-Worm.Win32.Magistr/Magistr.exe, win7-20240215-en
- behavioral10: Windows/Email-Worm/Email-Worm.Win32.Magistr/Magistr.exe, win10v2004-20231215-en
- behavioral11: Windows/Email-Worm/Email-Worm.Win32.Maldal/Maldal.exe, win7-20240221-en
- behavioral12: Windows/Email-Worm/Email-Worm.Win32.Maldal/Maldal.exe, win10v2004-20240226-en
- behavioral13: Windows/Email-Worm/Email-Worm.Win32.MeltingScreen/MeltingScreen.exe, win7-20240220-en
- behavioral14: Windows/Email-Worm/Email-Worm.Win32.MeltingScreen/MeltingScreen.exe, win10v2004-20240226-en
- behavioral15: Windows/Email-Worm/Email-Worm.Win32.Pikachu/Pikachu.exe, win7-20240221-en
- behavioral16: Windows/Email-Worm/Email-Worm.Win32.Pikachu/Pikachu.exe, win10v2004-20240226-en
- behavioral17: Windows/Fake GoldenEye/FakeGoldenEye.exe, win7-20240221-en
- behavioral18: Windows/Fake GoldenEye/FakeGoldenEye.exe, win10v2004-20240226-en
- behavioral19: Windows/PCToaster/PCToaster.exe, win7-20240215-en
- behavioral20: Windows/PCToaster/PCToaster.exe, win10v2004-20240226-en
- behavioral21: Windows/Ransomware/Annabelle Ransomware/716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac.exe, win7-20240221-en
- behavioral22: Windows/Ransomware/Annabelle Ransomware/716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac.exe, win10v2004-20240226-en
- behavioral23: Windows/Ransomware/BadRabbit Ransomware/BadRabbit.exe, win7-20231129-en
- behavioral24: Windows/Ransomware/BadRabbit Ransomware/BadRabbit.exe, win10v2004-20240226-en
- behavioral25: Windows/Ransomware/Monster Ransomware (second new version)/tunamor.exe, win7-20240221-en
- behavioral26: Windows/Ransomware/Monster Ransomware (second new version)/tunamor.exe, win10v2004-20240226-en
- behavioral27: Windows/Ransomware/Monster Ransomware/XMoon.exe, win7-20240221-en
- behavioral28: Windows/Ransomware/Monster Ransomware/XMoon.exe, win10v2004-20231215-en
- behavioral29: Windows/Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.exe, win7-20240221-en
- behavioral30: Windows/Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.exe, win10v2004-20240226-en
- behavioral31: Windows/Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.js, win7-20240221-en
- behavioral32: Windows/Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.js, win10v2004-20240226-en
General
- Target: Windows/Ransomware/Monster Ransomware/XMoon.exe
- Size: 669KB
- MD5: a690cce59e21f5198ca304243b084f9e
- SHA1: 8aeb0b106dd21e2afb50c3f7ae78ca4f8f4b29c5
- SHA256: ea0a5854aa6e91ebe816d256f34f820697a92d86b4f81e8855c84daeed40b9d4
- SHA512: 9e0eebf53d0ea424ae9aeb0da2e27e5be75391a5be2945d29137da12baff32184df3a223692bbabb4b64350d902bd6847284d982e62313f3402035e842f4b758
- SSDEEP: 12288:X6Wq4aaE6KwyF5L0Y2D1PqL6eqhBkEFY9ddNdzYaTW3aSDcyImRlL7zo:1thEVaPqL6JkF9YaTLSigL7c
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried by XMoon.exe: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation
- Drops startup file (1 IoC)
  File created by XMoon.exe: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicroCop.lnk
- Yara rule upx matches (15 memory dumps)
  resource behavioral28/memory/2144-N-0x0000000000400000-0x0000000000506000-memory.dmp for N in 0, 184, 185, 186, 187, 188, 189, 191, 192, 193, 194, 195, 196, 197, 198
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by XMoon.exe: \??\i:, \??\j:, \??\k:, \??\l:, \??\m:, \??\u:, \??\b:, \??\h:, \??\o:, \??\p:, \??\w:, \??\x:, \??\y:, \??\z:, \??\e:, \??\n:, \??\q:, \??\s:, \??\g:, \??\r:, \??\t:, \??\v:, \??\a:
- AutoIT Executable (14 IoCs)
  AutoIT scripts compiled to PE executables.
  Yara rule autoit_exe on resource behavioral28/memory/2144-N-0x0000000000400000-0x0000000000506000-memory.dmp for N in 184, 185, 186, 187, 188, 189, 191, 192, 193, 194, 195, 196, 197, 198
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str) by XMoon.exe: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Control Panel (1 IoC)
  Key created by XMoon.exe: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop
- Modifies registry class (1 IoC)
  Key created by XMoon.exe: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2144 XMoon.exe (64 identical entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2144 wrote to memory of 2288; process 2144 XMoon.exe; procid_target 85
  PID 2144 wrote to memory of 2288; process 2144 XMoon.exe; procid_target 85
  PID 2288 wrote to memory of 432; process 2288 cmd.exe; procid_target 87
  PID 2288 wrote to memory of 432; process 2288 cmd.exe; procid_target 87
  PID 2144 wrote to memory of 4752; process 2144 XMoon.exe; procid_target 88
  PID 2144 wrote to memory of 4752; process 2144 XMoon.exe; procid_target 88
Processes
- C:\Users\Admin\AppData\Local\Temp\Windows\Ransomware\Monster Ransomware\XMoon.exe (PID 2144)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Windows\Ransomware\Monster Ransomware\XMoon.exe"
  Signatures: Checks computer location settings; Drops startup file; Enumerates connected drives; Sets desktop wallpaper using registry; Modifies Control Panel; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 2288)
    Command line: C:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\wusa.exe (PID 432)
      Command line: wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\
  - C:\Windows\System32\WScript.exe (PID 4752)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888.vbs"
Network
MITRE ATT&CK Enterprise v15
Downloads