Resubmissions

Submitted (UTC)        Analysis ID          Score
17/10/2024, 21:38      241017-1hdksa1cml    3
03/09/2024, 13:46      240903-q3d2yazbmf    3
03/09/2024, 13:46      240903-q2zbgszblf    3
22/05/2024, 13:06      240522-qb91asce4s    3
08/05/2024, 20:44      240508-zh7m7aef4y    3
25/04/2024, 19:41      240425-yebkxadh96    8
24/04/2024, 20:10      240424-yx2j2sgg57    8
24/04/2024, 20:09      240424-yxmqwsgf71    3
24/04/2024, 20:03      240424-ysxejage8z    3

Analysis
max time kernel:   1517s
max time network:  1503s
platform:          windows11-21h2_x64
resource:          win11-20241007-en
resource tags:     arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted:         17/10/2024, 21:38 UTC
Static task:       static1
Behavioral task:   behavioral1
Sample:            Monoxide.aps
Resource:          win11-20241007-en
General

Target:   Monoxide.aps
Size:     144KB
MD5:      f7d3cae315be90f7dbfdff123067b6ef
SHA1:     a565254c22714b5fa19f2a8e80f99a3e0dadeae1
SHA256:   84de10c1d9a28efbe70d63bb127f23902cc9ebaf61effeede17085572d4878a3
SHA512:   cc1b98aa943dd9b90efb676d2c9b16a8c099959d8cc3da58da8da870557f3a624515fc88f4b8bbac6ff6b98bb2a0311d893a66c1347817a75196d370981be755
SSDEEP:   768:S5N5N5NSrpWeq6LOrrrzzzz7DDDHjjjIWbi9E3AAq/L9YO3Iz:S3336DWbi9E3AAqDI
Malware Config
Signatures

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
  Description   IoC                                                                                        Process
  Key created   \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings        cmd.exe
  Key created   \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings        OpenWith.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID     Process
  4648    OpenWith.exe
Processes
Network