Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

luna-1.6.8.zip

windows7-x64

3

luna-1.6.8.zip

windows10-2004-x64

10

luna-1.6.8...er.zip

windows7-x64

1

luna-1.6.8...er.zip

windows10-2004-x64

1

Luna/Bootstrapper.exe

windows7-x64

1

Luna/Bootstrapper.exe

windows10-2004-x64

1

luna-1.6.8...g.json

windows7-x64

3

luna-1.6.8...g.json

windows10-2004-x64

3

luna-1.6.8/hash.txt

windows7-x64

1

luna-1.6.8/hash.txt

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    luna-1.6.8.zip

  • Size

    5.5MB

  • Sample

    250204-stwlqs1rar

  • MD5

    24fea6dd585a009c3ff441760beae097

  • SHA1

    1920784c67ed8d49b611842b9643000aa0d8752c

  • SHA256

    0359c34efaf6025a0dec1cf80b5bcbb9b20517be4bca8945af0391049ed2c134

  • SHA512

    8f060951722ae1420812a36f12d64ded40de1797fdde3ac1591e143d9b3233174996cad0405eda36f3fc410e1abeb791d36a3a437bda2afcf4aaf1a2379f6f6a

  • SSDEEP

    98304:gUZug/1mvXA/eiMVm7TZJ4xpQCQqoInFaGZV++7n0hTMuymld03bD0D1fd9kRUAU:FogNEziam71IpQgzF/ZE+7n4t1A330Dz

Score
10/10
infinitylockwannacryadwaremicrosoftdefense_evasiondiscoveryexecutionimpactpersistencephishingprivilege_escalationransomwarespywarestealertrojanworm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �
Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Extracted

Path

C:\Users\Admin\Downloads\r.wry

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send %s to this bitcoin address: %s Next, please find the decrypt software on your desktop, an executable file named "%s". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) %s rar password: wcry123 Run and follow the instructions!

Targets

    • Target

      luna-1.6.8.zip

    • Size

      5.5MB

    • MD5

      24fea6dd585a009c3ff441760beae097

    • SHA1

      1920784c67ed8d49b611842b9643000aa0d8752c

    • SHA256

      0359c34efaf6025a0dec1cf80b5bcbb9b20517be4bca8945af0391049ed2c134

    • SHA512

      8f060951722ae1420812a36f12d64ded40de1797fdde3ac1591e143d9b3233174996cad0405eda36f3fc410e1abeb791d36a3a437bda2afcf4aaf1a2379f6f6a

    • SSDEEP

      98304:gUZug/1mvXA/eiMVm7TZJ4xpQCQqoInFaGZV++7n0hTMuymld03bD0D1fd9kRUAU:FogNEziam71IpQgzF/ZE+7n4t1A330Dz

    Score
    10/10
    discoveryinfinitylockwannacrymicrosoftdefense_evasionexecutionimpactpersistencephishingransomwarespywarestealerworm

    • InfinityLock Ransomware

      Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.

      ransomwareinfinitylock

    • Infinitylock family

      infinitylock

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Wannacry family

      wannacry

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Downloads MZ/PE file

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Detected potential entity reuse from brand MICROSOFT.

      phishingmicrosoft

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

    • Target

      luna-1.6.8/Bootstrapper.zip

    • Size

      5.5MB

    • MD5

      9ba94ac44294258328b5b23e6fbcaf4a

    • SHA1

      3ef50da71c5800f02680733b184bb11bb0ca309b

    • SHA256

      a9e76b770fb8a61f793a61ca6701e1f76ea95282d5a3647d8dfccf1b560f401a

    • SHA512

      52e3118e8e40d621275d0ce3157138bb0e9a4d56c1c570666930de60e46e8050af8e0c377aea2e5ccee2ff78c427576bd4954226a0f800eac6cabbaa70f267ce

    • SSDEEP

      98304:HUxBxVYLNchCiExF8pIV/hIy3D25GmoQ5ReIpL6Xh+SC+rnM/BnspjhlvkHeBA:0/biriUei/+boQ5EIpLoznI/tsp1lsHr

    Score
    1/10
    behavioral3behavioral4

    • Target

      Luna/Bootstrapper.exe

    • Size

      9.4MB

    • MD5

      f2a6133b7f38fc49f792ae799d1b4750

    • SHA1

      6bef46ddde325f45a0e9ff123112c96bbd47c795

    • SHA256

      37bde6655e1272e159b9c2e3a7eee3f4e9a837c0f04240645d3991d112287f8d

    • SHA512

      f9611bed83b4bce1841868880a42dacb6b8f7e8859be1d85b3c8d3a365a0244566cbfb12294c7b2c82b15d6c0e47095d8246a95d522c3a064a0d8511b2411254

    • SSDEEP

      98304:UHuETr54/xXEPmZM8l2EKSxOyFOiC0YYWtS7tkk6Q9SFxVLUeRF:2pIxXoSTlzdFfCtlIZ/9iZX

    Score
    1/10
    behavioral5behavioral6

    • Target

      luna-1.6.8/config.json

    • Size

      127B

    • MD5

      7fd96c6b742155f97e726cc3cd30659b

    • SHA1

      ce5a0469f6eced916931de46fa65b2efd7b7318c

    • SHA256

      1d5786aa530af255c9e5267e3637db5898953c849a1be1250eba156823e84a10

    • SHA512

      905505bff84af6370ff235ce2e49752320e2f62081981098011c672da2225f736d07410a5fdd37ca4133cb1ad1dd0547e8b5c0125698964186e02df3ad1a8434

    Score
    3/10
    discovery
    behavioral7behavioral8

    • Target

      luna-1.6.8/hash.txt

    • Size

      66B

    • MD5

      663c32ed37147c98b24dcbd7219d3d34

    • SHA1

      d5d4db10a72908522dd2977974e119f637b3e39b

    • SHA256

      0e19a151b264885cdc2cb427e4c4acd296e7a184b380e3302d1eb2bf099c3d92

    • SHA512

      784910780e05398e5a5bfcc8d11e190a1537a9f61b7b95beefc72137a77fbbf0f2e4a6e2b1fd49aeb9108318b83dbceb725e980cf7be686c42cb93eb51f6f091

    Score
    8/10
    adwaredefense_evasiondiscoverypersistenceprivilege_escalationstealertrojan

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Legitimate hosting services abused for malware hosting/C2

    • Network Service Discovery

      Attempt to gather information on host's network.

      discovery

    • Network Share Discovery

      Attempt to gather information on host network.

      discovery

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral10behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Browser Extensions

1
T1176

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

7
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Network Service Discovery

1
T1046

Network Share Discovery

1
T1135

Peripheral Device Discovery

1
T1120

Query Registry

7
T1012

System Information Discovery

7
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

1
T1490

Tasks