e3b738d063a721f7fbc486125d6ff34e238f1f1ff5561af2b6db80eec5ae5654

General

Target

DarkMoon_Gen_1-3/lib/main.exe
Size

340KB
MD5

f3c021dbce0cd670f15415c3aa6b83aa
SHA1

433842e6529c6df685da1317bfd69d2ea0c85cca
SHA256

c147148fa809e238efc3e60b2ed129a93f11694b31d194f7347ddfbb6b82ba20
SHA512

5690f12b45819cf28dfc350d3e362f172f1f589b9614b639f995e1bb56ea8fcb87b3058323998f33dd3637b48f00d596c63866cfde7172a3ac664fac110a6f66
SSDEEP

3072:eahKyd2n3175Ctbq6rw3VScvNSAh8CndDOMrt1nW:eahOql+UcsMra

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

main.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	main.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

13 discord.com

flow	ioc
13	discord.com

Delays execution with timeout.exe 13 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
5828	timeout.exe
5612	timeout.exe
4420	timeout.exe
4016	timeout.exe
4092	timeout.exe
1696	timeout.exe
5304	timeout.exe
5628	timeout.exe
5616	timeout.exe
2904	timeout.exe
2832	timeout.exe
1416	timeout.exe
2020	timeout.exe

Runs ping.exe 1 TTPs 17 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
372	PING.EXE
1128	PING.EXE
4212	PING.EXE
4708	PING.EXE
680	PING.EXE
4584	PING.EXE
5440	PING.EXE
2676	PING.EXE
4232	PING.EXE
960	PING.EXE
3692	PING.EXE
1688	PING.EXE
5232	PING.EXE
4344	PING.EXE
3744	PING.EXE
5124	PING.EXE
5504	PING.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

main.execmd.exe

description	pid	process	target process
PID 5288 wrote to memory of 448	5288	main.exe	cmd.exe
PID 5288 wrote to memory of 448	5288	main.exe	cmd.exe
PID 448 wrote to memory of 5104	448	cmd.exe	chcp.com
PID 448 wrote to memory of 5104	448	cmd.exe	chcp.com
PID 448 wrote to memory of 4016	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 4016	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 5124	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 5124	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 4232	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 4232	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 960	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 960	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 1688	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 1688	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 680	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 680	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 5504	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 5504	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 5232	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 5232	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 4584	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 4584	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 4344	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 4344	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 5828	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 5828	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 4212	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 4212	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 4092	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 4092	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 4708	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 4708	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 5616	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 5616	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 5440	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 5440	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 2904	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 2904	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 2676	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 2676	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 5612	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 5612	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 3692	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 3692	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 1696	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 1696	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 372	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 372	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 4420	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 4420	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 1128	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 1128	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 5304	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 5304	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 2832	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 2832	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 1416	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 1416	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 2020	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 2020	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 3744	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 3744	448	cmd.exe	PING.EXE
PID 448 wrote to memory of 5628	448	cmd.exe	timeout.exe
PID 448 wrote to memory of 5628	448	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\main.exe
"C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\main.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5288

C:\Windows\SYSTEM32\cmd.exe
cmd /c "Dark Moon gen.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:448

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:5104

C:\Windows\system32\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:4016

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:5124

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:4232

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:960

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:1688

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:680

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:5504

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:5232

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:4584

C:\Windows\system32\PING.EXE
ping discord.com
3⤵
- Runs ping.exe
PID:4344

C:\Windows\system32\timeout.exe
timeout 0
3⤵
- Delays execution with timeout.exe
PID:5828

C:\Windows\system32\PING.EXE
ping www.paysafecard.com
3⤵
- Runs ping.exe
PID:4212

C:\Windows\system32\timeout.exe
timeout 0
3⤵
- Delays execution with timeout.exe
PID:4092

C:\Windows\system32\PING.EXE
ping www.amazon.com
3⤵
- Runs ping.exe
PID:4708

C:\Windows\system32\timeout.exe
timeout 0
3⤵
- Delays execution with timeout.exe
PID:5616

C:\Windows\system32\PING.EXE
ping play.google.com
3⤵
- Runs ping.exe
PID:5440

C:\Windows\system32\timeout.exe
timeout 0
3⤵
- Delays execution with timeout.exe
PID:2904

C:\Windows\system32\PING.EXE
ping store.steampowered.com
3⤵
- Runs ping.exe
PID:2676

C:\Windows\system32\timeout.exe
timeout 0
3⤵
- Delays execution with timeout.exe
PID:5612

C:\Windows\system32\PING.EXE
ping netflix.com
3⤵
- Runs ping.exe
PID:3692

C:\Windows\system32\timeout.exe
timeout 0
3⤵
- Delays execution with timeout.exe
PID:1696

C:\Windows\system32\PING.EXE
ping www.spotify.com
3⤵
- Runs ping.exe
PID:372

C:\Windows\system32\timeout.exe
timeout 0
3⤵
- Delays execution with timeout.exe
PID:4420

C:\Windows\system32\PING.EXE
ping www.xbox.com
3⤵
- Runs ping.exe
PID:1128

C:\Windows\system32\timeout.exe
timeout 0
3⤵
- Delays execution with timeout.exe
PID:5304

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2832

C:\Windows\system32\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:1416

C:\Windows\system32\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:2020

C:\Windows\system32\PING.EXE
ping www.google.com
3⤵
- Runs ping.exe
PID:3744

C:\Windows\system32\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:5628

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dark Moon gen.bat
Filesize
35KB

MD5
c153581143e0b72cecae38a393991a4b

SHA1
da43d03b19765594ff124415a060551343823a39

SHA256
2fa64c968a0fe02d626a225ecc2e1e4a5185f73d70a0557f32f2bbea76361005

SHA512
8c9807f4a3044f49d99e5b1c2a20d112eba61570fa0e725777a3bd84d6a0e7df1c604579863e27c6d0617c2c84fa4ae8c3b7525e37f7e7ee9c6ef26b6c9db40f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads