Analysis

  • max time kernel
    92s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-06-2024 15:40

General

  • Target

    darkmoon v2/lib/DarkMoon_Gen.exe

  • Size

    340KB

  • MD5

    f3c021dbce0cd670f15415c3aa6b83aa

  • SHA1

    433842e6529c6df685da1317bfd69d2ea0c85cca

  • SHA256

    c147148fa809e238efc3e60b2ed129a93f11694b31d194f7347ddfbb6b82ba20

  • SHA512

    5690f12b45819cf28dfc350d3e362f172f1f589b9614b639f995e1bb56ea8fcb87b3058323998f33dd3637b48f00d596c63866cfde7172a3ac664fac110a6f66

  • SSDEEP

    3072:eahKyd2n3175Ctbq6rw3VScvNSAh8CndDOMrt1nW:eahOql+UcsMra

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Delays execution with timeout.exe 13 IoCs
  • Runs ping.exe 1 TTPs 17 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\darkmoon v2\lib\DarkMoon_Gen.exe
    "C:\Users\Admin\AppData\Local\Temp\darkmoon v2\lib\DarkMoon_Gen.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4372
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "Dark Moon gen.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3496
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:4536
        • C:\Windows\system32\timeout.exe
          timeout 2
          3⤵
          • Delays execution with timeout.exe
          PID:4840
        • C:\Windows\system32\PING.EXE
          ping localhost -n 1
          3⤵
          • Runs ping.exe
          PID:4924
        • C:\Windows\system32\PING.EXE
          ping localhost -n 1
          3⤵
          • Runs ping.exe
          PID:4132
        • C:\Windows\system32\PING.EXE
          ping localhost -n 1
          3⤵
          • Runs ping.exe
          PID:3464
        • C:\Windows\system32\PING.EXE
          ping localhost -n 1
          3⤵
          • Runs ping.exe
          PID:5024
        • C:\Windows\system32\PING.EXE
          ping localhost -n 1
          3⤵
          • Runs ping.exe
          PID:4976
        • C:\Windows\system32\PING.EXE
          ping localhost -n 1
          3⤵
          • Runs ping.exe
          PID:2888
        • C:\Windows\system32\PING.EXE
          ping localhost -n 1
          3⤵
          • Runs ping.exe
          PID:3020
        • C:\Windows\system32\PING.EXE
          ping localhost -n 1
          3⤵
          • Runs ping.exe
          PID:3184
        • C:\Windows\system32\PING.EXE
          ping discord.com
          3⤵
          • Runs ping.exe
          PID:3460
        • C:\Windows\system32\timeout.exe
          timeout 0
          3⤵
          • Delays execution with timeout.exe
          PID:452
        • C:\Windows\system32\PING.EXE
          ping www.paysafecard.com
          3⤵
          • Runs ping.exe
          PID:2224
        • C:\Windows\system32\timeout.exe
          timeout 0
          3⤵
          • Delays execution with timeout.exe
          PID:1432
        • C:\Windows\system32\PING.EXE
          ping www.amazon.com
          3⤵
          • Runs ping.exe
          PID:4920
        • C:\Windows\system32\timeout.exe
          timeout 0
          3⤵
          • Delays execution with timeout.exe
          PID:2200
        • C:\Windows\system32\PING.EXE
          ping play.google.com
          3⤵
          • Runs ping.exe
          PID:640
        • C:\Windows\system32\timeout.exe
          timeout 0
          3⤵
          • Delays execution with timeout.exe
          PID:3500
        • C:\Windows\system32\PING.EXE
          ping store.steampowered.com
          3⤵
          • Runs ping.exe
          PID:2168
        • C:\Windows\system32\timeout.exe
          timeout 0
          3⤵
          • Delays execution with timeout.exe
          PID:656
        • C:\Windows\system32\PING.EXE
          ping netflix.com
          3⤵
          • Runs ping.exe
          PID:2112
        • C:\Windows\system32\timeout.exe
          timeout 0
          3⤵
          • Delays execution with timeout.exe
          PID:1364
        • C:\Windows\system32\PING.EXE
          ping www.spotify.com
          3⤵
          • Runs ping.exe
          PID:1188
        • C:\Windows\system32\timeout.exe
          timeout 0
          3⤵
          • Delays execution with timeout.exe
          PID:2712
        • C:\Windows\system32\PING.EXE
          ping www.xbox.com
          3⤵
          • Runs ping.exe
          PID:2896
        • C:\Windows\system32\timeout.exe
          timeout 0
          3⤵
          • Delays execution with timeout.exe
          PID:820
        • C:\Windows\system32\timeout.exe
          timeout 1
          3⤵
          • Delays execution with timeout.exe
          PID:1256
        • C:\Windows\system32\timeout.exe
          timeout 2
          3⤵
          • Delays execution with timeout.exe
          PID:4828
        • C:\Windows\system32\timeout.exe
          timeout 2
          3⤵
          • Delays execution with timeout.exe
          PID:4104
        • C:\Windows\system32\PING.EXE
          ping www.google.com
          3⤵
          • Runs ping.exe
          PID:4248
        • C:\Windows\system32\timeout.exe
          timeout 2
          3⤵
          • Delays execution with timeout.exe
          PID:4468

    Network

    MITRE ATT&CK Matrix (ATT&CK v13)

      • Persistence
        Boot or Logon Autostart Execution (T1547): 1
        Registry Run Keys / Startup Folder (T1547.001): 1
      • Privilege Escalation
        Boot or Logon Autostart Execution (T1547): 1
        Registry Run Keys / Startup Folder (T1547.001): 1
      • Defense Evasion
        Modify Registry (T1112): 1
      • Discovery
        Remote System Discovery (T1018): 1
      • Command and Control
        Web Service (T1102): 1

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dark Moon gen.bat
      Filesize

      35KB

      MD5

      c153581143e0b72cecae38a393991a4b

      SHA1

      da43d03b19765594ff124415a060551343823a39

      SHA256

      2fa64c968a0fe02d626a225ecc2e1e4a5185f73d70a0557f32f2bbea76361005

      SHA512

      8c9807f4a3044f49d99e5b1c2a20d112eba61570fa0e725777a3bd84d6a0e7df1c604579863e27c6d0617c2c84fa4ae8c3b7525e37f7e7ee9c6ef26b6c9db40f