Analysis
- max time kernel: 92s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-06-2024 15:40
- Static task: static1
- Behavioral task behavioral1: sample darkmoon v2/lib/AyBYMBjlvU.bat, resource win7-20240419-en
- Behavioral task behavioral2: sample darkmoon v2/lib/AyBYMBjlvU.bat, resource win10v2004-20240508-en
- Behavioral task behavioral3: sample darkmoon v2/lib/DarkMoon_Gen.exe, resource win10v2004-20240426-en
- Behavioral task behavioral4: sample darkmoon v2/start.bat, resource win7-20240221-en
- Behavioral task behavioral5: sample darkmoon v2/start.bat, resource win10v2004-20240508-en
General
- Target: darkmoon v2/lib/DarkMoon_Gen.exe
- Size: 340KB
- MD5: f3c021dbce0cd670f15415c3aa6b83aa
- SHA1: 433842e6529c6df685da1317bfd69d2ea0c85cca
- SHA256: c147148fa809e238efc3e60b2ed129a93f11694b31d194f7347ddfbb6b82ba20
- SHA512: 5690f12b45819cf28dfc350d3e362f172f1f589b9614b639f995e1bb56ea8fcb87b3058323998f33dd3637b48f00d596c63866cfde7172a3ac664fac110a6f66
- SSDEEP: 3072:eahKyd2n3175Ctbq6rw3VScvNSAh8CndDOMrt1nW:eahOql+UcsMra
Malware Config
Signatures
-
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | DarkMoon_Gen.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)
- Delays execution with timeout.exe (13 IoCs)
  Processes:
  pid | process
  452 | timeout.exe
  2712 | timeout.exe
  1364 | timeout.exe
  820 | timeout.exe
  4828 | timeout.exe
  4840 | timeout.exe
  1256 | timeout.exe
  4104 | timeout.exe
  4468 | timeout.exe
  1432 | timeout.exe
  2200 | timeout.exe
  3500 | timeout.exe
  656 | timeout.exe
- Runs ping.exe (1 TTP, 17 IoCs)
  Processes:
  pid | process
  3460 | PING.EXE
  3464 | PING.EXE
  5024 | PING.EXE
  2888 | PING.EXE
  2224 | PING.EXE
  4920 | PING.EXE
  2896 | PING.EXE
  2168 | PING.EXE
  1188 | PING.EXE
  4248 | PING.EXE
  4924 | PING.EXE
  3020 | PING.EXE
  3184 | PING.EXE
  2112 | PING.EXE
  4132 | PING.EXE
  4976 | PING.EXE
  640 | PING.EXE
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
  description | pid | process | target process
  PID 4372 wrote to memory of 3496 | 4372 | DarkMoon_Gen.exe | cmd.exe
  PID 4372 wrote to memory of 3496 | 4372 | DarkMoon_Gen.exe | cmd.exe
  PID 3496 wrote to memory of 4536 | 3496 | cmd.exe | chcp.com
  PID 3496 wrote to memory of 4536 | 3496 | cmd.exe | chcp.com
  PID 3496 wrote to memory of 4840 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 4840 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 4924 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 4924 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 4132 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 4132 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 3464 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 3464 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 5024 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 5024 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 4976 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 4976 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 2888 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 2888 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 3020 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 3020 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 3184 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 3184 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 3460 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 3460 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 452 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 452 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 2224 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 2224 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 1432 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 1432 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 4920 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 4920 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 2200 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 2200 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 640 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 640 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 3500 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 3500 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 2168 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 2168 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 656 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 656 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 2112 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 2112 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 1364 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 1364 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 1188 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 1188 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 2712 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 2712 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 2896 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 2896 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 820 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 820 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 1256 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 1256 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 4828 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 4828 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 4104 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 4104 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 4248 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 4248 | 3496 | cmd.exe | PING.EXE
  PID 3496 wrote to memory of 4468 | 3496 | cmd.exe | timeout.exe
  PID 3496 wrote to memory of 4468 | 3496 | cmd.exe | timeout.exe
Processes
-
- depth 1: C:\Users\Admin\AppData\Local\Temp\darkmoon v2\lib\DarkMoon_Gen.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\darkmoon v2\lib\DarkMoon_Gen.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - depth 2: C:\Windows\SYSTEM32\cmd.exe
    command line: cmd /c "Dark Moon gen.bat"
    signatures: Suspicious use of WriteProcessMemory
    - depth 3: C:\Windows\system32\chcp.com (chcp 65001)
    - depth 3: C:\Windows\system32\timeout.exe (timeout 2) [Delays execution with timeout.exe]
    - depth 3: C:\Windows\system32\PING.EXE (ping localhost -n 1) [Runs ping.exe]
    - depth 3: C:\Windows\system32\PING.EXE (ping localhost -n 1) [Runs ping.exe]
    - depth 3: C:\Windows\system32\PING.EXE (ping localhost -n 1) [Runs ping.exe]
    - depth 3: C:\Windows\system32\PING.EXE (ping localhost -n 1) [Runs ping.exe]
    - depth 3: C:\Windows\system32\PING.EXE (ping localhost -n 1) [Runs ping.exe]
    - depth 3: C:\Windows\system32\PING.EXE (ping localhost -n 1) [Runs ping.exe]
    - depth 3: C:\Windows\system32\PING.EXE (ping localhost -n 1) [Runs ping.exe]
    - depth 3: C:\Windows\system32\PING.EXE (ping localhost -n 1) [Runs ping.exe]
    - depth 3: C:\Windows\system32\PING.EXE (ping discord.com) [Runs ping.exe]
    - depth 3: C:\Windows\system32\timeout.exe (timeout 0) [Delays execution with timeout.exe]
    - depth 3: C:\Windows\system32\PING.EXE (ping www.paysafecard.com) [Runs ping.exe]
    - depth 3: C:\Windows\system32\timeout.exe (timeout 0) [Delays execution with timeout.exe]
    - depth 3: C:\Windows\system32\PING.EXE (ping www.amazon.com) [Runs ping.exe]
    - depth 3: C:\Windows\system32\timeout.exe (timeout 0) [Delays execution with timeout.exe]
    - depth 3: C:\Windows\system32\PING.EXE (ping play.google.com) [Runs ping.exe]
    - depth 3: C:\Windows\system32\timeout.exe (timeout 0) [Delays execution with timeout.exe]
    - depth 3: C:\Windows\system32\PING.EXE (ping store.steampowered.com) [Runs ping.exe]
    - depth 3: C:\Windows\system32\timeout.exe (timeout 0) [Delays execution with timeout.exe]
    - depth 3: C:\Windows\system32\PING.EXE (ping netflix.com) [Runs ping.exe]
    - depth 3: C:\Windows\system32\timeout.exe (timeout 0) [Delays execution with timeout.exe]
    - depth 3: C:\Windows\system32\PING.EXE (ping www.spotify.com) [Runs ping.exe]
    - depth 3: C:\Windows\system32\timeout.exe (timeout 0) [Delays execution with timeout.exe]
    - depth 3: C:\Windows\system32\PING.EXE (ping www.xbox.com) [Runs ping.exe]
    - depth 3: C:\Windows\system32\timeout.exe (timeout 0) [Delays execution with timeout.exe]
    - depth 3: C:\Windows\system32\timeout.exe (timeout 1) [Delays execution with timeout.exe]
    - depth 3: C:\Windows\system32\timeout.exe (timeout 2) [Delays execution with timeout.exe]
    - depth 3: C:\Windows\system32\timeout.exe (timeout 2) [Delays execution with timeout.exe]
    - depth 3: C:\Windows\system32\PING.EXE (ping www.google.com) [Runs ping.exe]
    - depth 3: C:\Windows\system32\timeout.exe (timeout 2) [Delays execution with timeout.exe]
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dark Moon gen.bat
  Filesize: 35KB
  MD5: c153581143e0b72cecae38a393991a4b
  SHA1: da43d03b19765594ff124415a060551343823a39
  SHA256: 2fa64c968a0fe02d626a225ecc2e1e4a5185f73d70a0557f32f2bbea76361005
  SHA512: 8c9807f4a3044f49d99e5b1c2a20d112eba61570fa0e725777a3bd84d6a0e7df1c604579863e27c6d0617c2c84fa4ae8c3b7525e37f7e7ee9c6ef26b6c9db40f