2a6a28e5ec050a9039d62bf2cd0075df7324ebb9e3c9130ca417c8381796445e

General

Target

darkmoon v2/lib/DarkMoon_Gen.exe
Size

340KB
MD5

f3c021dbce0cd670f15415c3aa6b83aa
SHA1

433842e6529c6df685da1317bfd69d2ea0c85cca
SHA256

c147148fa809e238efc3e60b2ed129a93f11694b31d194f7347ddfbb6b82ba20
SHA512

5690f12b45819cf28dfc350d3e362f172f1f589b9614b639f995e1bb56ea8fcb87b3058323998f33dd3637b48f00d596c63866cfde7172a3ac664fac110a6f66
SSDEEP

3072:eahKyd2n3175Ctbq6rw3VScvNSAh8CndDOMrt1nW:eahOql+UcsMra

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

DarkMoon_Gen.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	DarkMoon_Gen.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

12 discord.com

flow	ioc
12	discord.com

Delays execution with timeout.exe 13 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
1560	timeout.exe
2088	timeout.exe
4568	timeout.exe
3564	timeout.exe
2560	timeout.exe
2076	timeout.exe
2056	timeout.exe
1540	timeout.exe
4284	timeout.exe
1888	timeout.exe
1632	timeout.exe
4548	timeout.exe
3596	timeout.exe

Runs ping.exe 1 TTPs 17 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4872	PING.EXE
2572	PING.EXE
396	PING.EXE
4304	PING.EXE
3392	PING.EXE
1156	PING.EXE
724	PING.EXE
1768	PING.EXE
5072	PING.EXE
1416	PING.EXE
1620	PING.EXE
3492	PING.EXE
1000	PING.EXE
1508	PING.EXE
1832	PING.EXE
864	PING.EXE
1948	PING.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

DarkMoon_Gen.execmd.exe

description	pid	process	target process
PID 4016 wrote to memory of 2648	4016	DarkMoon_Gen.exe	cmd.exe
PID 4016 wrote to memory of 2648	4016	DarkMoon_Gen.exe	cmd.exe
PID 2648 wrote to memory of 2116	2648	cmd.exe	chcp.com
PID 2648 wrote to memory of 2116	2648	cmd.exe	chcp.com
PID 2648 wrote to memory of 2076	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 2076	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 724	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 724	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 1000	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 1000	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 1508	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 1508	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 1832	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 1832	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 5072	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 5072	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 1768	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 1768	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 864	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 864	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 4872	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 4872	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 1948	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 1948	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 3596	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 3596	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 1416	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 1416	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 4548	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 4548	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 2572	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 2572	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 1540	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 1540	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 396	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 396	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 1560	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 1560	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 4304	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 4304	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 2088	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 2088	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 1620	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 1620	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 4568	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 4568	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 3392	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 3392	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 1632	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 1632	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 3492	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 3492	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 4284	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 4284	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 3564	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 3564	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 1888	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 1888	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 2560	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 2560	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 1156	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 1156	2648	cmd.exe	PING.EXE
PID 2648 wrote to memory of 2056	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 2056	2648	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\darkmoon v2\lib\DarkMoon_Gen.exe
"C:\Users\Admin\AppData\Local\Temp\darkmoon v2\lib\DarkMoon_Gen.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\SYSTEM32\cmd.exe
cmd /c "Dark Moon gen.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:2116

C:\Windows\system32\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:2076

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:724

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:1000

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:1508

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:1832

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:5072

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:1768

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:864

C:\Windows\system32\PING.EXE
ping localhost -n 1
3⤵
- Runs ping.exe
PID:4872

C:\Windows\system32\PING.EXE
ping discord.com
3⤵
- Runs ping.exe
PID:1948

C:\Windows\system32\timeout.exe
timeout 0
3⤵
- Delays execution with timeout.exe
PID:3596

C:\Windows\system32\PING.EXE
ping www.paysafecard.com
3⤵
- Runs ping.exe
PID:1416

C:\Windows\system32\timeout.exe
timeout 0
3⤵
- Delays execution with timeout.exe
PID:4548

C:\Windows\system32\PING.EXE
ping www.amazon.com
3⤵
- Runs ping.exe
PID:2572

C:\Windows\system32\timeout.exe
timeout 0
3⤵
- Delays execution with timeout.exe
PID:1540

C:\Windows\system32\PING.EXE
ping play.google.com
3⤵
- Runs ping.exe
PID:396

C:\Windows\system32\timeout.exe
timeout 0
3⤵
- Delays execution with timeout.exe
PID:1560

C:\Windows\system32\PING.EXE
ping store.steampowered.com
3⤵
- Runs ping.exe
PID:4304

C:\Windows\system32\timeout.exe
timeout 0
3⤵
- Delays execution with timeout.exe
PID:2088

C:\Windows\system32\PING.EXE
ping netflix.com
3⤵
- Runs ping.exe
PID:1620

C:\Windows\system32\timeout.exe
timeout 0
3⤵
- Delays execution with timeout.exe
PID:4568

C:\Windows\system32\PING.EXE
ping www.spotify.com
3⤵
- Runs ping.exe
PID:3392

C:\Windows\system32\timeout.exe
timeout 0
3⤵
- Delays execution with timeout.exe
PID:1632

C:\Windows\system32\PING.EXE
ping www.xbox.com
3⤵
- Runs ping.exe
PID:3492

C:\Windows\system32\timeout.exe
timeout 0
3⤵
- Delays execution with timeout.exe
PID:4284

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3564

C:\Windows\system32\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:1888

C:\Windows\system32\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:2560

C:\Windows\system32\PING.EXE
ping www.google.com
3⤵
- Runs ping.exe
PID:1156

C:\Windows\system32\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dark Moon gen.bat
Filesize
35KB

MD5
c153581143e0b72cecae38a393991a4b

SHA1
da43d03b19765594ff124415a060551343823a39

SHA256
2fa64c968a0fe02d626a225ecc2e1e4a5185f73d70a0557f32f2bbea76361005

SHA512
8c9807f4a3044f49d99e5b1c2a20d112eba61570fa0e725777a3bd84d6a0e7df1c604579863e27c6d0617c2c84fa4ae8c3b7525e37f7e7ee9c6ef26b6c9db40f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads