Analysis

max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 19:09
Behavioral task: behavioral1
Sample: moon.exe
Resource: win10v2004-20241007-en
General

Target: moon.exe
Size: 423KB
MD5: b1c7d8102bcab505d2fdec27282767f3
SHA1: 4f3496b126eabcd57335e2a315d59bdd2e043c89
SHA256: 010b6fa39f761c1444233c206b2c4434428a75ff9d0583bcb84b12e2804340db
SHA512: c1da6810dbcf11b582f80820f55279258a5779eb420ec5a19b9da04a3d90dc37febb841e50d54be55b2fc447d77fd8f775a1e6f5ac7e8e10acb35bbbf8ce6748
SSDEEP: 6144:YeghbOV4Asvo/Z+wo6TmTIHnqgKIuTi5gTaWnLLDt1dbWAOaKapXFWbcFSU:YeKbOV4A3ho9IKNti5gT/wUzzWTU
Malware Config
Signatures

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (moon.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (moon.exe)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description / ioc / Process:
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 (taskmgr.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (taskmgr.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (taskmgr.exe)

Suspicious behavior: EnumeratesProcesses (33 IoCs)
pid / Process:
- 2284 taskmgr.exe (33 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege, 2284 taskmgr.exe
- Token: SeSystemProfilePrivilege, 2284 taskmgr.exe
- Token: SeCreateGlobalPrivilege, 2284 taskmgr.exe

Suspicious use of FindShellTrayWindow (45 IoCs)
pid / Process:
- 2284 taskmgr.exe (45 identical entries)

Suspicious use of SendNotifyMessage (45 IoCs)
pid / Process:
- 2284 taskmgr.exe (45 identical entries)
Processes

All entries below are top-level (tree depth 1); no parent/child relationships are recorded.

- C:\Users\Admin\AppData\Local\Temp\moon.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\moon.exe"
  PID: 3472
  Signatures: System Location Discovery: System Language Discovery

- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1120

- C:\Users\Admin\AppData\Local\Temp\moon.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\moon.exe"
  PID: 4236
  Signatures: System Location Discovery: System Language Discovery

- C:\Users\Admin\AppData\Local\Temp\moon.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\moon.exe"
  PID: 3696

- C:\Users\Admin\AppData\Local\Temp\moon.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\moon.exe"
  PID: 2704

- C:\Users\Admin\AppData\Local\Temp\moon.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\moon.exe"
  PID: 2724

- C:\Users\Admin\AppData\Local\Temp\moon.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\moon.exe"
  PID: 4792

- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 2284
  Signatures:
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage