blackmoon | 3e6f4538238d0c3c15b1495e2e7b60976259751cae711d4f3d6feeadaabad708

Analysis

max time kernel
131s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-02_423d1987255f7064cda2e41b60f4b95b_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Size

12.4MB
MD5

423d1987255f7064cda2e41b60f4b95b
SHA1

eaa366d44a965def0c4a79a61745185376945529
SHA256

3e6f4538238d0c3c15b1495e2e7b60976259751cae711d4f3d6feeadaabad708
SHA512

c6557812bdfa459a19fb71693e78f950f009558de0fe5ef37ffeae81ee0a84c2856ed94f83813a33b98a1dd30d7e2b75436aff4a09af0fe1f4fd421fd3bbff9b
SSDEEP

196608:o3XTYQmknGzwHaOtVPHd9swFBubKLtchEYX2AxFpx4g1JoHZiDzDhpyT4t2:4ujzwV3BubKyeapug7ciDzDhpyTv

Score

10^/10

blackmoon mimikatz banker discovery trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral1/memory/2908-0-0x0000000000400000-0x0000000000A6E000-memory.dmp	family_blackmoon
behavioral1/memory/2908-4-0x0000000000400000-0x0000000000A6E000-memory.dmp	family_blackmoon
behavioral1/files/0x000700000002412a-6.dat	family_blackmoon
behavioral1/memory/2596-8-0x0000000000400000-0x0000000000A6E000-memory.dmp	family_blackmoon

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 4 IoCs

resource	yara_rule
behavioral1/memory/2908-0-0x0000000000400000-0x0000000000A6E000-memory.dmp	mimikatz
behavioral1/memory/2908-4-0x0000000000400000-0x0000000000A6E000-memory.dmp	mimikatz
behavioral1/files/0x000700000002412a-6.dat	mimikatz
behavioral1/memory/2596-8-0x0000000000400000-0x0000000000A6E000-memory.dmp	mimikatz

Executes dropped EXE 2 IoCs

pid	Process
2596	uyujkze.exe
4328	uyujkze.exe

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	122	117.50.11.11	3344	nslookup.exe
Destination IP	129	208.67.220.220	3744	nslookup.exe
Destination IP	152	208.67.222.222	3844	nslookup.exe
Destination IP	165	117.50.11.11	2988	nslookup.exe
Destination IP	181	117.50.11.11	2332	nslookup.exe
Destination IP	30	117.50.11.11	3024	nslookup.exe
Destination IP	72	208.67.222.222	3340	nslookup.exe
Destination IP	124	117.50.22.22	3988	nslookup.exe
Destination IP	145	117.50.11.11	2056	nslookup.exe
Destination IP	153	208.67.222.222	3844	nslookup.exe
Destination IP	155	208.67.220.220	3776	nslookup.exe
Destination IP	189	117.50.22.22	3380	nslookup.exe
Destination IP	193	208.67.220.220	4412	nslookup.exe
Destination IP	41	117.50.22.22	5044	nslookup.exe
Destination IP	121	117.50.11.11	3344	nslookup.exe
Destination IP	125	117.50.22.22	3988	nslookup.exe
Destination IP	126	208.67.222.222	232	nslookup.exe
Destination IP	151	208.67.222.222	3844	nslookup.exe
Destination IP	186	117.50.22.22	3380	nslookup.exe
Destination IP	47	208.67.220.220	1572	nslookup.exe
Destination IP	71	208.67.222.222	3340	nslookup.exe
Destination IP	76	208.67.220.220	2352	nslookup.exe
Destination IP	88	117.50.11.11	736	nslookup.exe
Destination IP	131	208.67.220.220	3744	nslookup.exe
Destination IP	167	117.50.22.22	2708	nslookup.exe
Destination IP	45	208.67.222.222	5004	nslookup.exe
Destination IP	73	208.67.222.222	3340	nslookup.exe
Destination IP	164	117.50.11.11	2988	nslookup.exe
Destination IP	192	208.67.222.222	1052	nslookup.exe
Destination IP	208	117.50.11.11	4328	uyujkze.exe
Destination IP	210	117.50.22.22	4328	uyujkze.exe
Destination IP	43	208.67.222.222	5004	nslookup.exe
Destination IP	130	208.67.220.220	3744	nslookup.exe
Destination IP	149	117.50.22.22	4608	nslookup.exe
Destination IP	169	208.67.222.222	4264	nslookup.exe
Destination IP	191	208.67.222.222	1052	nslookup.exe
Destination IP	39	117.50.22.22	5044	nslookup.exe
Destination IP	147	117.50.11.11	2056	nslookup.exe
Destination IP	166	117.50.22.22	2708	nslookup.exe
Destination IP	206	117.50.11.11	4960	nslookup.exe
Destination IP	89	117.50.11.11	736	nslookup.exe
Destination IP	108	208.67.222.222	784	nslookup.exe
Destination IP	110	208.67.222.222	784	nslookup.exe
Destination IP	111	208.67.220.220	924	nslookup.exe
Destination IP	112	208.67.220.220	924	nslookup.exe
Destination IP	173	208.67.220.220	1412	nslookup.exe
Destination IP	182	117.50.11.11	2332	nslookup.exe
Destination IP	190	208.67.222.222	1052	nslookup.exe
Destination IP	33	117.50.11.11	3024	nslookup.exe
Destination IP	211	117.50.22.22	4328	uyujkze.exe
Destination IP	32	117.50.11.11	3024	nslookup.exe
Destination IP	57	117.50.11.11	2428	nslookup.exe
Destination IP	102	117.50.11.11	736	nslookup.exe
Destination IP	138	117.50.11.11	2056	nslookup.exe
Destination IP	183	117.50.11.11	2332	nslookup.exe
Destination IP	188	117.50.22.22	3380	nslookup.exe
Destination IP	209	117.50.22.22	4608	nslookup.exe
Destination IP	212	208.67.222.222	4560	nslookup.exe
Destination IP	77	208.67.220.220	2352	nslookup.exe
Destination IP	105	117.50.22.22	408	nslookup.exe
Destination IP	107	117.50.22.22	408	nslookup.exe
Destination IP	154	208.67.220.220	3776	nslookup.exe
Destination IP	194	208.67.220.220	4412	nslookup.exe
Destination IP	46	208.67.220.220	1572	nslookup.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	uyujkze.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	uyujkze.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	uyujkze.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	uyujkze.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\taikbuke\uyujkze.exe	2025-04-02_423d1987255f7064cda2e41b60f4b95b_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
File opened for modification	C:\Windows\taikbuke\uyujkze.exe	2025-04-02_423d1987255f7064cda2e41b60f4b95b_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-02_423d1987255f7064cda2e41b60f4b95b_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uyujkze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1464	cmd.exe
3612	PING.EXE

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x000700000002412a-6.dat	nsis_installer_2

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	uyujkze.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	uyujkze.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	uyujkze.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	uyujkze.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	uyujkze.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	uyujkze.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	uyujkze.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	uyujkze.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3612	PING.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2908	2025-04-02_423d1987255f7064cda2e41b60f4b95b_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	2025-04-02_423d1987255f7064cda2e41b60f4b95b_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Token: SeDebugPrivilege	2596	uyujkze.exe
Token: SeDebugPrivilege	4328	uyujkze.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2908	2025-04-02_423d1987255f7064cda2e41b60f4b95b_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
2596	uyujkze.exe
4328	uyujkze.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 1464	2908	2025-04-02_423d1987255f7064cda2e41b60f4b95b_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	87
PID 2908 wrote to memory of 1464	2908	2025-04-02_423d1987255f7064cda2e41b60f4b95b_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	87
PID 2908 wrote to memory of 1464	2908	2025-04-02_423d1987255f7064cda2e41b60f4b95b_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	87
PID 1464 wrote to memory of 3612	1464	cmd.exe	89
PID 1464 wrote to memory of 3612	1464	cmd.exe	89
PID 1464 wrote to memory of 3612	1464	cmd.exe	89
PID 1464 wrote to memory of 2596	1464	cmd.exe	97
PID 1464 wrote to memory of 2596	1464	cmd.exe	97
PID 1464 wrote to memory of 2596	1464	cmd.exe	97
PID 4328 wrote to memory of 5020	4328	uyujkze.exe	99
PID 4328 wrote to memory of 5020	4328	uyujkze.exe	99
PID 4328 wrote to memory of 5020	4328	uyujkze.exe	99
PID 5020 wrote to memory of 5024	5020	cmd.exe	101
PID 5020 wrote to memory of 5024	5020	cmd.exe	101
PID 5020 wrote to memory of 5024	5020	cmd.exe	101
PID 4328 wrote to memory of 2196	4328	uyujkze.exe	102
PID 4328 wrote to memory of 2196	4328	uyujkze.exe	102
PID 4328 wrote to memory of 2196	4328	uyujkze.exe	102
PID 2196 wrote to memory of 1740	2196	cmd.exe	104
PID 2196 wrote to memory of 1740	2196	cmd.exe	104
PID 2196 wrote to memory of 1740	2196	cmd.exe	104
PID 4328 wrote to memory of 3988	4328	uyujkze.exe	105
PID 4328 wrote to memory of 3988	4328	uyujkze.exe	105
PID 4328 wrote to memory of 3988	4328	uyujkze.exe	105
PID 3988 wrote to memory of 3024	3988	cmd.exe	107
PID 3988 wrote to memory of 3024	3988	cmd.exe	107
PID 3988 wrote to memory of 3024	3988	cmd.exe	107
PID 4328 wrote to memory of 3556	4328	uyujkze.exe	111
PID 4328 wrote to memory of 3556	4328	uyujkze.exe	111
PID 4328 wrote to memory of 3556	4328	uyujkze.exe	111
PID 3556 wrote to memory of 5044	3556	cmd.exe	113
PID 3556 wrote to memory of 5044	3556	cmd.exe	113
PID 3556 wrote to memory of 5044	3556	cmd.exe	113
PID 4328 wrote to memory of 3084	4328	uyujkze.exe	114
PID 4328 wrote to memory of 3084	4328	uyujkze.exe	114
PID 4328 wrote to memory of 3084	4328	uyujkze.exe	114
PID 3084 wrote to memory of 5004	3084	cmd.exe	116
PID 3084 wrote to memory of 5004	3084	cmd.exe	116
PID 3084 wrote to memory of 5004	3084	cmd.exe	116
PID 4328 wrote to memory of 3568	4328	uyujkze.exe	117
PID 4328 wrote to memory of 3568	4328	uyujkze.exe	117
PID 4328 wrote to memory of 3568	4328	uyujkze.exe	117
PID 3568 wrote to memory of 1572	3568	cmd.exe	119
PID 3568 wrote to memory of 1572	3568	cmd.exe	119
PID 3568 wrote to memory of 1572	3568	cmd.exe	119
PID 4328 wrote to memory of 2480	4328	uyujkze.exe	120
PID 4328 wrote to memory of 2480	4328	uyujkze.exe	120
PID 4328 wrote to memory of 2480	4328	uyujkze.exe	120
PID 2480 wrote to memory of 4592	2480	cmd.exe	122
PID 2480 wrote to memory of 4592	2480	cmd.exe	122
PID 2480 wrote to memory of 4592	2480	cmd.exe	122
PID 4328 wrote to memory of 4372	4328	uyujkze.exe	123
PID 4328 wrote to memory of 4372	4328	uyujkze.exe	123
PID 4328 wrote to memory of 4372	4328	uyujkze.exe	123
PID 4372 wrote to memory of 4624	4372	cmd.exe	125
PID 4372 wrote to memory of 4624	4372	cmd.exe	125
PID 4372 wrote to memory of 4624	4372	cmd.exe	125
PID 4328 wrote to memory of 3088	4328	uyujkze.exe	126
PID 4328 wrote to memory of 3088	4328	uyujkze.exe	126
PID 4328 wrote to memory of 3088	4328	uyujkze.exe	126
PID 3088 wrote to memory of 2428	3088	cmd.exe	128
PID 3088 wrote to memory of 2428	3088	cmd.exe	128
PID 3088 wrote to memory of 2428	3088	cmd.exe	128
PID 4328 wrote to memory of 2572	4328	uyujkze.exe	129

C:\Users\Admin\AppData\Local\Temp\2025-04-02_423d1987255f7064cda2e41b60f4b95b_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-02_423d1987255f7064cda2e41b60f4b95b_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\taikbuke\uyujkze.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3612
- - C:\Windows\taikbuke\uyujkze.exe
    C:\Windows\taikbuke\uyujkze.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2596

C:\Windows\taikbuke\uyujkze.exe
C:\Windows\taikbuke\uyujkze.exe
1⤵
- Executes dropped EXE
- Unexpected DNS network traffic destination
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 8.8.8.8
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 8.8.8.8
    3⤵
    PID:5024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 1.1.1.1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 1.1.1.1
    3⤵
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 117.50.11.11
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 117.50.22.22
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5044
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 208.67.222.222
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 208.67.220.220
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    PID:1572
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 8.8.8.8
    3⤵
    PID:4592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 1.1.1.1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4624
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 117.50.11.11
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 117.50.22.22
  2⤵
  PID:2572
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 117.50.22.22
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 208.67.222.222
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4988
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3340
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 208.67.220.220
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4572
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2352
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3824
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 8.8.8.8
    3⤵
    PID:3348
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 1.1.1.1
  2⤵
  PID:3652
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 117.50.11.11
  2⤵
  PID:2596
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    PID:736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 117.50.22.22
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:408
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 208.67.222.222
  2⤵
  PID:4296
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:784
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 208.67.220.220
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2584
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3132
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3300
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 1.1.1.1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1244
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 117.50.11.11
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3684
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    PID:3344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 117.50.22.22
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1116
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 208.67.222.222
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3620
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:232
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 208.67.220.220
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1332
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 8.8.8.8
  2⤵
  PID:3736
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 8.8.8.8
    3⤵
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 1.1.1.1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:672
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 117.50.11.11
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4792
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    PID:2056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 117.50.22.22
  2⤵
  - System Location Discovery: System Language Discovery
  PID:468
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4608
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 208.67.222.222
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2912
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 208.67.220.220
  2⤵
  PID:4856
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3776
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1684
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 1.1.1.1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4140
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3152
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 117.50.11.11
  2⤵
  PID:2420
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 117.50.22.22
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4756
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 208.67.222.222
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3640
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    PID:4264
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 208.67.220.220
  2⤵
  PID:3348
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1412
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1920
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2364
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 1.1.1.1
  2⤵
  PID:4908
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1128
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 117.50.11.11
  2⤵
  PID:540
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2332
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 117.50.22.22
  2⤵
  PID:4860
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3380
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 208.67.222.222
  2⤵
  PID:1352
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    PID:1052
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 208.67.220.220
  2⤵
  PID:4876
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    PID:4412
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.kingminer.club 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:624
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.kingminer.club 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2340
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.kingminer.club 1.1.1.1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4888
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.kingminer.club 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.kingminer.club 117.50.11.11
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4636
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.kingminer.club 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.kingminer.club 117.50.22.22
  2⤵
  PID:3088
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.kingminer.club 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    PID:4608
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.kingminer.club 208.67.222.222
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.kingminer.club 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\taikbuke\uyujkze.exe

Filesize
12.5MB

MD5
af274314ec2c76e064a09ff9a2ebbeac

SHA1
05c07b454ca7f2744b4702b23d76fd9fbc90ebc3

SHA256
c411ce6b7dff30cf83d0c46de260096aa5d368c1016ad2ad4dc5faf7c0439246

SHA512
22b67c9c221c8b7b4f1a343a649edd07f86c1edb26dc2083da552508125d9d531150c805aa68c983d573fcab517b18f1d551c0581fa293e54861d44a8f9239df

Download Submit
memory/2596-8-0x0000000000400000-0x0000000000A6E000-memory.dmp

Filesize
6.4MB

Download
memory/2908-0-0x0000000000400000-0x0000000000A6E000-memory.dmp

Filesize
6.4MB

Download
memory/2908-4-0x0000000000400000-0x0000000000A6E000-memory.dmp

Filesize
6.4MB

Download