blackmoon | 4399a2654279a22422cba188b257f326994d12e2d0d91b93eb973acb8211fe84

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-03_224689f5be60110e26bc0e81d06381cb_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Size

11.4MB
MD5

224689f5be60110e26bc0e81d06381cb
SHA1

22095f5f117b25a03e0fb983f0dd733d8a0f4d07
SHA256

4399a2654279a22422cba188b257f326994d12e2d0d91b93eb973acb8211fe84
SHA512

7d12c77cd75bfd1b377ba4ed234486d07134e2debddb1598105d904794b969d6a04deefd1454a5c876af5e208a97e5f85a2d342b84f2bf2414a28aa3ae988f2d
SSDEEP

196608:9EaOk2c1uwl1CPwDv3uFhi43v13uFnCPws8S/VW08Sr8lQeY3YKmknGzwHIPHd93:95nEwl1CPwDv3uFY43v13uFnCPwa/VW5

Score

10^/10

blackmoon mimikatz banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

resource	yara_rule
behavioral1/memory/4068-0-0x0000000000400000-0x0000000000CEB000-memory.dmp	family_blackmoon
behavioral1/memory/4068-4-0x0000000000400000-0x0000000000CEB000-memory.dmp	family_blackmoon
behavioral1/files/0x00070000000241a4-6.dat	family_blackmoon
behavioral1/memory/3516-8-0x0000000000400000-0x0000000000CEB000-memory.dmp	family_blackmoon
behavioral1/memory/3008-17-0x0000000000400000-0x0000000000466000-memory.dmp	family_blackmoon

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 4 IoCs

resource	yara_rule
behavioral1/memory/4068-0-0x0000000000400000-0x0000000000CEB000-memory.dmp	mimikatz
behavioral1/memory/4068-4-0x0000000000400000-0x0000000000CEB000-memory.dmp	mimikatz
behavioral1/files/0x00070000000241a4-6.dat	mimikatz
behavioral1/memory/3516-8-0x0000000000400000-0x0000000000CEB000-memory.dmp	mimikatz

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	lygaqma.exe

Executes dropped EXE 3 IoCs

pid	Process
3516	lygaqma.exe
4572	lygaqma.exe
3008	prvdstiixybcwwq31802.exe

Unexpected DNS network traffic destination 60 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	133	142.4.205.47	1580	nslookup.exe
Destination IP	31	161.97.219.84	2484	nslookup.exe
Destination IP	98	51.75.173.177	4512	nslookup.exe
Destination IP	149	185.84.81.194	1944	nslookup.exe
Destination IP	76	178.63.116.152	2444	nslookup.exe
Destination IP	100	51.75.173.177	4512	nslookup.exe
Destination IP	101	51.75.173.177	4512	nslookup.exe
Destination IP	109	144.76.103.143	452	nslookup.exe
Destination IP	110	5.132.191.104	3192	nslookup.exe
Destination IP	121	207.148.83.241	3576	nslookup.exe
Destination IP	142	159.203.38.175	4396	nslookup.exe
Destination IP	147	51.254.25.115	4480	nslookup.exe
Destination IP	39	163.172.168.171	4688	nslookup.exe
Destination IP	55	207.192.71.13	3716	nslookup.exe
Destination IP	56	207.192.71.13	3716	nslookup.exe
Destination IP	123	165.227.40.43	544	nslookup.exe
Destination IP	108	144.76.103.143	452	nslookup.exe
Destination IP	138	198.100.148.224	1848	nslookup.exe
Destination IP	146	66.70.228.164	4184	nslookup.exe
Destination IP	143	66.70.228.164	4184	nslookup.exe
Destination IP	57	207.192.71.13	3716	nslookup.exe
Destination IP	105	79.124.7.81	3196	nslookup.exe
Destination IP	134	142.4.205.47	1580	nslookup.exe
Destination IP	116	13.239.157.177	4336	nslookup.exe
Destination IP	126	165.227.40.43	544	nslookup.exe
Destination IP	130	142.4.204.111	2976	nslookup.exe
Destination IP	135	198.100.148.224	1848	nslookup.exe
Destination IP	139	159.203.38.175	4396	nslookup.exe
Destination IP	32	161.97.219.84	2484	nslookup.exe
Destination IP	106	144.76.103.143	452	nslookup.exe
Destination IP	148	51.254.25.115	4480	nslookup.exe
Destination IP	141	159.203.38.175	4396	nslookup.exe
Destination IP	72	178.63.116.152	2444	nslookup.exe
Destination IP	30	161.97.219.84	2484	nslookup.exe
Destination IP	49	94.103.153.176	2920	nslookup.exe
Destination IP	84	51.77.227.84	1804	nslookup.exe
Destination IP	87	188.226.146.136	2500	nslookup.exe
Destination IP	112	13.239.157.177	4336	nslookup.exe
Destination IP	117	207.148.83.241	3576	nslookup.exe
Destination IP	150	185.84.81.194	1944	nslookup.exe
Destination IP	41	163.172.168.171	4688	nslookup.exe
Destination IP	81	51.77.227.84	1804	nslookup.exe
Destination IP	115	13.239.157.177	4336	nslookup.exe
Destination IP	127	142.4.204.111	2976	nslookup.exe
Destination IP	44	163.172.168.171	4688	nslookup.exe
Destination IP	46	94.103.153.176	2920	nslookup.exe
Destination IP	111	5.132.191.104	3192	nslookup.exe
Destination IP	122	207.148.83.241	3576	nslookup.exe
Destination IP	145	66.70.228.164	4184	nslookup.exe
Destination IP	102	79.124.7.81	3196	nslookup.exe
Destination IP	50	94.103.153.176	2920	nslookup.exe
Destination IP	85	188.226.146.136	2500	nslookup.exe
Destination IP	131	142.4.205.47	1580	nslookup.exe
Destination IP	137	198.100.148.224	1848	nslookup.exe
Destination IP	79	178.63.116.152	2444	nslookup.exe
Destination IP	83	51.77.227.84	1804	nslookup.exe
Destination IP	88	188.226.146.136	2500	nslookup.exe
Destination IP	104	79.124.7.81	3196	nslookup.exe
Destination IP	125	165.227.40.43	544	nslookup.exe
Destination IP	129	142.4.204.111	2976	nslookup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3008-15-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/files/0x0014000000023e95-16.dat	upx
behavioral1/memory/3008-17-0x0000000000400000-0x0000000000466000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\elsumzsu\lygaqma.exe	2025-04-03_224689f5be60110e26bc0e81d06381cb_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
File created	C:\Windows\elsumzsu\prvdstiixybcwwq31802.exe	lygaqma.exe
File created	C:\Windows\elsumzsu\lygaqma.exe	2025-04-03_224689f5be60110e26bc0e81d06381cb_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe

System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_224689f5be60110e26bc0e81d06381cb_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lygaqma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lygaqma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
556	cmd.exe
2132	PING.EXE

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x00070000000241a4-6.dat	nsis_installer_2

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2132	PING.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe
3008	prvdstiixybcwwq31802.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4068	2025-04-03_224689f5be60110e26bc0e81d06381cb_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4068	2025-04-03_224689f5be60110e26bc0e81d06381cb_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Token: SeDebugPrivilege	3516	lygaqma.exe
Token: SeDebugPrivilege	4572	lygaqma.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4068	2025-04-03_224689f5be60110e26bc0e81d06381cb_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
3516	lygaqma.exe
4572	lygaqma.exe
3008	prvdstiixybcwwq31802.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 556	4068	2025-04-03_224689f5be60110e26bc0e81d06381cb_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	86
PID 4068 wrote to memory of 556	4068	2025-04-03_224689f5be60110e26bc0e81d06381cb_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	86
PID 4068 wrote to memory of 556	4068	2025-04-03_224689f5be60110e26bc0e81d06381cb_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	86
PID 556 wrote to memory of 2132	556	cmd.exe	88
PID 556 wrote to memory of 2132	556	cmd.exe	88
PID 556 wrote to memory of 2132	556	cmd.exe	88
PID 556 wrote to memory of 3516	556	cmd.exe	97
PID 556 wrote to memory of 3516	556	cmd.exe	97
PID 556 wrote to memory of 3516	556	cmd.exe	97
PID 4572 wrote to memory of 3008	4572	lygaqma.exe	99
PID 4572 wrote to memory of 3008	4572	lygaqma.exe	99
PID 4572 wrote to memory of 3008	4572	lygaqma.exe	99
PID 4572 wrote to memory of 4460	4572	lygaqma.exe	100
PID 4572 wrote to memory of 4460	4572	lygaqma.exe	100
PID 4572 wrote to memory of 4460	4572	lygaqma.exe	100
PID 4460 wrote to memory of 2484	4460	cmd.exe	102
PID 4460 wrote to memory of 2484	4460	cmd.exe	102
PID 4460 wrote to memory of 2484	4460	cmd.exe	102
PID 4572 wrote to memory of 2596	4572	lygaqma.exe	106
PID 4572 wrote to memory of 2596	4572	lygaqma.exe	106
PID 4572 wrote to memory of 2596	4572	lygaqma.exe	106
PID 2596 wrote to memory of 4688	2596	cmd.exe	108
PID 2596 wrote to memory of 4688	2596	cmd.exe	108
PID 2596 wrote to memory of 4688	2596	cmd.exe	108
PID 4572 wrote to memory of 2008	4572	lygaqma.exe	110
PID 4572 wrote to memory of 2008	4572	lygaqma.exe	110
PID 4572 wrote to memory of 2008	4572	lygaqma.exe	110
PID 2008 wrote to memory of 2920	2008	cmd.exe	112
PID 2008 wrote to memory of 2920	2008	cmd.exe	112
PID 2008 wrote to memory of 2920	2008	cmd.exe	112
PID 4572 wrote to memory of 5008	4572	lygaqma.exe	115
PID 4572 wrote to memory of 5008	4572	lygaqma.exe	115
PID 4572 wrote to memory of 5008	4572	lygaqma.exe	115
PID 5008 wrote to memory of 3716	5008	cmd.exe	117
PID 5008 wrote to memory of 3716	5008	cmd.exe	117
PID 5008 wrote to memory of 3716	5008	cmd.exe	117
PID 4572 wrote to memory of 4552	4572	lygaqma.exe	120
PID 4572 wrote to memory of 4552	4572	lygaqma.exe	120
PID 4572 wrote to memory of 4552	4572	lygaqma.exe	120
PID 4552 wrote to memory of 2444	4552	cmd.exe	122
PID 4552 wrote to memory of 2444	4552	cmd.exe	122
PID 4552 wrote to memory of 2444	4552	cmd.exe	122
PID 4572 wrote to memory of 972	4572	lygaqma.exe	125
PID 4572 wrote to memory of 972	4572	lygaqma.exe	125
PID 4572 wrote to memory of 972	4572	lygaqma.exe	125
PID 972 wrote to memory of 1804	972	cmd.exe	127
PID 972 wrote to memory of 1804	972	cmd.exe	127
PID 972 wrote to memory of 1804	972	cmd.exe	127
PID 4572 wrote to memory of 636	4572	lygaqma.exe	129
PID 4572 wrote to memory of 636	4572	lygaqma.exe	129
PID 4572 wrote to memory of 636	4572	lygaqma.exe	129
PID 636 wrote to memory of 2500	636	cmd.exe	131
PID 636 wrote to memory of 2500	636	cmd.exe	131
PID 636 wrote to memory of 2500	636	cmd.exe	131
PID 4572 wrote to memory of 2388	4572	lygaqma.exe	133
PID 4572 wrote to memory of 2388	4572	lygaqma.exe	133
PID 4572 wrote to memory of 2388	4572	lygaqma.exe	133
PID 2388 wrote to memory of 4512	2388	cmd.exe	135
PID 2388 wrote to memory of 4512	2388	cmd.exe	135
PID 2388 wrote to memory of 4512	2388	cmd.exe	135
PID 4572 wrote to memory of 4220	4572	lygaqma.exe	136
PID 4572 wrote to memory of 4220	4572	lygaqma.exe	136
PID 4572 wrote to memory of 4220	4572	lygaqma.exe	136
PID 4220 wrote to memory of 3196	4220	cmd.exe	138

C:\Users\Admin\AppData\Local\Temp\2025-04-03_224689f5be60110e26bc0e81d06381cb_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-03_224689f5be60110e26bc0e81d06381cb_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\elsumzsu\lygaqma.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2132
- - C:\Windows\elsumzsu\lygaqma.exe
    C:\Windows\elsumzsu\lygaqma.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3516

C:\Windows\elsumzsu\lygaqma.exe
C:\Windows\elsumzsu\lygaqma.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Windows\elsumzsu\prvdstiixybcwwq31802.exe
  C:\Windows\elsumzsu\prvdstiixybcwwq31802.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 161.97.219.84
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 161.97.219.84
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 163.172.168.171
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 163.172.168.171
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 94.103.153.176
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 94.103.153.176
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 207.192.71.13
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 207.192.71.13
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 178.63.116.152
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 178.63.116.152
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2444
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 51.77.227.84
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 51.77.227.84
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 188.226.146.136
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 188.226.146.136
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2500
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 51.75.173.177
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 51.75.173.177
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4512
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 79.124.7.81
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 79.124.7.81
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3196
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 144.76.103.143
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2920
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 144.76.103.143
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:452
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 5.132.191.104
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4400
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 5.132.191.104
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3192
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 13.239.157.177
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4020
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 13.239.157.177
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4336
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 207.148.83.241
  2⤵
  - System Location Discovery: System Language Discovery
  PID:788
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 207.148.83.241
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3576
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 165.227.40.43
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3064
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 165.227.40.43
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:544
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 142.4.204.111
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3408
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 142.4.204.111
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 142.4.205.47
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1520
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 142.4.205.47
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 198.100.148.224
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5084
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 198.100.148.224
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1848
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 159.203.38.175
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2444
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 159.203.38.175
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 66.70.228.164
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1056
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 66.70.228.164
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4184
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 51.254.25.115
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1048
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 51.254.25.115
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4480
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 185.84.81.194
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1616
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 185.84.81.194
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\elsumzsu\lygaqma.exe

Filesize
11.5MB

MD5
7242a16e8fc2d71ff656aa57c54baf9e

SHA1
179d1aaa59e19d0243627b83d7a10166fdabd8c5

SHA256
37b9d43b17e4899f3f3b0529a6519329a9b02cee56020e6dacbd49e746ca396b

SHA512
f403ba833007fdaf26faabf27370d16957f69e4d53d33cd1a69532018235375247389f0f4cf20a7b93e7aecc30d49a3d50fa80574db2e3add5a8f3e0c5e40495

Download Submit
C:\Windows\elsumzsu\prvdstiixybcwwq31802.exe

Filesize
69KB

MD5
8a761ad0a469caa921b8a1bdb989b9d1

SHA1
4584c31d116e15f402cc17122edd304eb6c95b2e

SHA256
875abc09f1abc43dfcc8a9c2a5e541c9a8bcaf33a4e8faa20c58947f8c8b56fa

SHA512
d2e541a9a245ea883b54e06583c5db4532e042e333f633e9dc20a1fd5d8d11c46a283274bcde0f972234a63f95e518a27da50f34a1899d88a398bbeb76cb371f

Download Submit
memory/3008-15-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3008-17-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3516-8-0x0000000000400000-0x0000000000CEB000-memory.dmp

Filesize
8.9MB

Download
memory/4068-0-0x0000000000400000-0x0000000000CEB000-memory.dmp

Filesize
8.9MB

Download
memory/4068-4-0x0000000000400000-0x0000000000CEB000-memory.dmp

Filesize
8.9MB

Download