blackmoon | a0845820dbe245ab0c6e1fce93d8b845fed849e392f80e94387e287407f413e8

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-03_4b8ad282bc117ed1009571fc9864ee27_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Size

11.5MB
MD5

4b8ad282bc117ed1009571fc9864ee27
SHA1

02236728c141950819b9597fdea93488c8795bb6
SHA256

a0845820dbe245ab0c6e1fce93d8b845fed849e392f80e94387e287407f413e8
SHA512

0f2d343e1a7f0a03d53320479d97b5a487c5d0e3e8af41a686df534361455c09ac843489f622fa206789be00dbaa4e01ba978a18eeaa8ce0fd97307233acee6f
SSDEEP

196608:9EaOk2c1uwl1CPwDv3uFhi43v13uFnCPws8S/VW08Sr8lQeY3YKmknGzwHIPHd9H:95nEwl1CPwDv3uFY43v13uFnCPwa/VWH

Score

10^/10

blackmoon mimikatz banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 6 IoCs

resource	yara_rule
behavioral1/memory/3624-0-0x0000000000400000-0x0000000000CEB000-memory.dmp	family_blackmoon
behavioral1/memory/3624-4-0x0000000000400000-0x0000000000CEB000-memory.dmp	family_blackmoon
behavioral1/files/0x00070000000241fb-6.dat	family_blackmoon
behavioral1/memory/560-8-0x0000000000400000-0x0000000000CEB000-memory.dmp	family_blackmoon
behavioral1/memory/3280-16-0x0000000000400000-0x0000000000466000-memory.dmp	family_blackmoon
behavioral1/memory/3280-18-0x0000000000400000-0x0000000000466000-memory.dmp	family_blackmoon

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 4 IoCs

resource	yara_rule
behavioral1/memory/3624-0-0x0000000000400000-0x0000000000CEB000-memory.dmp	mimikatz
behavioral1/memory/3624-4-0x0000000000400000-0x0000000000CEB000-memory.dmp	mimikatz
behavioral1/files/0x00070000000241fb-6.dat	mimikatz
behavioral1/memory/560-8-0x0000000000400000-0x0000000000CEB000-memory.dmp	mimikatz

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	evwbcem.exe

Executes dropped EXE 3 IoCs

pid	Process
560	evwbcem.exe
1316	evwbcem.exe
3280	dxodefffnoopqqr14357.exe

Unexpected DNS network traffic destination 60 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	43	163.172.168.171	6084	nslookup.exe
Destination IP	84	178.63.116.152	5688	nslookup.exe
Destination IP	109	79.124.7.81	4644	nslookup.exe
Destination IP	111	144.76.103.143	2324	nslookup.exe
Destination IP	113	144.76.103.143	2324	nslookup.exe
Destination IP	132	142.4.204.111	5984	nslookup.exe
Destination IP	144	159.203.38.175	1428	nslookup.exe
Destination IP	154	185.84.81.194	6020	nslookup.exe
Destination IP	59	94.103.153.176	3480	nslookup.exe
Destination IP	83	178.63.116.152	5688	nslookup.exe
Destination IP	88	51.77.227.84	5940	nslookup.exe
Destination IP	91	188.226.146.136	5300	nslookup.exe
Destination IP	76	94.103.153.176	3480	nslookup.exe
Destination IP	77	207.192.71.13	1916	nslookup.exe
Destination IP	117	13.239.157.177	1780	nslookup.exe
Destination IP	103	51.75.173.177	4404	nslookup.exe
Destination IP	120	13.239.157.177	1780	nslookup.exe
Destination IP	131	165.227.40.43	5472	nslookup.exe
Destination IP	136	142.4.205.47	4540	nslookup.exe
Destination IP	152	51.254.25.115	1416	nslookup.exe
Destination IP	79	207.192.71.13	1916	nslookup.exe
Destination IP	87	51.77.227.84	5940	nslookup.exe
Destination IP	114	144.76.103.143	2324	nslookup.exe
Destination IP	122	207.148.83.241	3800	nslookup.exe
Destination IP	139	142.4.205.47	4540	nslookup.exe
Destination IP	151	66.70.228.164	5904	nslookup.exe
Destination IP	107	79.124.7.81	4644	nslookup.exe
Destination IP	110	79.124.7.81	4644	nslookup.exe
Destination IP	115	5.132.191.104	5556	nslookup.exe
Destination IP	45	163.172.168.171	6084	nslookup.exe
Destination IP	78	207.192.71.13	1916	nslookup.exe
Destination IP	124	207.148.83.241	3800	nslookup.exe
Destination IP	150	66.70.228.164	5904	nslookup.exe
Destination IP	75	94.103.153.176	3480	nslookup.exe
Destination IP	90	188.226.146.136	5300	nslookup.exe
Destination IP	105	51.75.173.177	4404	nslookup.exe
Destination IP	128	165.227.40.43	5472	nslookup.exe
Destination IP	130	165.227.40.43	5472	nslookup.exe
Destination IP	34	161.97.219.84	6108	nslookup.exe
Destination IP	55	163.172.168.171	6084	nslookup.exe
Destination IP	121	13.239.157.177	1780	nslookup.exe
Destination IP	142	198.100.148.224	3788	nslookup.exe
Destination IP	106	51.75.173.177	4404	nslookup.exe
Destination IP	148	66.70.228.164	5904	nslookup.exe
Destination IP	147	159.203.38.175	1428	nslookup.exe
Destination IP	35	161.97.219.84	6108	nslookup.exe
Destination IP	134	142.4.204.111	5984	nslookup.exe
Destination IP	140	198.100.148.224	3788	nslookup.exe
Destination IP	127	207.148.83.241	3800	nslookup.exe
Destination IP	143	198.100.148.224	3788	nslookup.exe
Destination IP	153	51.254.25.115	1416	nslookup.exe
Destination IP	85	51.77.227.84	5940	nslookup.exe
Destination IP	116	5.132.191.104	5556	nslookup.exe
Destination IP	135	142.4.204.111	5984	nslookup.exe
Destination IP	80	178.63.116.152	5688	nslookup.exe
Destination IP	89	188.226.146.136	5300	nslookup.exe
Destination IP	138	142.4.205.47	4540	nslookup.exe
Destination IP	157	185.84.81.194	6020	nslookup.exe
Destination IP	33	161.97.219.84	6108	nslookup.exe
Destination IP	146	159.203.38.175	1428	nslookup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000024214-14.dat	upx
behavioral1/memory/3280-16-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/3280-18-0x0000000000400000-0x0000000000466000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\qtzvtesi\evwbcem.exe	2025-04-03_4b8ad282bc117ed1009571fc9864ee27_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
File opened for modification	C:\Windows\qtzvtesi\evwbcem.exe	2025-04-03_4b8ad282bc117ed1009571fc9864ee27_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
File created	C:\Windows\qtzvtesi\dxodefffnoopqqr14357.exe	evwbcem.exe

System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evwbcem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evwbcem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_4b8ad282bc117ed1009571fc9864ee27_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1668	cmd.exe
1836	PING.EXE

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x00070000000241fb-6.dat	nsis_installer_2

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1836	PING.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe
3280	dxodefffnoopqqr14357.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3624	2025-04-03_4b8ad282bc117ed1009571fc9864ee27_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3624	2025-04-03_4b8ad282bc117ed1009571fc9864ee27_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Token: SeDebugPrivilege	560	evwbcem.exe
Token: SeDebugPrivilege	1316	evwbcem.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3624	2025-04-03_4b8ad282bc117ed1009571fc9864ee27_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
560	evwbcem.exe
1316	evwbcem.exe
3280	dxodefffnoopqqr14357.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 1668	3624	2025-04-03_4b8ad282bc117ed1009571fc9864ee27_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	85
PID 3624 wrote to memory of 1668	3624	2025-04-03_4b8ad282bc117ed1009571fc9864ee27_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	85
PID 3624 wrote to memory of 1668	3624	2025-04-03_4b8ad282bc117ed1009571fc9864ee27_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	85
PID 1668 wrote to memory of 1836	1668	cmd.exe	87
PID 1668 wrote to memory of 1836	1668	cmd.exe	87
PID 1668 wrote to memory of 1836	1668	cmd.exe	87
PID 1668 wrote to memory of 560	1668	cmd.exe	96
PID 1668 wrote to memory of 560	1668	cmd.exe	96
PID 1668 wrote to memory of 560	1668	cmd.exe	96
PID 1316 wrote to memory of 3280	1316	evwbcem.exe	98
PID 1316 wrote to memory of 3280	1316	evwbcem.exe	98
PID 1316 wrote to memory of 3280	1316	evwbcem.exe	98
PID 1316 wrote to memory of 4116	1316	evwbcem.exe	99
PID 1316 wrote to memory of 4116	1316	evwbcem.exe	99
PID 1316 wrote to memory of 4116	1316	evwbcem.exe	99
PID 4116 wrote to memory of 6108	4116	cmd.exe	101
PID 4116 wrote to memory of 6108	4116	cmd.exe	101
PID 4116 wrote to memory of 6108	4116	cmd.exe	101
PID 1316 wrote to memory of 2768	1316	evwbcem.exe	105
PID 1316 wrote to memory of 2768	1316	evwbcem.exe	105
PID 1316 wrote to memory of 2768	1316	evwbcem.exe	105
PID 2768 wrote to memory of 6084	2768	cmd.exe	107
PID 2768 wrote to memory of 6084	2768	cmd.exe	107
PID 2768 wrote to memory of 6084	2768	cmd.exe	107
PID 1316 wrote to memory of 1756	1316	evwbcem.exe	110
PID 1316 wrote to memory of 1756	1316	evwbcem.exe	110
PID 1316 wrote to memory of 1756	1316	evwbcem.exe	110
PID 1756 wrote to memory of 3480	1756	cmd.exe	112
PID 1756 wrote to memory of 3480	1756	cmd.exe	112
PID 1756 wrote to memory of 3480	1756	cmd.exe	112
PID 1316 wrote to memory of 5832	1316	evwbcem.exe	116
PID 1316 wrote to memory of 5832	1316	evwbcem.exe	116
PID 1316 wrote to memory of 5832	1316	evwbcem.exe	116
PID 5832 wrote to memory of 1916	5832	cmd.exe	118
PID 5832 wrote to memory of 1916	5832	cmd.exe	118
PID 5832 wrote to memory of 1916	5832	cmd.exe	118
PID 1316 wrote to memory of 1944	1316	evwbcem.exe	119
PID 1316 wrote to memory of 1944	1316	evwbcem.exe	119
PID 1316 wrote to memory of 1944	1316	evwbcem.exe	119
PID 1944 wrote to memory of 5688	1944	cmd.exe	121
PID 1944 wrote to memory of 5688	1944	cmd.exe	121
PID 1944 wrote to memory of 5688	1944	cmd.exe	121
PID 1316 wrote to memory of 3364	1316	evwbcem.exe	126
PID 1316 wrote to memory of 3364	1316	evwbcem.exe	126
PID 1316 wrote to memory of 3364	1316	evwbcem.exe	126
PID 3364 wrote to memory of 5940	3364	cmd.exe	128
PID 3364 wrote to memory of 5940	3364	cmd.exe	128
PID 3364 wrote to memory of 5940	3364	cmd.exe	128
PID 1316 wrote to memory of 5420	1316	evwbcem.exe	129
PID 1316 wrote to memory of 5420	1316	evwbcem.exe	129
PID 1316 wrote to memory of 5420	1316	evwbcem.exe	129
PID 5420 wrote to memory of 5300	5420	cmd.exe	131
PID 5420 wrote to memory of 5300	5420	cmd.exe	131
PID 5420 wrote to memory of 5300	5420	cmd.exe	131
PID 1316 wrote to memory of 440	1316	evwbcem.exe	133
PID 1316 wrote to memory of 440	1316	evwbcem.exe	133
PID 1316 wrote to memory of 440	1316	evwbcem.exe	133
PID 440 wrote to memory of 4404	440	cmd.exe	135
PID 440 wrote to memory of 4404	440	cmd.exe	135
PID 440 wrote to memory of 4404	440	cmd.exe	135
PID 1316 wrote to memory of 4440	1316	evwbcem.exe	136
PID 1316 wrote to memory of 4440	1316	evwbcem.exe	136
PID 1316 wrote to memory of 4440	1316	evwbcem.exe	136
PID 4440 wrote to memory of 4644	4440	cmd.exe	138

C:\Users\Admin\AppData\Local\Temp\2025-04-03_4b8ad282bc117ed1009571fc9864ee27_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-03_4b8ad282bc117ed1009571fc9864ee27_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\qtzvtesi\evwbcem.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1836
- - C:\Windows\qtzvtesi\evwbcem.exe
    C:\Windows\qtzvtesi\evwbcem.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:560

C:\Windows\qtzvtesi\evwbcem.exe
C:\Windows\qtzvtesi\evwbcem.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\qtzvtesi\dxodefffnoopqqr14357.exe
  C:\Windows\qtzvtesi\dxodefffnoopqqr14357.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3280
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 161.97.219.84
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 161.97.219.84
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:6108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 163.172.168.171
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 163.172.168.171
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:6084
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 94.103.153.176
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 94.103.153.176
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3480
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 207.192.71.13
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5832
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 207.192.71.13
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 178.63.116.152
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 178.63.116.152
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 51.77.227.84
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 51.77.227.84
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5940
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 188.226.146.136
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5420
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 188.226.146.136
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5300
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 51.75.173.177
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 51.75.173.177
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 79.124.7.81
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 79.124.7.81
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 144.76.103.143
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4656
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 144.76.103.143
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2324
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 5.132.191.104
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1700
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 5.132.191.104
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 13.239.157.177
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2504
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 13.239.157.177
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 207.148.83.241
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4900
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 207.148.83.241
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3800
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 165.227.40.43
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6136
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 165.227.40.43
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5472
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 142.4.204.111
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1920
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 142.4.204.111
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 142.4.205.47
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5428
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 142.4.205.47
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 198.100.148.224
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5796
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 198.100.148.224
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 159.203.38.175
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2032
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 159.203.38.175
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1428
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 66.70.228.164
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5872
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 66.70.228.164
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 51.254.25.115
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1468
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 51.254.25.115
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1416
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 185.84.81.194
  2⤵
  - System Location Discovery: System Language Discovery
  PID:368
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 185.84.81.194
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:6020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\qtzvtesi\dxodefffnoopqqr14357.exe

Filesize
69KB

MD5
8a761ad0a469caa921b8a1bdb989b9d1

SHA1
4584c31d116e15f402cc17122edd304eb6c95b2e

SHA256
875abc09f1abc43dfcc8a9c2a5e541c9a8bcaf33a4e8faa20c58947f8c8b56fa

SHA512
d2e541a9a245ea883b54e06583c5db4532e042e333f633e9dc20a1fd5d8d11c46a283274bcde0f972234a63f95e518a27da50f34a1899d88a398bbeb76cb371f

Download Submit
C:\Windows\qtzvtesi\evwbcem.exe

Filesize
11.5MB

MD5
8d51367bc4ef5dec5bbfde377ce77d40

SHA1
37553aace31f8015c3b20544b64094b88fd2fc16

SHA256
af27549d0bf2babc4d0a21d4494d665d0c521e2c2f5938fb9158f97e22e3ad39

SHA512
76ec70b7dc11e1f9d4ddb47a6993ae3021017cdc9c252d15ef83d41444af4a78366799ae48662f7ed8d9a3cbd70c8b3625ca746fc3182b60c058b8f6ed58e807

Download Submit
memory/560-8-0x0000000000400000-0x0000000000CEB000-memory.dmp

Filesize
8.9MB

Download
memory/3280-16-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3280-18-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3624-0-0x0000000000400000-0x0000000000CEB000-memory.dmp

Filesize
8.9MB

Download
memory/3624-4-0x0000000000400000-0x0000000000CEB000-memory.dmp

Filesize
8.9MB

Download