blackmoon | dd5783c7b3ee45e6da6f039ff63133e8a1d5f963f62852b2b2d2cbca55bfd74d

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-03_b2b54c597b2ba3396f0eb355048cc42a_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Size

11.5MB
MD5

b2b54c597b2ba3396f0eb355048cc42a
SHA1

8fa7fa3814d51b1172a1b365cbb001f762d1eb05
SHA256

dd5783c7b3ee45e6da6f039ff63133e8a1d5f963f62852b2b2d2cbca55bfd74d
SHA512

29438e853da2b8ecb8f7f616701fd579b4fa5832d692b1ba1ee21e9b76abe6ee57c2ebe4ac6e6507d7731fd4ee45b4553b393689342c2c56aa1e313158075393
SSDEEP

196608:9EaOk2c1uwl1CPwDv3uFhi43v13uFnCPws8S/VW08Sr8lQeY3YKmknGzwHIPHd9H:95nEwl1CPwDv3uFY43v13uFnCPwa/VWH

Score

10^/10

blackmoon mimikatz banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 6 IoCs

resource	yara_rule
behavioral1/memory/4760-0-0x0000000000400000-0x0000000000CEB000-memory.dmp	family_blackmoon
behavioral1/memory/4760-4-0x0000000000400000-0x0000000000CEB000-memory.dmp	family_blackmoon
behavioral1/files/0x00070000000240c3-6.dat	family_blackmoon
behavioral1/memory/2028-8-0x0000000000400000-0x0000000000CEB000-memory.dmp	family_blackmoon
behavioral1/memory/2324-16-0x0000000000400000-0x0000000000466000-memory.dmp	family_blackmoon
behavioral1/memory/2324-18-0x0000000000400000-0x0000000000466000-memory.dmp	family_blackmoon

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 4 IoCs

resource	yara_rule
behavioral1/memory/4760-0-0x0000000000400000-0x0000000000CEB000-memory.dmp	mimikatz
behavioral1/memory/4760-4-0x0000000000400000-0x0000000000CEB000-memory.dmp	mimikatz
behavioral1/files/0x00070000000240c3-6.dat	mimikatz
behavioral1/memory/2028-8-0x0000000000400000-0x0000000000CEB000-memory.dmp	mimikatz

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cbilyek.exe

Executes dropped EXE 3 IoCs

pid	Process
2028	cbilyek.exe
3924	cbilyek.exe
2324	izkxyayhbgtzyxd19494.exe

Unexpected DNS network traffic destination 63 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	32	161.97.219.84	4972	nslookup.exe
Destination IP	88	51.77.227.84	2200	nslookup.exe
Destination IP	140	198.100.148.224	2052	nslookup.exe
Destination IP	33	161.97.219.84	4972	nslookup.exe
Destination IP	147	66.70.228.164	1124	nslookup.exe
Destination IP	112	144.76.103.143	2556	nslookup.exe
Destination IP	141	159.203.38.175	1268	nslookup.exe
Destination IP	151	185.84.81.194	2712	nslookup.exe
Destination IP	159	89.40.116.230	1772	nslookup.exe
Destination IP	41	163.172.168.171	4472	nslookup.exe
Destination IP	58	94.103.153.176	4764	nslookup.exe
Destination IP	78	207.192.71.13	2992	nslookup.exe
Destination IP	97	51.75.173.177	4472	nslookup.exe
Destination IP	100	79.124.7.81	4704	nslookup.exe
Destination IP	129	142.4.204.111	3920	nslookup.exe
Destination IP	110	144.76.103.143	2556	nslookup.exe
Destination IP	96	51.75.173.177	4472	nslookup.exe
Destination IP	79	207.192.71.13	2992	nslookup.exe
Destination IP	89	51.77.227.84	2200	nslookup.exe
Destination IP	94	51.75.173.177	4472	nslookup.exe
Destination IP	137	198.100.148.224	2052	nslookup.exe
Destination IP	149	51.254.25.115	4364	nslookup.exe
Destination IP	144	159.203.38.175	1268	nslookup.exe
Destination IP	158	89.40.116.230	1772	nslookup.exe
Destination IP	109	79.124.7.81	4704	nslookup.exe
Destination IP	114	5.132.191.104	4824	nslookup.exe
Destination IP	128	165.227.40.43	4884	nslookup.exe
Destination IP	145	66.70.228.164	1124	nslookup.exe
Destination IP	80	178.63.116.152	4428	nslookup.exe
Destination IP	132	142.4.204.111	3920	nslookup.exe
Destination IP	133	142.4.205.47	4200	nslookup.exe
Destination IP	148	66.70.228.164	1124	nslookup.exe
Destination IP	121	207.148.83.241	456	nslookup.exe
Destination IP	31	161.97.219.84	4972	nslookup.exe
Destination IP	86	51.77.227.84	2200	nslookup.exe
Destination IP	113	144.76.103.143	2556	nslookup.exe
Destination IP	136	142.4.205.47	4200	nslookup.exe
Destination IP	143	159.203.38.175	1268	nslookup.exe
Destination IP	150	51.254.25.115	4364	nslookup.exe
Destination IP	84	178.63.116.152	4428	nslookup.exe
Destination IP	91	188.226.146.136	1032	nslookup.exe
Destination IP	116	13.239.157.177	644	nslookup.exe
Destination IP	135	142.4.205.47	4200	nslookup.exe
Destination IP	156	89.40.116.230	1772	nslookup.exe
Destination IP	85	178.63.116.152	4428	nslookup.exe
Destination IP	152	185.84.81.194	2712	nslookup.exe
Destination IP	53	163.172.168.171	4472	nslookup.exe
Destination IP	107	79.124.7.81	4704	nslookup.exe
Destination IP	115	5.132.191.104	4824	nslookup.exe
Destination IP	119	13.239.157.177	644	nslookup.exe
Destination IP	127	165.227.40.43	4884	nslookup.exe
Destination IP	131	142.4.204.111	3920	nslookup.exe
Destination IP	64	94.103.153.176	4764	nslookup.exe
Destination IP	90	188.226.146.136	1032	nslookup.exe
Destination IP	120	13.239.157.177	644	nslookup.exe
Destination IP	123	207.148.83.241	456	nslookup.exe
Destination IP	125	165.227.40.43	4884	nslookup.exe
Destination IP	45	163.172.168.171	4472	nslookup.exe
Destination IP	74	94.103.153.176	4764	nslookup.exe
Destination IP	77	207.192.71.13	2992	nslookup.exe
Destination IP	92	188.226.146.136	1032	nslookup.exe
Destination IP	124	207.148.83.241	456	nslookup.exe
Destination IP	139	198.100.148.224	2052	nslookup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000900000001da09-14.dat	upx
behavioral1/memory/2324-16-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2324-18-0x0000000000400000-0x0000000000466000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\nuzpvtcc\cbilyek.exe	2025-04-03_b2b54c597b2ba3396f0eb355048cc42a_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
File opened for modification	C:\Windows\nuzpvtcc\cbilyek.exe	2025-04-03_b2b54c597b2ba3396f0eb355048cc42a_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
File created	C:\Windows\nuzpvtcc\izkxyayhbgtzyxd19494.exe	cbilyek.exe

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbilyek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbilyek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_b2b54c597b2ba3396f0eb355048cc42a_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4016	cmd.exe
644	PING.EXE

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x00070000000240c3-6.dat	nsis_installer_2

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
644	PING.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe
2324	izkxyayhbgtzyxd19494.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4760	2025-04-03_b2b54c597b2ba3396f0eb355048cc42a_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	2025-04-03_b2b54c597b2ba3396f0eb355048cc42a_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Token: SeDebugPrivilege	2028	cbilyek.exe
Token: SeDebugPrivilege	3924	cbilyek.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4760	2025-04-03_b2b54c597b2ba3396f0eb355048cc42a_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
2028	cbilyek.exe
3924	cbilyek.exe
2324	izkxyayhbgtzyxd19494.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 4016	4760	2025-04-03_b2b54c597b2ba3396f0eb355048cc42a_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	87
PID 4760 wrote to memory of 4016	4760	2025-04-03_b2b54c597b2ba3396f0eb355048cc42a_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	87
PID 4760 wrote to memory of 4016	4760	2025-04-03_b2b54c597b2ba3396f0eb355048cc42a_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	87
PID 4016 wrote to memory of 644	4016	cmd.exe	89
PID 4016 wrote to memory of 644	4016	cmd.exe	89
PID 4016 wrote to memory of 644	4016	cmd.exe	89
PID 4016 wrote to memory of 2028	4016	cmd.exe	96
PID 4016 wrote to memory of 2028	4016	cmd.exe	96
PID 4016 wrote to memory of 2028	4016	cmd.exe	96
PID 3924 wrote to memory of 2324	3924	cbilyek.exe	98
PID 3924 wrote to memory of 2324	3924	cbilyek.exe	98
PID 3924 wrote to memory of 2324	3924	cbilyek.exe	98
PID 3924 wrote to memory of 2140	3924	cbilyek.exe	100
PID 3924 wrote to memory of 2140	3924	cbilyek.exe	100
PID 3924 wrote to memory of 2140	3924	cbilyek.exe	100
PID 2140 wrote to memory of 4972	2140	cmd.exe	102
PID 2140 wrote to memory of 4972	2140	cmd.exe	102
PID 2140 wrote to memory of 4972	2140	cmd.exe	102
PID 3924 wrote to memory of 1412	3924	cbilyek.exe	107
PID 3924 wrote to memory of 1412	3924	cbilyek.exe	107
PID 3924 wrote to memory of 1412	3924	cbilyek.exe	107
PID 1412 wrote to memory of 4472	1412	cmd.exe	109
PID 1412 wrote to memory of 4472	1412	cmd.exe	109
PID 1412 wrote to memory of 4472	1412	cmd.exe	109
PID 3924 wrote to memory of 2180	3924	cbilyek.exe	112
PID 3924 wrote to memory of 2180	3924	cbilyek.exe	112
PID 3924 wrote to memory of 2180	3924	cbilyek.exe	112
PID 2180 wrote to memory of 4764	2180	cmd.exe	114
PID 2180 wrote to memory of 4764	2180	cmd.exe	114
PID 2180 wrote to memory of 4764	2180	cmd.exe	114
PID 3924 wrote to memory of 1164	3924	cbilyek.exe	122
PID 3924 wrote to memory of 1164	3924	cbilyek.exe	122
PID 3924 wrote to memory of 1164	3924	cbilyek.exe	122
PID 1164 wrote to memory of 2992	1164	cmd.exe	124
PID 1164 wrote to memory of 2992	1164	cmd.exe	124
PID 1164 wrote to memory of 2992	1164	cmd.exe	124
PID 3924 wrote to memory of 1572	3924	cbilyek.exe	125
PID 3924 wrote to memory of 1572	3924	cbilyek.exe	125
PID 3924 wrote to memory of 1572	3924	cbilyek.exe	125
PID 1572 wrote to memory of 4428	1572	cmd.exe	127
PID 1572 wrote to memory of 4428	1572	cmd.exe	127
PID 1572 wrote to memory of 4428	1572	cmd.exe	127
PID 3924 wrote to memory of 4508	3924	cbilyek.exe	128
PID 3924 wrote to memory of 4508	3924	cbilyek.exe	128
PID 3924 wrote to memory of 4508	3924	cbilyek.exe	128
PID 4508 wrote to memory of 2200	4508	cmd.exe	130
PID 4508 wrote to memory of 2200	4508	cmd.exe	130
PID 4508 wrote to memory of 2200	4508	cmd.exe	130
PID 3924 wrote to memory of 1624	3924	cbilyek.exe	131
PID 3924 wrote to memory of 1624	3924	cbilyek.exe	131
PID 3924 wrote to memory of 1624	3924	cbilyek.exe	131
PID 1624 wrote to memory of 1032	1624	cmd.exe	133
PID 1624 wrote to memory of 1032	1624	cmd.exe	133
PID 1624 wrote to memory of 1032	1624	cmd.exe	133
PID 3924 wrote to memory of 4980	3924	cbilyek.exe	134
PID 3924 wrote to memory of 4980	3924	cbilyek.exe	134
PID 3924 wrote to memory of 4980	3924	cbilyek.exe	134
PID 4980 wrote to memory of 4472	4980	cmd.exe	136
PID 4980 wrote to memory of 4472	4980	cmd.exe	136
PID 4980 wrote to memory of 4472	4980	cmd.exe	136
PID 3924 wrote to memory of 4776	3924	cbilyek.exe	137
PID 3924 wrote to memory of 4776	3924	cbilyek.exe	137
PID 3924 wrote to memory of 4776	3924	cbilyek.exe	137
PID 4776 wrote to memory of 4704	4776	cmd.exe	139

C:\Users\Admin\AppData\Local\Temp\2025-04-03_b2b54c597b2ba3396f0eb355048cc42a_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-03_b2b54c597b2ba3396f0eb355048cc42a_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\nuzpvtcc\cbilyek.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:644
- - C:\Windows\nuzpvtcc\cbilyek.exe
    C:\Windows\nuzpvtcc\cbilyek.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2028

C:\Windows\nuzpvtcc\cbilyek.exe
C:\Windows\nuzpvtcc\cbilyek.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Windows\nuzpvtcc\izkxyayhbgtzyxd19494.exe
  C:\Windows\nuzpvtcc\izkxyayhbgtzyxd19494.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2324
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 161.97.219.84
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 161.97.219.84
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4972
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 163.172.168.171
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 163.172.168.171
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4472
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 94.103.153.176
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 94.103.153.176
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 207.192.71.13
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 207.192.71.13
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 178.63.116.152
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 178.63.116.152
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4428
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 51.77.227.84
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 51.77.227.84
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2200
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 188.226.146.136
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 188.226.146.136
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 51.75.173.177
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 51.75.173.177
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4472
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 79.124.7.81
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 79.124.7.81
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 144.76.103.143
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4836
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 144.76.103.143
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 5.132.191.104
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1696
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 5.132.191.104
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4824
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 13.239.157.177
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5048
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 13.239.157.177
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 207.148.83.241
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1584
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 207.148.83.241
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:456
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 165.227.40.43
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2028
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 165.227.40.43
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 142.4.204.111
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2692
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 142.4.204.111
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 142.4.205.47
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3272
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 142.4.205.47
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4200
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 198.100.148.224
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2992
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 198.100.148.224
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2052
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 159.203.38.175
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3696
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 159.203.38.175
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1268
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 66.70.228.164
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2708
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 66.70.228.164
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 51.254.25.115
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1624
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 51.254.25.115
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4364
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 185.84.81.194
  2⤵
  - System Location Discovery: System Language Discovery
  PID:384
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 185.84.81.194
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 89.40.116.230
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3404
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 89.40.116.230
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\nuzpvtcc\cbilyek.exe

Filesize
11.6MB

MD5
25d5f447489745b8d08a72e8368e629b

SHA1
bb48a955b43afe9a6fc69687dc1aee12cd81f9fe

SHA256
d54ede46e4caa23999b6b8aa0fc2fa3c1ab5e37c7350a20c4d5305747ca74818

SHA512
11db892f2095985500d2da8a28b1eb32a9e925923a711216e81a03187e20ddb1d89159a643cf80b9f1560bb47bd766955998f730dfc5b91c8596c087efc00178

Download Submit
C:\Windows\nuzpvtcc\izkxyayhbgtzyxd19494.exe

Filesize
69KB

MD5
8a761ad0a469caa921b8a1bdb989b9d1

SHA1
4584c31d116e15f402cc17122edd304eb6c95b2e

SHA256
875abc09f1abc43dfcc8a9c2a5e541c9a8bcaf33a4e8faa20c58947f8c8b56fa

SHA512
d2e541a9a245ea883b54e06583c5db4532e042e333f633e9dc20a1fd5d8d11c46a283274bcde0f972234a63f95e518a27da50f34a1899d88a398bbeb76cb371f

Download Submit
memory/2028-8-0x0000000000400000-0x0000000000CEB000-memory.dmp

Filesize
8.9MB

Download
memory/2324-16-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2324-18-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4760-0-0x0000000000400000-0x0000000000CEB000-memory.dmp

Filesize
8.9MB

Download
memory/4760-4-0x0000000000400000-0x0000000000CEB000-memory.dmp

Filesize
8.9MB

Download