blackmoon | 8a78119ad7cb6dd727bcccf9ffb7bcaf8a95a895bf5d73d6737b4d9763d16d69

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-03_c6027df3abfdbfe21d6bb6cc6254e9c7_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Size

11.3MB
MD5

c6027df3abfdbfe21d6bb6cc6254e9c7
SHA1

935cfc096554a246fc8f60915469df1feb3f724b
SHA256

8a78119ad7cb6dd727bcccf9ffb7bcaf8a95a895bf5d73d6737b4d9763d16d69
SHA512

d246a732b08463781d8762cfb308312e73b36adb01b7d95dd686c1c4caa51fded5db92d4c980d4b09e61a1091fdb01221895786c929784f21ef9089f76c9ca6e
SSDEEP

196608:9EaOk2c1uwl1CPwDv3uFhi43v13uFnCPws8S/VW08Sr8lQeY3YKmknGzwHIPHd9H:95nEwl1CPwDv3uFY43v13uFnCPwa/VWH

Score

10^/10

blackmoon mimikatz banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

resource	yara_rule
behavioral1/memory/3020-0-0x0000000000400000-0x0000000000CEB000-memory.dmp	family_blackmoon
behavioral1/memory/3020-4-0x0000000000400000-0x0000000000CEB000-memory.dmp	family_blackmoon
behavioral1/files/0x000b000000023ff7-6.dat	family_blackmoon
behavioral1/memory/3148-8-0x0000000000400000-0x0000000000CEB000-memory.dmp	family_blackmoon
behavioral1/memory/1568-18-0x0000000000400000-0x0000000000466000-memory.dmp	family_blackmoon

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 4 IoCs

resource	yara_rule
behavioral1/memory/3020-0-0x0000000000400000-0x0000000000CEB000-memory.dmp	mimikatz
behavioral1/memory/3020-4-0x0000000000400000-0x0000000000CEB000-memory.dmp	mimikatz
behavioral1/files/0x000b000000023ff7-6.dat	mimikatz
behavioral1/memory/3148-8-0x0000000000400000-0x0000000000CEB000-memory.dmp	mimikatz

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ygbgbck.exe

Executes dropped EXE 3 IoCs

pid	Process
3148	ygbgbck.exe
1392	ygbgbck.exe
1568	auzowleaxqrkzap25471.exe

Unexpected DNS network traffic destination 60 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	136	142.4.205.47	1184	nslookup.exe
Destination IP	32	161.97.219.84	116	nslookup.exe
Destination IP	74	94.103.153.176	4904	nslookup.exe
Destination IP	87	188.226.146.136	4188	nslookup.exe
Destination IP	106	79.124.7.81	3552	nslookup.exe
Destination IP	114	13.239.157.177	64	nslookup.exe
Destination IP	138	198.100.148.224	1336	nslookup.exe
Destination IP	148	66.70.228.164	4836	nslookup.exe
Destination IP	152	185.84.81.194	1908	nslookup.exe
Destination IP	62	94.103.153.176	4904	nslookup.exe
Destination IP	121	207.148.83.241	1812	nslookup.exe
Destination IP	153	185.84.81.194	1908	nslookup.exe
Destination IP	108	144.76.103.143	3088	nslookup.exe
Destination IP	78	178.63.116.152	1996	nslookup.exe
Destination IP	125	207.148.83.241	1812	nslookup.exe
Destination IP	126	165.227.40.43	844	nslookup.exe
Destination IP	149	66.70.228.164	4836	nslookup.exe
Destination IP	85	51.77.227.84	4732	nslookup.exe
Destination IP	130	142.4.204.111	2396	nslookup.exe
Destination IP	132	142.4.204.111	2396	nslookup.exe
Destination IP	150	51.254.25.115	948	nslookup.exe
Destination IP	75	207.192.71.13	3860	nslookup.exe
Destination IP	128	165.227.40.43	844	nslookup.exe
Destination IP	141	198.100.148.224	1336	nslookup.exe
Destination IP	33	161.97.219.84	116	nslookup.exe
Destination IP	49	163.172.168.171	972	nslookup.exe
Destination IP	82	178.63.116.152	1996	nslookup.exe
Destination IP	103	51.75.173.177	4656	nslookup.exe
Destination IP	118	13.239.157.177	64	nslookup.exe
Destination IP	142	159.203.38.175	5036	nslookup.exe
Destination IP	146	66.70.228.164	4836	nslookup.exe
Destination IP	100	51.75.173.177	4656	nslookup.exe
Destination IP	107	79.124.7.81	3552	nslookup.exe
Destination IP	81	178.63.116.152	1996	nslookup.exe
Destination IP	88	188.226.146.136	4188	nslookup.exe
Destination IP	89	188.226.146.136	4188	nslookup.exe
Destination IP	111	144.76.103.143	3088	nslookup.exe
Destination IP	117	13.239.157.177	64	nslookup.exe
Destination IP	124	207.148.83.241	1812	nslookup.exe
Destination IP	144	159.203.38.175	5036	nslookup.exe
Destination IP	145	159.203.38.175	5036	nslookup.exe
Destination IP	31	161.97.219.84	116	nslookup.exe
Destination IP	104	79.124.7.81	3552	nslookup.exe
Destination IP	41	163.172.168.171	972	nslookup.exe
Destination IP	54	163.172.168.171	972	nslookup.exe
Destination IP	76	207.192.71.13	3860	nslookup.exe
Destination IP	77	207.192.71.13	3860	nslookup.exe
Destination IP	102	51.75.173.177	4656	nslookup.exe
Destination IP	151	51.254.25.115	948	nslookup.exe
Destination IP	86	51.77.227.84	4732	nslookup.exe
Destination IP	134	142.4.205.47	1184	nslookup.exe
Destination IP	110	144.76.103.143	3088	nslookup.exe
Destination IP	112	5.132.191.104	1072	nslookup.exe
Destination IP	129	165.227.40.43	844	nslookup.exe
Destination IP	137	142.4.205.47	1184	nslookup.exe
Destination IP	140	198.100.148.224	1336	nslookup.exe
Destination IP	73	94.103.153.176	4904	nslookup.exe
Destination IP	83	51.77.227.84	4732	nslookup.exe
Destination IP	113	5.132.191.104	1072	nslookup.exe
Destination IP	133	142.4.204.111	2396	nslookup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d000000023f32-16.dat	upx
behavioral1/memory/1568-15-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1568-18-0x0000000000400000-0x0000000000466000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\giupekdq\ygbgbck.exe	2025-04-03_c6027df3abfdbfe21d6bb6cc6254e9c7_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
File created	C:\Windows\giupekdq\auzowleaxqrkzap25471.exe	ygbgbck.exe
File created	C:\Windows\giupekdq\ygbgbck.exe	2025-04-03_c6027df3abfdbfe21d6bb6cc6254e9c7_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe

System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_c6027df3abfdbfe21d6bb6cc6254e9c7_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ygbgbck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ygbgbck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4820	cmd.exe
1936	PING.EXE

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x000b000000023ff7-6.dat	nsis_installer_2

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1936	PING.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe
1568	auzowleaxqrkzap25471.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3020	2025-04-03_c6027df3abfdbfe21d6bb6cc6254e9c7_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	2025-04-03_c6027df3abfdbfe21d6bb6cc6254e9c7_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Token: SeDebugPrivilege	3148	ygbgbck.exe
Token: SeDebugPrivilege	1392	ygbgbck.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3020	2025-04-03_c6027df3abfdbfe21d6bb6cc6254e9c7_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
3148	ygbgbck.exe
1392	ygbgbck.exe
1568	auzowleaxqrkzap25471.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 4820	3020	2025-04-03_c6027df3abfdbfe21d6bb6cc6254e9c7_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	87
PID 3020 wrote to memory of 4820	3020	2025-04-03_c6027df3abfdbfe21d6bb6cc6254e9c7_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	87
PID 3020 wrote to memory of 4820	3020	2025-04-03_c6027df3abfdbfe21d6bb6cc6254e9c7_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	87
PID 4820 wrote to memory of 1936	4820	cmd.exe	90
PID 4820 wrote to memory of 1936	4820	cmd.exe	90
PID 4820 wrote to memory of 1936	4820	cmd.exe	90
PID 4820 wrote to memory of 3148	4820	cmd.exe	97
PID 4820 wrote to memory of 3148	4820	cmd.exe	97
PID 4820 wrote to memory of 3148	4820	cmd.exe	97
PID 1392 wrote to memory of 1568	1392	ygbgbck.exe	99
PID 1392 wrote to memory of 1568	1392	ygbgbck.exe	99
PID 1392 wrote to memory of 1568	1392	ygbgbck.exe	99
PID 1392 wrote to memory of 5036	1392	ygbgbck.exe	100
PID 1392 wrote to memory of 5036	1392	ygbgbck.exe	100
PID 1392 wrote to memory of 5036	1392	ygbgbck.exe	100
PID 5036 wrote to memory of 116	5036	cmd.exe	102
PID 5036 wrote to memory of 116	5036	cmd.exe	102
PID 5036 wrote to memory of 116	5036	cmd.exe	102
PID 1392 wrote to memory of 592	1392	ygbgbck.exe	106
PID 1392 wrote to memory of 592	1392	ygbgbck.exe	106
PID 1392 wrote to memory of 592	1392	ygbgbck.exe	106
PID 592 wrote to memory of 972	592	cmd.exe	108
PID 592 wrote to memory of 972	592	cmd.exe	108
PID 592 wrote to memory of 972	592	cmd.exe	108
PID 1392 wrote to memory of 1484	1392	ygbgbck.exe	112
PID 1392 wrote to memory of 1484	1392	ygbgbck.exe	112
PID 1392 wrote to memory of 1484	1392	ygbgbck.exe	112
PID 1484 wrote to memory of 4904	1484	cmd.exe	114
PID 1484 wrote to memory of 4904	1484	cmd.exe	114
PID 1484 wrote to memory of 4904	1484	cmd.exe	114
PID 1392 wrote to memory of 4156	1392	ygbgbck.exe	121
PID 1392 wrote to memory of 4156	1392	ygbgbck.exe	121
PID 1392 wrote to memory of 4156	1392	ygbgbck.exe	121
PID 4156 wrote to memory of 3860	4156	cmd.exe	123
PID 4156 wrote to memory of 3860	4156	cmd.exe	123
PID 4156 wrote to memory of 3860	4156	cmd.exe	123
PID 1392 wrote to memory of 1904	1392	ygbgbck.exe	124
PID 1392 wrote to memory of 1904	1392	ygbgbck.exe	124
PID 1392 wrote to memory of 1904	1392	ygbgbck.exe	124
PID 1904 wrote to memory of 1996	1904	cmd.exe	126
PID 1904 wrote to memory of 1996	1904	cmd.exe	126
PID 1904 wrote to memory of 1996	1904	cmd.exe	126
PID 1392 wrote to memory of 4440	1392	ygbgbck.exe	127
PID 1392 wrote to memory of 4440	1392	ygbgbck.exe	127
PID 1392 wrote to memory of 4440	1392	ygbgbck.exe	127
PID 4440 wrote to memory of 4732	4440	cmd.exe	129
PID 4440 wrote to memory of 4732	4440	cmd.exe	129
PID 4440 wrote to memory of 4732	4440	cmd.exe	129
PID 1392 wrote to memory of 1988	1392	ygbgbck.exe	130
PID 1392 wrote to memory of 1988	1392	ygbgbck.exe	130
PID 1392 wrote to memory of 1988	1392	ygbgbck.exe	130
PID 1988 wrote to memory of 4188	1988	cmd.exe	132
PID 1988 wrote to memory of 4188	1988	cmd.exe	132
PID 1988 wrote to memory of 4188	1988	cmd.exe	132
PID 1392 wrote to memory of 4348	1392	ygbgbck.exe	134
PID 1392 wrote to memory of 4348	1392	ygbgbck.exe	134
PID 1392 wrote to memory of 4348	1392	ygbgbck.exe	134
PID 4348 wrote to memory of 4656	4348	cmd.exe	136
PID 4348 wrote to memory of 4656	4348	cmd.exe	136
PID 4348 wrote to memory of 4656	4348	cmd.exe	136
PID 1392 wrote to memory of 468	1392	ygbgbck.exe	137
PID 1392 wrote to memory of 468	1392	ygbgbck.exe	137
PID 1392 wrote to memory of 468	1392	ygbgbck.exe	137
PID 468 wrote to memory of 3552	468	cmd.exe	139

C:\Users\Admin\AppData\Local\Temp\2025-04-03_c6027df3abfdbfe21d6bb6cc6254e9c7_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-03_c6027df3abfdbfe21d6bb6cc6254e9c7_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\giupekdq\ygbgbck.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1936
- - C:\Windows\giupekdq\ygbgbck.exe
    C:\Windows\giupekdq\ygbgbck.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3148

C:\Windows\giupekdq\ygbgbck.exe
C:\Windows\giupekdq\ygbgbck.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\giupekdq\auzowleaxqrkzap25471.exe
  C:\Windows\giupekdq\auzowleaxqrkzap25471.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 161.97.219.84
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 161.97.219.84
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 163.172.168.171
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 163.172.168.171
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:972
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 94.103.153.176
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 94.103.153.176
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 207.192.71.13
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 207.192.71.13
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 178.63.116.152
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 178.63.116.152
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 51.77.227.84
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 51.77.227.84
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 188.226.146.136
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 188.226.146.136
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 51.75.173.177
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 51.75.173.177
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 79.124.7.81
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 79.124.7.81
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3552
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 144.76.103.143
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3176
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 144.76.103.143
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 5.132.191.104
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4376
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 5.132.191.104
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1072
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 13.239.157.177
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1496
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 13.239.157.177
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:64
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 207.148.83.241
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4824
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 207.148.83.241
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 165.227.40.43
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3564
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 165.227.40.43
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 142.4.204.111
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3148
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 142.4.204.111
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 142.4.205.47
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4464
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 142.4.205.47
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 198.100.148.224
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4156
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 198.100.148.224
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1336
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 159.203.38.175
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4648
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 159.203.38.175
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 66.70.228.164
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3604
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 66.70.228.164
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 51.254.25.115
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2156
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 51.254.25.115
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:948
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 185.84.81.194
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3248
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 185.84.81.194
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\giupekdq\auzowleaxqrkzap25471.exe

Filesize
69KB

MD5
8a761ad0a469caa921b8a1bdb989b9d1

SHA1
4584c31d116e15f402cc17122edd304eb6c95b2e

SHA256
875abc09f1abc43dfcc8a9c2a5e541c9a8bcaf33a4e8faa20c58947f8c8b56fa

SHA512
d2e541a9a245ea883b54e06583c5db4532e042e333f633e9dc20a1fd5d8d11c46a283274bcde0f972234a63f95e518a27da50f34a1899d88a398bbeb76cb371f

Download Submit
C:\Windows\giupekdq\ygbgbck.exe

Filesize
11.4MB

MD5
b0ca6fc4cc06843df141dcc18f03bc17

SHA1
4d3c246b9e3c3f07aaba514a0d5440d705972e81

SHA256
57fdea933806a17363a71327ec497fc4b634a123ff27d67233bd75b618ca7eb9

SHA512
6200485e421fb46710ec318b7dfd4e6843f224b3f68d1c23fa446ee0ea3e29b7e8cd3c074d947f34246ab5ca32705a3074036ce5c9a479a8e335affc707c12cf

Download Submit
memory/1568-15-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1568-18-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3020-0-0x0000000000400000-0x0000000000CEB000-memory.dmp

Filesize
8.9MB

Download
memory/3020-4-0x0000000000400000-0x0000000000CEB000-memory.dmp

Filesize
8.9MB

Download
memory/3148-8-0x0000000000400000-0x0000000000CEB000-memory.dmp

Filesize
8.9MB

Download