blackmoon | acac7cc22d5f44bb386a48dd023c61e294012fee1ac8655403f093106e414685

Analysis

max time kernel
150s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
22/04/2025, 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Size

11.5MB
MD5

70d9a6b536a493fd7d595a0528cb45a0
SHA1

916464e96c1bd20dc2c313191bda72bcf98931c8
SHA256

acac7cc22d5f44bb386a48dd023c61e294012fee1ac8655403f093106e414685
SHA512

2ef2e9db626182018983aef0cb4308f35c4497b6784621c6c13099acc1fff0875b4b54b8b942e0c30a12710a54a6c0c5229f3af76ffc5a2c5109fc191858d764
SSDEEP

196608:9EaOk2c1uwl1CPwDv3uFhi43v13uFnCPws8S/VW08Sr8lQeY3YKmknGzwHIPHd9H:95nEwl1CPwDv3uFY43v13uFnCPwa/VWH

Score

10^/10

blackmoon mimikatz banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 6 IoCs

resource	yara_rule
behavioral2/memory/3184-0-0x0000000000400000-0x0000000000CEB000-memory.dmp	family_blackmoon
behavioral2/memory/3184-4-0x0000000000400000-0x0000000000CEB000-memory.dmp	family_blackmoon
behavioral2/files/0x001a00000002b14a-6.dat	family_blackmoon
behavioral2/memory/4892-8-0x0000000000400000-0x0000000000CEB000-memory.dmp	family_blackmoon
behavioral2/memory/940-16-0x0000000000400000-0x0000000000466000-memory.dmp	family_blackmoon
behavioral2/memory/940-18-0x0000000000400000-0x0000000000466000-memory.dmp	family_blackmoon

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 4 IoCs

resource	yara_rule
behavioral2/memory/3184-0-0x0000000000400000-0x0000000000CEB000-memory.dmp	mimikatz
behavioral2/memory/3184-4-0x0000000000400000-0x0000000000CEB000-memory.dmp	mimikatz
behavioral2/files/0x001a00000002b14a-6.dat	mimikatz
behavioral2/memory/4892-8-0x0000000000400000-0x0000000000CEB000-memory.dmp	mimikatz

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	eijregc.exe

Executes dropped EXE 3 IoCs

pid	Process
4892	eijregc.exe
1544	eijregc.exe
940	xojkuvpitefgzat10649.exe

Unexpected DNS network traffic destination 62 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	38	13.239.157.177	3660	nslookup.exe
Destination IP	64	185.84.81.194	1224	nslookup.exe
Destination IP	67	185.84.81.194	1224	nslookup.exe
Destination IP	60	66.70.228.164	1672	nslookup.exe
Destination IP	48	142.4.204.111	5604	nslookup.exe
Destination IP	57	159.203.38.175	2508	nslookup.exe
Destination IP	62	51.254.25.115	2524	nslookup.exe
Destination IP	66	185.84.81.194	1224	nslookup.exe
Destination IP	68	89.40.116.230	1576	nslookup.exe
Destination IP	54	198.100.148.224	4724	nslookup.exe
Destination IP	42	207.148.83.241	1484	nslookup.exe
Destination IP	45	165.227.40.43	4844	nslookup.exe
Destination IP	46	165.227.40.43	4844	nslookup.exe
Destination IP	56	159.203.38.175	2508	nslookup.exe
Destination IP	61	66.70.228.164	1672	nslookup.exe
Destination IP	16	178.63.116.152	4248	nslookup.exe
Destination IP	50	142.4.205.47	2100	nslookup.exe
Destination IP	15	207.192.71.13	4496	nslookup.exe
Destination IP	34	144.76.103.143	1944	nslookup.exe
Destination IP	44	165.227.40.43	4844	nslookup.exe
Destination IP	31	79.124.7.81	5036	nslookup.exe
Destination IP	4	161.97.219.84	1088	nslookup.exe
Destination IP	10	94.103.153.176	4380	nslookup.exe
Destination IP	11	94.103.153.176	4380	nslookup.exe
Destination IP	58	159.203.38.175	2508	nslookup.exe
Destination IP	63	51.254.25.115	2524	nslookup.exe
Destination IP	13	207.192.71.13	4496	nslookup.exe
Destination IP	18	178.63.116.152	4248	nslookup.exe
Destination IP	19	51.77.227.84	6004	nslookup.exe
Destination IP	23	188.226.146.136	2216	nslookup.exe
Destination IP	28	51.75.173.177	2160	nslookup.exe
Destination IP	29	79.124.7.81	5036	nslookup.exe
Destination IP	52	142.4.205.47	2100	nslookup.exe
Destination IP	36	5.132.191.104	808	nslookup.exe
Destination IP	51	142.4.205.47	2100	nslookup.exe
Destination IP	7	163.172.168.171	4988	nslookup.exe
Destination IP	9	163.172.168.171	4988	nslookup.exe
Destination IP	20	51.77.227.84	6004	nslookup.exe
Destination IP	49	142.4.204.111	5604	nslookup.exe
Destination IP	27	51.75.173.177	2160	nslookup.exe
Destination IP	3	161.97.219.84	1088	nslookup.exe
Destination IP	8	163.172.168.171	4988	nslookup.exe
Destination IP	14	207.192.71.13	4496	nslookup.exe
Destination IP	22	188.226.146.136	2216	nslookup.exe
Destination IP	24	188.226.146.136	2216	nslookup.exe
Destination IP	2	161.97.219.84	1088	nslookup.exe
Destination IP	12	94.103.153.176	4380	nslookup.exe
Destination IP	17	178.63.116.152	4248	nslookup.exe
Destination IP	30	79.124.7.81	5036	nslookup.exe
Destination IP	32	144.76.103.143	1944	nslookup.exe
Destination IP	35	5.132.191.104	808	nslookup.exe
Destination IP	33	144.76.103.143	1944	nslookup.exe
Destination IP	21	51.77.227.84	6004	nslookup.exe
Destination IP	39	13.239.157.177	3660	nslookup.exe
Destination IP	43	207.148.83.241	1484	nslookup.exe
Destination IP	47	142.4.204.111	5604	nslookup.exe
Destination IP	53	198.100.148.224	4724	nslookup.exe
Destination IP	55	198.100.148.224	4724	nslookup.exe
Destination IP	26	51.75.173.177	2160	nslookup.exe
Destination IP	40	207.148.83.241	1484	nslookup.exe
Destination IP	59	66.70.228.164	1672	nslookup.exe
Destination IP	37	13.239.157.177	3660	nslookup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x001a00000002b14b-13.dat	upx
behavioral2/memory/940-16-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/940-18-0x0000000000400000-0x0000000000466000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\mksqftaf\eijregc.exe	2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
File opened for modification	C:\Windows\mksqftaf\eijregc.exe	2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
File created	C:\Windows\mksqftaf\xojkuvpitefgzat10649.exe	eijregc.exe

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eijregc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eijregc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3984	PING.EXE
3784	cmd.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x001a00000002b14a-6.dat	nsis_installer_2

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3984	PING.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe
940	xojkuvpitefgzat10649.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3184	2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3184	2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Token: SeDebugPrivilege	4892	eijregc.exe
Token: SeDebugPrivilege	1544	eijregc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3184	2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
4892	eijregc.exe
1544	eijregc.exe
940	xojkuvpitefgzat10649.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 3784	3184	2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	79
PID 3184 wrote to memory of 3784	3184	2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	79
PID 3184 wrote to memory of 3784	3184	2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	79
PID 3784 wrote to memory of 3984	3784	cmd.exe	81
PID 3784 wrote to memory of 3984	3784	cmd.exe	81
PID 3784 wrote to memory of 3984	3784	cmd.exe	81
PID 3784 wrote to memory of 4892	3784	cmd.exe	82
PID 3784 wrote to memory of 4892	3784	cmd.exe	82
PID 3784 wrote to memory of 4892	3784	cmd.exe	82
PID 1544 wrote to memory of 940	1544	eijregc.exe	84
PID 1544 wrote to memory of 940	1544	eijregc.exe	84
PID 1544 wrote to memory of 940	1544	eijregc.exe	84
PID 1544 wrote to memory of 2052	1544	eijregc.exe	85
PID 1544 wrote to memory of 2052	1544	eijregc.exe	85
PID 1544 wrote to memory of 2052	1544	eijregc.exe	85
PID 2052 wrote to memory of 1088	2052	cmd.exe	87
PID 2052 wrote to memory of 1088	2052	cmd.exe	87
PID 2052 wrote to memory of 1088	2052	cmd.exe	87
PID 1544 wrote to memory of 2132	1544	eijregc.exe	88
PID 1544 wrote to memory of 2132	1544	eijregc.exe	88
PID 1544 wrote to memory of 2132	1544	eijregc.exe	88
PID 2132 wrote to memory of 4988	2132	cmd.exe	90
PID 2132 wrote to memory of 4988	2132	cmd.exe	90
PID 2132 wrote to memory of 4988	2132	cmd.exe	90
PID 1544 wrote to memory of 5020	1544	eijregc.exe	91
PID 1544 wrote to memory of 5020	1544	eijregc.exe	91
PID 1544 wrote to memory of 5020	1544	eijregc.exe	91
PID 5020 wrote to memory of 4380	5020	cmd.exe	93
PID 5020 wrote to memory of 4380	5020	cmd.exe	93
PID 5020 wrote to memory of 4380	5020	cmd.exe	93
PID 1544 wrote to memory of 532	1544	eijregc.exe	94
PID 1544 wrote to memory of 532	1544	eijregc.exe	94
PID 1544 wrote to memory of 532	1544	eijregc.exe	94
PID 532 wrote to memory of 4496	532	cmd.exe	96
PID 532 wrote to memory of 4496	532	cmd.exe	96
PID 532 wrote to memory of 4496	532	cmd.exe	96
PID 1544 wrote to memory of 6036	1544	eijregc.exe	97
PID 1544 wrote to memory of 6036	1544	eijregc.exe	97
PID 1544 wrote to memory of 6036	1544	eijregc.exe	97
PID 6036 wrote to memory of 4248	6036	cmd.exe	99
PID 6036 wrote to memory of 4248	6036	cmd.exe	99
PID 6036 wrote to memory of 4248	6036	cmd.exe	99
PID 1544 wrote to memory of 1772	1544	eijregc.exe	100
PID 1544 wrote to memory of 1772	1544	eijregc.exe	100
PID 1544 wrote to memory of 1772	1544	eijregc.exe	100
PID 1772 wrote to memory of 6004	1772	cmd.exe	102
PID 1772 wrote to memory of 6004	1772	cmd.exe	102
PID 1772 wrote to memory of 6004	1772	cmd.exe	102
PID 1544 wrote to memory of 5180	1544	eijregc.exe	103
PID 1544 wrote to memory of 5180	1544	eijregc.exe	103
PID 1544 wrote to memory of 5180	1544	eijregc.exe	103
PID 5180 wrote to memory of 2216	5180	cmd.exe	105
PID 5180 wrote to memory of 2216	5180	cmd.exe	105
PID 5180 wrote to memory of 2216	5180	cmd.exe	105
PID 1544 wrote to memory of 8	1544	eijregc.exe	106
PID 1544 wrote to memory of 8	1544	eijregc.exe	106
PID 1544 wrote to memory of 8	1544	eijregc.exe	106
PID 8 wrote to memory of 2160	8	cmd.exe	108
PID 8 wrote to memory of 2160	8	cmd.exe	108
PID 8 wrote to memory of 2160	8	cmd.exe	108
PID 1544 wrote to memory of 1060	1544	eijregc.exe	109
PID 1544 wrote to memory of 1060	1544	eijregc.exe	109
PID 1544 wrote to memory of 1060	1544	eijregc.exe	109
PID 1060 wrote to memory of 5036	1060	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\mksqftaf\eijregc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3984
- - C:\Windows\mksqftaf\eijregc.exe
    C:\Windows\mksqftaf\eijregc.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4892

C:\Windows\mksqftaf\eijregc.exe
C:\Windows\mksqftaf\eijregc.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\mksqftaf\xojkuvpitefgzat10649.exe
  C:\Windows\mksqftaf\xojkuvpitefgzat10649.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:940
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 161.97.219.84
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 161.97.219.84
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 163.172.168.171
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 163.172.168.171
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 94.103.153.176
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 94.103.153.176
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4380
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 207.192.71.13
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 207.192.71.13
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4496
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 178.63.116.152
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6036
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 178.63.116.152
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4248
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 51.77.227.84
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 51.77.227.84
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:6004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 188.226.146.136
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5180
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 188.226.146.136
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2216
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 51.75.173.177
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 51.75.173.177
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2160
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 79.124.7.81
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 79.124.7.81
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 144.76.103.143
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5136
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 144.76.103.143
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 5.132.191.104
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6072
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 5.132.191.104
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:808
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 13.239.157.177
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4508
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 13.239.157.177
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3660
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 207.148.83.241
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5848
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 207.148.83.241
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 165.227.40.43
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5484
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 165.227.40.43
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 142.4.204.111
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1640
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 142.4.204.111
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5604
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 142.4.205.47
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5104
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 142.4.205.47
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 198.100.148.224
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4672
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 198.100.148.224
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 159.203.38.175
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3436
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 159.203.38.175
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2508
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 66.70.228.164
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1636
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 66.70.228.164
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 51.254.25.115
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5692
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 51.254.25.115
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2524
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 185.84.81.194
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4900
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 185.84.81.194
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1224
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 89.40.116.230
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6048
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 89.40.116.230
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1576

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mksqftaf\eijregc.exe

Filesize
11.6MB

MD5
144d40ccb37f2d28612f5f3ab5377b2e

SHA1
8dfc05bd61f70cd987c9522397be824584b7f925

SHA256
c95328a89a1e989731629580fe72764ca6e7add129dce448fd01c844b01c3394

SHA512
36b243e6442e6e53389cdd827fc98ced40e7950f7b34f500c9d9a29e836a6f661e656abd36c8ee9572f81318fe8cff6f25d9caf4e30f7dfd3ed26f0c496d4579

Download Submit
C:\Windows\mksqftaf\xojkuvpitefgzat10649.exe

Filesize
69KB

MD5
8a761ad0a469caa921b8a1bdb989b9d1

SHA1
4584c31d116e15f402cc17122edd304eb6c95b2e

SHA256
875abc09f1abc43dfcc8a9c2a5e541c9a8bcaf33a4e8faa20c58947f8c8b56fa

SHA512
d2e541a9a245ea883b54e06583c5db4532e042e333f633e9dc20a1fd5d8d11c46a283274bcde0f972234a63f95e518a27da50f34a1899d88a398bbeb76cb371f

Download Submit
memory/940-16-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/940-18-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3184-0-0x0000000000400000-0x0000000000CEB000-memory.dmp

Filesize
8.9MB

Download
memory/3184-4-0x0000000000400000-0x0000000000CEB000-memory.dmp

Filesize
8.9MB

Download
memory/4892-8-0x0000000000400000-0x0000000000CEB000-memory.dmp

Filesize
8.9MB

Download