Analysis

Max time kernel: 107s
Max time network: 140s
Platform: windows10-2004_x64
Resource: win10v2004-20230221-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 18-03-2023 21:41

Static task: static1
Behavioral task: behavioral1
Sample: aaab17759214d18fc1f87b5c35c0ba96be689eca624e2b76b5b01cb5b5844ab0.exe
Resource: win10v2004-20230221-en

General

Target: aaab17759214d18fc1f87b5c35c0ba96be689eca624e2b76b5b01cb5b5844ab0.exe
Size: 1.0MB
MD5: 285b36cc0facb9bfc69a4b4398419057
SHA1: f046b8fdaa416ce58e7f67ee73478818c8e6bc0e
SHA256: aaab17759214d18fc1f87b5c35c0ba96be689eca624e2b76b5b01cb5b5844ab0
SHA512: 119cf917ed694c6b642c4f8146711b17c797fb43a5cb56583cff261a86bbb900aacd6cf272d4f6d5b18901a56522aedd4a3706dff1be52e04dd1752bbae8b826
SSDEEP: 12288:OMr2y90A6ViF7vrqYfWkIhqHULZOovUJHdsIydEg4fV/ZWZi1D/ww+z10jtjTc8r:IyaVkAZOVJHKIy9a2i1D4wfTh
Malware Config

Extracted: redline
  Botnet: gena
  C2: 193.233.20.30:4125
  auth_value: 93c20961cb6b06b2d5781c212db6201e

Extracted: redline
  Botnet: vint
  C2: 193.233.20.30:4125
  auth_value: fb8811912f8370b3d23bffda092d88d0

Extracted: amadey
  Version: 3.68
  C2: 62.204.41.87/joomla/index.php

Extracted: aurora
  C2: 212.87.204.93:8081

Extracted: redline
  Botnet: build_main
  C2: 80.85.156.168:20189
  auth_value: 5e5c9cacc6d168f8ade7fb6419edb114
Signatures

Detect rhadamanthys stealer shellcode (2 IoCs)
  YARA rule family_rhadamanthys matched in the memory of PID 4472 (fontview.exe), both hits on the region 0x0000000002A00000-0x0000000002A1C000:
  - behavioral1/memory/4472-1211-0x0000000002A00000-0x0000000002A1C000-memory.dmp
  - behavioral1/memory/4472-1216-0x0000000002A00000-0x0000000002A1C000-memory.dmp

Modifies Windows Defender Real-time Protection settings (12 IoCs)
  mx9846Fz.exe (PID 2156), key \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection:
  - key created
  - DisableIOAVProtection = 1
  - DisableBehaviorMonitoring = 1
  - DisableOnAccessProtection = 1
  - DisableRealtimeMonitoring = 1
  - DisableScanOnRealtimeEnable = 1
  ns9895Ro.exe (PID 1908), key \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection:
  - key created
  - DisableIOAVProtection = 1
  - DisableOnAccessProtection = 1
  - DisableRealtimeMonitoring = 1
  - DisableBehaviorMonitoring = 1
  - DisableScanOnRealtimeEnable = 1
  All values are written as DWORDs. The two droppers set the same five policy values, one under the native path and one under the WOW6432Node reflection, so a check that reads only one view misses half of the tampering. Tamper Protection is designed to resist exactly these policy writes, which is why both droppers also write TamperProtection = 0 (see "Windows security modification" below).

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (18 IoCs)
  YARA rule family_redline matched 18 memory dumps of PID 4900 (py86eK64.exe), all covering the same region 0x0000000004D70000-0x0000000004DAE000 (dump indices 213, 214, 217, 219, 221, 223, 225, 227, 229, 231, 233, 235, 237, 239, 241, 243, 245 and 247, e.g. behavioral1/memory/4900-213-0x0000000004D70000-0x0000000004DAE000-memory.dmp).

Rhadamanthys
Rhadamanthys is an info stealer written in C++, first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  PID 1388 (KMuffPQJRlr6.exe) created a process with PID 2620 (taskhostw.exe) as its parent; in the process tree that child is fontview.exe (PID 4472), which is where the Rhadamanthys shellcode was found.

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  - ry83vJ95.exe queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation
  - legenda.exe queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (12 IoCs)
  - 4292 will3637.exe
  - 3136 will2219.exe
  - 4620 will0579.exe
  - 2156 mx9846Fz.exe
  - 1908 ns9895Ro.exe
  - 4900 py86eK64.exe
  - 636 qs3438OK.exe
  - 3088 ry83vJ95.exe
  - 444 legenda.exe
  - 1388 KMuffPQJRlr6.exe
  - 4628 svchost.exe
  - 5112 legenda.exe

Loads dropped DLL (2 IoCs)
  - 1388 KMuffPQJRlr6.exe
  - 4704 rundll32.exe (clip64.dll, per its command line in the process tree)

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Windows security modification (3 IoCs)
  - ns9895Ro.exe: key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
  - ns9895Ro.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = 0 (DWORD)
  - mx9846Fz.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = 0 (DWORD)

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 8 IoCs)
  Each of the four outer layers creates \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce and writes one string value:
  - aaab17759214d18fc1f87b5c35c0ba96be689eca624e2b76b5b01cb5b5844ab0.exe: wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  - will3637.exe: wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
  - will2219.exe: wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"
  - will0579.exe: wextract_cleanup3 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"
  Caveat: wextract_cleanupN entries pointing rundll32 at advpack.dll,DelNodeRunDLL32 with an IXP00n.TMP folder are the standard self-cleanup records written by the Windows IExpress/wextract self-extractor. They delete the extraction folder at the next logon and do not launch the payload. What this signature actually documents is four nested self-extracting layers (the sample, will3637.exe, will2219.exe, will0579.exe); the persistence in this run is the scheduled task under "Creates scheduled task(s)".

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  - 4472 fontview.exe (three calls)

Suspicious use of SetThreadContext (1 IoC)
  - PID 1388 (KMuffPQJRlr6.exe) set the thread context of PID 2456 (ngentask.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The canned description calls this likely ransomware behaviour; nothing else in this run supports that (the extracted families are stealers and a loader, and no encryption-related signature fired). Drive enumeration is equally consistent with a stealer walking volumes, or with the sandbox checks under "Checks SCSI registry key(s)" below.

Program crash (1 IoC)
  - 2420 WerFault.exe handled a crash of PID 4900 (py86eK64.exe)

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  fontview.exe (PID 4472):
  - opened, queried and enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  - opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
  - queried HardwareID under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  The HardwareID string is what VM-detection code compares against hypervisor vendor strings (VMware, VBOX, QEMU); this sandbox exposes the non-default vendor DADY.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. The task is the schtasks.exe command under legenda.exe in the process tree (runs every minute).

Suspicious behavior: EnumeratesProcesses (58 IoCs)
  - 2156 mx9846Fz.exe (2)
  - 1908 ns9895Ro.exe (2)
  - 4900 py86eK64.exe (2)
  - 636 qs3438OK.exe (2)
  - 1388 KMuffPQJRlr6.exe (48)
  - 2456 ngentask.exe (2)

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  - SeDebugPrivilege: 2156 mx9846Fz.exe, 1908 ns9895Ro.exe, 4900 py86eK64.exe, 636 qs3438OK.exe, 2456 ngentask.exe
  - SeShutdownPrivilege: 4472 fontview.exe
  - SeCreatePagefilePrivilege: 4472 fontview.exe

Suspicious use of WriteProcessMemory (64 IoCs; 63 rows survive in the extracted table)
  Rows are "source PID wrote to memory of target PID"; a parent writes into every child it starts, so most rows simply mirror the process tree. Unique pairs with row counts:
  - 4284 aaab17759214d18fc1f87b5c35c0ba96be689eca624e2b76b5b01cb5b5844ab0.exe -> 4292 will3637.exe (3)
  - 4292 will3637.exe -> 3136 will2219.exe (3)
  - 3136 will2219.exe -> 4620 will0579.exe (3)
  - 4620 will0579.exe -> 2156 mx9846Fz.exe (2)
  - 4620 will0579.exe -> 1908 ns9895Ro.exe (3)
  - 3136 will2219.exe -> 4900 py86eK64.exe (3)
  - 4292 will3637.exe -> 636 qs3438OK.exe (3)
  - 4284 aaab17759214d18fc1f87b5c35c0ba96be689eca624e2b76b5b01cb5b5844ab0.exe -> 3088 ry83vJ95.exe (3)
  - 3088 ry83vJ95.exe -> 444 legenda.exe (3)
  - 444 legenda.exe -> 2708 schtasks.exe (3)
  - 444 legenda.exe -> 3960 cmd.exe (3)
  - 3960 cmd.exe -> 1656 cmd.exe (3)
  - 3960 cmd.exe -> 1700 cacls.exe (3)
  - 3960 cmd.exe -> 4532 cacls.exe (3)
  - 3960 cmd.exe -> 2448 cmd.exe (3)
  - 3960 cmd.exe -> 1616 cacls.exe (3)
  - 3960 cmd.exe -> 2308 cacls.exe (3)
  - 444 legenda.exe -> 1388 KMuffPQJRlr6.exe (3)
  - 444 legenda.exe -> 4628 svchost.exe (3)
  - 1388 KMuffPQJRlr6.exe -> 2456 ngentask.exe (4)
  - 1388 KMuffPQJRlr6.exe -> 4472 fontview.exe (3)
  The two rows that do not look like plain process creation are the last two: 1388 writes into ngentask.exe, whose thread context it also resets (SetThreadContext above), and into fontview.exe, which the tree shows under taskhostw.exe rather than under 1388 (NtCreateUserProcessOtherParentProcess above).
Processes

Depth markers [n] are the nesting levels from the report; each entry gives the image, the command line, the signatures attached to it, and its PID.

[1] C:\Windows\system32\taskhostw.exe (PID 2620)
    cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    [2] C:\Windows\SysWOW64\fontview.exe (PID 4472)
        cmdline: "C:\Windows\SYSWOW64\fontview.exe"
        signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\aaab17759214d18fc1f87b5c35c0ba96be689eca624e2b76b5b01cb5b5844ab0.exe (PID 4284)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\aaab17759214d18fc1f87b5c35c0ba96be689eca624e2b76b5b01cb5b5844ab0.exe"
    signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will3637.exe (PID 4292)
        signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2219.exe (PID 3136)
            signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will0579.exe (PID 4620)
                signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
                [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx9846Fz.exe (PID 2156)
                    signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns9895Ro.exe (PID 1908)
                    signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py86eK64.exe (PID 4900)
                signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                [5] C:\Windows\SysWOW64\WerFault.exe (PID 2420)
                    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1312
                    signatures: Program crash
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs3438OK.exe (PID 636)
            signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry83vJ95.exe (PID 3088)
        signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe (PID 444)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
            signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\schtasks.exe (PID 2708)
                cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
                signatures: Creates scheduled task(s)
            [4] C:\Windows\SysWOW64\cmd.exe (PID 3960)
                cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
                signatures: Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\cmd.exe (PID 1656)
                    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                [5] C:\Windows\SysWOW64\cacls.exe (PID 1700)
                    cmdline: CACLS "legenda.exe" /P "Admin:N"
                [5] C:\Windows\SysWOW64\cacls.exe (PID 4532)
                    cmdline: CACLS "legenda.exe" /P "Admin:R" /E
                [5] C:\Windows\SysWOW64\cmd.exe (PID 2448)
                    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                [5] C:\Windows\SysWOW64\cacls.exe (PID 1616)
                    cmdline: CACLS "..\f22b669919" /P "Admin:N"
                [5] C:\Windows\SysWOW64\cacls.exe (PID 2308)
                    cmdline: CACLS "..\f22b669919" /P "Admin:R" /E
            [4] C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe (PID 1388)
                cmdline: "C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe"
                signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
                [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe (PID 2456)
                    cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
                    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            [4] C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe (PID 4628)
                cmdline: "C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"
                signatures: Executes dropped EXE
            [4] C:\Windows\SysWOW64\rundll32.exe (PID 4704)
                cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
                signatures: Loads dropped DLL

[1] C:\Windows\SysWOW64\WerFault.exe (PID 1324)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4900 -ip 4900

[1] C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe (PID 5112)
    signatures: Executes dropped EXE

Reading the tree:
- The sample and the three will*.exe layers are nested self-extractors (IXP000.TMP through IXP003.TMP, with matching wextract_cleanup RunOnce entries). The innermost layer drops mx9846Fz.exe and ns9895Ro.exe, which do nothing but disable Defender real-time protection and Tamper Protection.
- py86eK64.exe (PID 4900) is the process whose memory matched the RedLine YARA rule; it crashed and was handled by WerFault.exe.
- legenda.exe (PID 444) installs a schtasks entry that re-runs it every minute (the second instance, PID 5112, is that task firing), uses cacls to strip the Admin user down to read-only on its own file and folder, then downloads KMuffPQJRlr6.exe and a file named svchost.exe into numbered Temp subfolders and loads clip64.dll through rundll32. This behaviour is consistent with the Amadey 3.68 configuration extracted above; the report does not attach a family label to the process itself.
- KMuffPQJRlr6.exe (PID 1388) hollows ngentask.exe (WriteProcessMemory plus SetThreadContext) and starts fontview.exe with taskhostw.exe spoofed as its parent. fontview.exe is where the Rhadamanthys shellcode was found in memory, and it is also the process doing the anti-debug (HideFromDebugger) and SCSI vendor checks.
- The aurora configuration and the two additional RedLine configurations (vint, build_main) were extracted from the sample but are not tied to a running PID anywhere in this report.
Network
MITRE ATT&CK Enterprise v6
Downloads

Dropped files by size and hash. The extracted page lists hashes only, without paths; a file listed more than once was dropped to more than one location.

- 1.5MB (listed 3 times)
  MD5    103f1dc5270469cf9414ee95dee9561f
  SHA1   f44b74ac4e35943c1b9f85ca560595bb64a8c918
  SHA256 5d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac
  SHA512 a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88

- 3.0MB (listed 3 times)
  MD5    a8a106555b9e1f92569d623c66ee8c12
  SHA1   a5080c26b5f5911c10d80654c84239a226fc75d1
  SHA256 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
  SHA512 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26

- 334KB
  MD5    098a4aa93e275de54bbc35ae4b981301
  SHA1   d03646dc7c63e0784393f74085405c794b8555af
  SHA256 5e81e932ef8520dd7de22cb9e3a02af66d29dc1726b133e894cbd7d797b9af3b
  SHA512 2e039df42a6202f4e4c61c3bef62307dfa5b7e1e9103085c4f73c4459c8cc747bec85da8f1c87f97851de896104712c71f13da396c6016fc27f60cd358e93f46

- 235KB (listed 2 times)
  MD5    5086db99de54fca268169a1c6cf26122
  SHA1   003f768ffcc99bda5cda1fb966fda8625a8fdc3e
  SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
  SHA512 90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

- 852KB (listed 2 times)
  MD5    31043375de02867b4aa7b463e03b208b
  SHA1   995817f616ed36454ac599972f9aeb5ab78b527b
  SHA256 87da24875b20fdddcfa17ac87dc9466f8df1a2114d4300119895915e1ac917e0
  SHA512 b5faea84dc1cc75af3ab06c0f3f68df8b0d86d5e9cc3b1add251bb217ebc1ccd9104c302cef8f4c191d8ffc036cd8ff81be5435ffb57f25ac860ab93c1bb5414

- 175KB (listed 2 times)
  MD5    3389637c0d072121bf1b127629736d37
  SHA1   300e915efdf2479bfd0d3699c0a6bc51260f9655
  SHA256 2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
  SHA512 a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

- 707KB (listed 2 times)
  MD5    a322e2c74393f62ddc83481852841ce4
  SHA1   504f86eb696128a761bdbe4a02d161b615798b3a
  SHA256 db2ae494ad5ebe803bc8337c70f78810408f1748cbab711bd010a543fd3e0279
  SHA512 1d14c1a2e5d3d382aff8963312f611bf61657c1186b627641cb1cc324daaf9a6024fa8a2f2752b133dd4b76a6e33906e3f08e44a36dee4683a892d3c4f0349b2

- 391KB (listed 2 times)
  MD5    63dcda13c6b7020f7b7f5ae86805e147
  SHA1   f30f082bbe2d5847c04a0abb1186eb6946c9c8a1
  SHA256 029a5e35b849959de4134307fd5c309a5348354491774b8120bf1d7d98afd7b6
  SHA512 33553a064493b8d278657ad75f6acbd036738f500af1f3ed4c2d6dd62d44b7741fb6637264ebd1ab0a0076dbb1b69dfa356aa82f3c4cb2bbf237aee506c1fa2b

- 354KB (listed 2 times)
  MD5    e6484b0faf3acec4f90dae38af51d220
  SHA1   f60f6c8172e849468a813a2f8a429496ecdbd760
  SHA256 643e4c5ee272a26038a0f505025d2149a6f7343c4ddd933c465617871c6a89ae
  SHA512 b5afe33ae9450c9a08dfb108d464a2d13b76611f081675036f4265ae054cad56a4b1e6aa52d3e4c82287a0435e15525e6179e742be16e085e8a679df18f26872

- 11KB (listed 2 times)
  MD5    7e93bacbbc33e6652e147e7fe07572a0
  SHA1   421a7167da01c8da4dc4d5234ca3dd84e319e762
  SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
  SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

- 333KB (listed 2 times)
  MD5    02f7997c083388579222546f4d0a121a
  SHA1   670fa35ae642eead02ace76f948f5d4387460cfa
  SHA256 3c2c908bcd780a3701a2afe69e282958d1c6d8cb408acaa47af9b5fbfeedb7fc
  SHA512 076a0ecd8f8a32fa1307cba03d71129b3ab6f1ffefb20ecbd739e7932b6886bc16e90da813b01d23a5086c220a100fc8aa723449d7aacd176bec9247c058302b

- 235KB (listed 4 more times; same hashes as the 235KB entry above)
  MD5    5086db99de54fca268169a1c6cf26122
  SHA256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

- 89KB (listed 3 times)
  MD5    16cf28ebb6d37dbaba93f18320c6086e
  SHA1   eae7d4b7a9636329065877aabe8d4f721a26ab25
  SHA256 c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
  SHA512 f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

- 223B
  MD5    94cbeec5d4343918fd0e48760e40539c
  SHA1   a049266c5c1131f692f306c8710d7e72586ae79d
  SHA256 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
  SHA512 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0