Analysis

max time kernel: 98s
max time network: 145s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 18-03-2023 23:17

Static task: static1
Behavioral task: behavioral1
Sample: f934c27c8c4d5cd2776c616f99553d28e723c684cd9de6dfd5f6a80d53649ea2.exe
Resource: win10-20230220-en
General

Target: f934c27c8c4d5cd2776c616f99553d28e723c684cd9de6dfd5f6a80d53649ea2.exe
Size: 1.0MB
MD5: d9effca3f25d88d0a83094b337160f10
SHA1: c5d15f03bbec5d7d7dc21e74af943dfb218b2b89
SHA256: f934c27c8c4d5cd2776c616f99553d28e723c684cd9de6dfd5f6a80d53649ea2
SHA512: 8c56a46d690a388221644c16080a1a96518d0a76233631874c9c8b7b1530e032ce34e276499d0507d680077b342746021b8f05bf6bcdb2ebbc0477519d655af6
SSDEEP: 24576:2ytCVJq5wFlWVvtBHjIDbYbhPkItF0VlN:FITq5w0IDbYbBxF0f
Malware Config

Extracted: redline (gena)
  C2: 193.233.20.30:4125
  auth_value: 93c20961cb6b06b2d5781c212db6201e

Extracted: redline (vint)
  C2: 193.233.20.30:4125
  auth_value: fb8811912f8370b3d23bffda092d88d0

Extracted: amadey 3.68
  C2: 62.204.41.87/joomla/index.php

Extracted: aurora
  C2: 212.87.204.93:8081

Extracted: redline (build_main)
  C2: 80.85.156.168:20189
  auth_value: 5e5c9cacc6d168f8ade7fb6419edb114
Signatures

Detect rhadamanthys stealer shellcode (3 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/4308-1217-0x0000000002C60000-0x0000000002C7C000-memory.dmp | family_rhadamanthys
behavioral1/memory/416-1236-0x00000000008B0000-0x00000000008CC000-memory.dmp | family_rhadamanthys
behavioral1/memory/4308-1238-0x0000000002C60000-0x0000000002C7C000-memory.dmp | family_rhadamanthys

Modifies Windows Defender Real-time Protection settings
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | mx1378Ka.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | mx1378Ka.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | ns6194Gy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | ns6194Gy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | ns6194Gy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | mx1378Ka.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | mx1378Ka.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | mx1378Ka.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | ns6194Gy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | ns6194Gy.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (23 IoCs)
Rhadamanthys
Rhadamanthys is an info stealer written in C++, first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
Processes:
description | pid | process | target process
PID 5000 created 3044 | 5000 | KMuffPQJRlr6.exe | taskhostw.exe

Downloads MZ/PE file

Executes dropped EXE (12 IoCs)
Processes:
pid | process
3012 | will8321.exe
4068 | will3101.exe
3444 | will8190.exe
4176 | mx1378Ka.exe
1536 | ns6194Gy.exe
4672 | py53vI94.exe
4968 | qs8870ZC.exe
4656 | ry08Ra02.exe
4840 | legenda.exe
5000 | KMuffPQJRlr6.exe
5092 | svchost.exe
4308 | serv.exe

Loads dropped DLL (1 IoCs)
Processes:
pid | process
5000 | KMuffPQJRlr6.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | mx1378Ka.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | ns6194Gy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | ns6194Gy.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 8 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | f934c27c8c4d5cd2776c616f99553d28e723c684cd9de6dfd5f6a80d53649ea2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f934c27c8c4d5cd2776c616f99553d28e723c684cd9de6dfd5f6a80d53649ea2.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | will8321.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | will8321.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | will3101.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | will3101.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | will8190.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | will8190.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
Processes:
pid | process
4308 | serv.exe
4308 | serv.exe
4308 | serv.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | process | target process
PID 5000 set thread context of 5040 | 5000 | KMuffPQJRlr6.exe | ngentask.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
Processes:
pid | pid_target | process | target process
3064 | 5000 | WerFault.exe | KMuffPQJRlr6.exe

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | serv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | serv.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | serv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | serv.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | serv.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (58 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

c:\windows\system32\taskhostw.exe  (PID 3044)
    command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    C:\Windows\SYSWOW64\fontview.exe  (PID 416)
        command line: "C:\Windows\SYSWOW64\fontview.exe"

C:\Users\Admin\AppData\Local\Temp\f934c27c8c4d5cd2776c616f99553d28e723c684cd9de6dfd5f6a80d53649ea2.exe  (PID 2572)
    command line: "C:\Users\Admin\AppData\Local\Temp\f934c27c8c4d5cd2776c616f99553d28e723c684cd9de6dfd5f6a80d53649ea2.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8321.exe  (PID 3012)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8321.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3101.exe  (PID 4068)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will3101.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8190.exe  (PID 3444)
                command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8190.exe
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious use of WriteProcessMemory
                C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe  (PID 4176)
                    command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx1378Ka.exe
                    - Modifies Windows Defender Real-time Protection settings
                    - Executes dropped EXE
                    - Windows security modification
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe  (PID 1536)
                    command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns6194Gy.exe
                    - Modifies Windows Defender Real-time Protection settings
                    - Executes dropped EXE
                    - Windows security modification
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py53vI94.exe  (PID 4672)
                command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py53vI94.exe
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8870ZC.exe  (PID 4968)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8870ZC.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry08Ra02.exe  (PID 4656)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry08Ra02.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe  (PID 4840)
            command line: "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\schtasks.exe  (PID 2080)
                command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
                - Creates scheduled task(s)
            C:\Windows\SysWOW64\cmd.exe  (PID 4744)
                command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
                - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\cmd.exe  (PID 3888)
                    command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                C:\Windows\SysWOW64\cacls.exe  (PID 3564)
                    command line: CACLS "legenda.exe" /P "Admin:N"
                C:\Windows\SysWOW64\cacls.exe  (PID 3464)
                    command line: CACLS "legenda.exe" /P "Admin:R" /E
                C:\Windows\SysWOW64\cmd.exe  (PID 4800)
                    command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                C:\Windows\SysWOW64\cacls.exe  (PID 4752)
                    command line: CACLS "..\f22b669919" /P "Admin:N"
                C:\Windows\SysWOW64\cacls.exe  (PID 3472)
                    command line: CACLS "..\f22b669919" /P "Admin:R" /E
            C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe  (PID 5000)
                command line: "C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe"
                - Suspicious use of NtCreateUserProcessOtherParentProcess
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe  (PID 5040)
                    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                C:\Windows\SysWOW64\WerFault.exe  (PID 3064)
                    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 784
                    - Program crash
            C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe  (PID 5092)
                command line: "C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"
                - Executes dropped EXE
                C:\Windows\SysWOW64\Wbem\wmic.exe  (PID 2100)
                    command line: wmic os get Caption
                    - Suspicious use of AdjustPrivilegeToken
                C:\Windows\SysWOW64\cmd.exe  (PID 660)
                    command line: cmd /C "wmic path win32_VideoController get name"
                    C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 2528)
                        command line: wmic path win32_VideoController get name
                        - Suspicious use of AdjustPrivilegeToken
                C:\Windows\SysWOW64\cmd.exe  (PID 2516)
                    command line: cmd /C "wmic cpu get name"
                    C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 2488)
                        command line: wmic cpu get name
            C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe  (PID 4308)
                command line: "C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe"
                - Executes dropped EXE
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                - Checks SCSI registry key(s)

Downloads