amadey | 24ccf8a4403a15628e32977ac976d180517d7f01cb33aacdbafb65bf59c58a91

Analysis

max time kernel
143s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20-03-2023 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24ccf8a4403a15628e32977ac976d180517d7f01cb33aacdbafb65bf59c58a91.exe
Size

959KB
MD5

c89a334e098a4218fe41caf01e52866a
SHA1

c456b1000f212d29f667279975b98245707d7801
SHA256

24ccf8a4403a15628e32977ac976d180517d7f01cb33aacdbafb65bf59c58a91
SHA512

31595110428c93b7240194d074733ddc3bb8043fb4ca6dd7021ef1b2889de634f0dfbf73c302d3c434cdb82c6e2d06557269f4aba93373005cf51cc5ff9295a9
SSDEEP

24576:zyts+AqMOyQEqQ8ek2fiOigMw375Q3avsn5:Gts5AQyvAh7C3a0n

Score

10^/10

amadey redline gena vint discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gena

193.233.20.30:4125

Attributes

auth_value
93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

vint

193.233.20.30:4125

Attributes

auth_value
fb8811912f8370b3d23bffda092d88d0

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz9886.exev6389eu.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz9886.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz9886.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v6389eu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v6389eu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v6389eu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v6389eu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz9886.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz9886.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz9886.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz9886.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v6389eu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v6389eu.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1372-211-0x0000000005040000-0x000000000507E000-memory.dmp	family_redline
behavioral1/memory/1372-212-0x0000000005040000-0x000000000507E000-memory.dmp	family_redline
behavioral1/memory/1372-214-0x0000000005040000-0x000000000507E000-memory.dmp	family_redline
behavioral1/memory/1372-216-0x0000000005040000-0x000000000507E000-memory.dmp	family_redline
behavioral1/memory/1372-218-0x0000000005040000-0x000000000507E000-memory.dmp	family_redline
behavioral1/memory/1372-220-0x0000000005040000-0x000000000507E000-memory.dmp	family_redline
behavioral1/memory/1372-222-0x0000000005040000-0x000000000507E000-memory.dmp	family_redline
behavioral1/memory/1372-224-0x0000000005040000-0x000000000507E000-memory.dmp	family_redline
behavioral1/memory/1372-226-0x0000000005040000-0x000000000507E000-memory.dmp	family_redline
behavioral1/memory/1372-228-0x0000000005040000-0x000000000507E000-memory.dmp	family_redline
behavioral1/memory/1372-230-0x0000000005040000-0x000000000507E000-memory.dmp	family_redline
behavioral1/memory/1372-232-0x0000000005040000-0x000000000507E000-memory.dmp	family_redline
behavioral1/memory/1372-234-0x0000000005040000-0x000000000507E000-memory.dmp	family_redline
behavioral1/memory/1372-236-0x0000000005040000-0x000000000507E000-memory.dmp	family_redline
behavioral1/memory/1372-238-0x0000000005040000-0x000000000507E000-memory.dmp	family_redline
behavioral1/memory/1372-240-0x0000000005040000-0x000000000507E000-memory.dmp	family_redline
behavioral1/memory/1372-242-0x0000000005040000-0x000000000507E000-memory.dmp	family_redline
behavioral1/memory/1372-244-0x0000000005040000-0x000000000507E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y20MI50.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	y20MI50.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 11 IoCs

Processes:

zap6807.exezap1047.exezap0584.exetz9886.exev6389eu.exew65YJ79.exexPgBG26.exey20MI50.exelegenda.exelegenda.exelegenda.exe

pid	process
5016	zap6807.exe
2636	zap1047.exe
3392	zap0584.exe
3632	tz9886.exe
1744	v6389eu.exe
1372	w65YJ79.exe
2860	xPgBG26.exe
5108	y20MI50.exe
4428	legenda.exe
3916	legenda.exe
2076	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4660 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4660	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz9886.exev6389eu.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz9886.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v6389eu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v6389eu.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap1047.exezap0584.exe24ccf8a4403a15628e32977ac976d180517d7f01cb33aacdbafb65bf59c58a91.exezap6807.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap1047.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap0584.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap0584.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	24ccf8a4403a15628e32977ac976d180517d7f01cb33aacdbafb65bf59c58a91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	24ccf8a4403a15628e32977ac976d180517d7f01cb33aacdbafb65bf59c58a91.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6807.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap6807.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1047.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2180 1744 WerFault.exe v6389eu.exe
1128 1372 WerFault.exe w65YJ79.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1432 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz9886.exev6389eu.exew65YJ79.exexPgBG26.exe

pid process

3632 tz9886.exe
3632 tz9886.exe
1744 v6389eu.exe
1744 v6389eu.exe
1372 w65YJ79.exe
1372 w65YJ79.exe
2860 xPgBG26.exe
2860 xPgBG26.exe

pid	pid_target	process	target process
2180	1744	WerFault.exe	v6389eu.exe
1128	1372	WerFault.exe	w65YJ79.exe

pid	process
1432	schtasks.exe

pid	process
3632	tz9886.exe
3632	tz9886.exe
1744	v6389eu.exe
1744	v6389eu.exe
1372	w65YJ79.exe
1372	w65YJ79.exe
2860	xPgBG26.exe
2860	xPgBG26.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz9886.exev6389eu.exew65YJ79.exexPgBG26.exe

description	pid	process
Token: SeDebugPrivilege	3632	tz9886.exe
Token: SeDebugPrivilege	1744	v6389eu.exe
Token: SeDebugPrivilege	1372	w65YJ79.exe
Token: SeDebugPrivilege	2860	xPgBG26.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

24ccf8a4403a15628e32977ac976d180517d7f01cb33aacdbafb65bf59c58a91.exezap6807.exezap1047.exezap0584.exey20MI50.exelegenda.execmd.exe

description	pid	process	target process
PID 1604 wrote to memory of 5016	1604	24ccf8a4403a15628e32977ac976d180517d7f01cb33aacdbafb65bf59c58a91.exe	zap6807.exe
PID 1604 wrote to memory of 5016	1604	24ccf8a4403a15628e32977ac976d180517d7f01cb33aacdbafb65bf59c58a91.exe	zap6807.exe
PID 1604 wrote to memory of 5016	1604	24ccf8a4403a15628e32977ac976d180517d7f01cb33aacdbafb65bf59c58a91.exe	zap6807.exe
PID 5016 wrote to memory of 2636	5016	zap6807.exe	zap1047.exe
PID 5016 wrote to memory of 2636	5016	zap6807.exe	zap1047.exe
PID 5016 wrote to memory of 2636	5016	zap6807.exe	zap1047.exe
PID 2636 wrote to memory of 3392	2636	zap1047.exe	zap0584.exe
PID 2636 wrote to memory of 3392	2636	zap1047.exe	zap0584.exe
PID 2636 wrote to memory of 3392	2636	zap1047.exe	zap0584.exe
PID 3392 wrote to memory of 3632	3392	zap0584.exe	tz9886.exe
PID 3392 wrote to memory of 3632	3392	zap0584.exe	tz9886.exe
PID 3392 wrote to memory of 1744	3392	zap0584.exe	v6389eu.exe
PID 3392 wrote to memory of 1744	3392	zap0584.exe	v6389eu.exe
PID 3392 wrote to memory of 1744	3392	zap0584.exe	v6389eu.exe
PID 2636 wrote to memory of 1372	2636	zap1047.exe	w65YJ79.exe
PID 2636 wrote to memory of 1372	2636	zap1047.exe	w65YJ79.exe
PID 2636 wrote to memory of 1372	2636	zap1047.exe	w65YJ79.exe
PID 5016 wrote to memory of 2860	5016	zap6807.exe	xPgBG26.exe
PID 5016 wrote to memory of 2860	5016	zap6807.exe	xPgBG26.exe
PID 5016 wrote to memory of 2860	5016	zap6807.exe	xPgBG26.exe
PID 1604 wrote to memory of 5108	1604	24ccf8a4403a15628e32977ac976d180517d7f01cb33aacdbafb65bf59c58a91.exe	y20MI50.exe
PID 1604 wrote to memory of 5108	1604	24ccf8a4403a15628e32977ac976d180517d7f01cb33aacdbafb65bf59c58a91.exe	y20MI50.exe
PID 1604 wrote to memory of 5108	1604	24ccf8a4403a15628e32977ac976d180517d7f01cb33aacdbafb65bf59c58a91.exe	y20MI50.exe
PID 5108 wrote to memory of 4428	5108	y20MI50.exe	legenda.exe
PID 5108 wrote to memory of 4428	5108	y20MI50.exe	legenda.exe
PID 5108 wrote to memory of 4428	5108	y20MI50.exe	legenda.exe
PID 4428 wrote to memory of 1432	4428	legenda.exe	schtasks.exe
PID 4428 wrote to memory of 1432	4428	legenda.exe	schtasks.exe
PID 4428 wrote to memory of 1432	4428	legenda.exe	schtasks.exe
PID 4428 wrote to memory of 4384	4428	legenda.exe	cmd.exe
PID 4428 wrote to memory of 4384	4428	legenda.exe	cmd.exe
PID 4428 wrote to memory of 4384	4428	legenda.exe	cmd.exe
PID 4384 wrote to memory of 3832	4384	cmd.exe	cmd.exe
PID 4384 wrote to memory of 3832	4384	cmd.exe	cmd.exe
PID 4384 wrote to memory of 3832	4384	cmd.exe	cmd.exe
PID 4384 wrote to memory of 3572	4384	cmd.exe	cacls.exe
PID 4384 wrote to memory of 3572	4384	cmd.exe	cacls.exe
PID 4384 wrote to memory of 3572	4384	cmd.exe	cacls.exe
PID 4384 wrote to memory of 3432	4384	cmd.exe	cacls.exe
PID 4384 wrote to memory of 3432	4384	cmd.exe	cacls.exe
PID 4384 wrote to memory of 3432	4384	cmd.exe	cacls.exe
PID 4384 wrote to memory of 3484	4384	cmd.exe	cmd.exe
PID 4384 wrote to memory of 3484	4384	cmd.exe	cmd.exe
PID 4384 wrote to memory of 3484	4384	cmd.exe	cmd.exe
PID 4384 wrote to memory of 1060	4384	cmd.exe	cacls.exe
PID 4384 wrote to memory of 1060	4384	cmd.exe	cacls.exe
PID 4384 wrote to memory of 1060	4384	cmd.exe	cacls.exe
PID 4384 wrote to memory of 1344	4384	cmd.exe	cacls.exe
PID 4384 wrote to memory of 1344	4384	cmd.exe	cacls.exe
PID 4384 wrote to memory of 1344	4384	cmd.exe	cacls.exe
PID 4428 wrote to memory of 4660	4428	legenda.exe	rundll32.exe
PID 4428 wrote to memory of 4660	4428	legenda.exe	rundll32.exe
PID 4428 wrote to memory of 4660	4428	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\24ccf8a4403a15628e32977ac976d180517d7f01cb33aacdbafb65bf59c58a91.exe
"C:\Users\Admin\AppData\Local\Temp\24ccf8a4403a15628e32977ac976d180517d7f01cb33aacdbafb65bf59c58a91.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6807.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6807.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5016

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1047.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1047.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0584.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0584.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3392

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9886.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9886.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6389eu.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6389eu.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 1008
6⤵
- Program crash
PID:2180

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w65YJ79.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w65YJ79.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 1340
5⤵
- Program crash
PID:1128

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xPgBG26.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xPgBG26.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y20MI50.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y20MI50.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:1432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3832

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:3572

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:3432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3484

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:1060

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:1344

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1744 -ip 1744
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1372 -ip 1372
1⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:3916

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:2076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y20MI50.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y20MI50.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6807.exe
Filesize
777KB

MD5
fb19c94aa7e94d6a2425bfd35bae7883

SHA1
b583e8311768d91faa1ee43dad6bfb519c409d33

SHA256
cd01c7b5f7b046278f6ea777f37a9ca5158b372128c8c72dcb92b6af27c49937

SHA512
dbee7ac4e4ef2c4f3be34c74e22aab7fad491784da4062b16dc63bb907b231cc2279af3f0ed8f2fcda281546e498ea11ed7e4155ec53f193d0b28f793a01c06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6807.exe
Filesize
777KB

MD5
fb19c94aa7e94d6a2425bfd35bae7883

SHA1
b583e8311768d91faa1ee43dad6bfb519c409d33

SHA256
cd01c7b5f7b046278f6ea777f37a9ca5158b372128c8c72dcb92b6af27c49937

SHA512
dbee7ac4e4ef2c4f3be34c74e22aab7fad491784da4062b16dc63bb907b231cc2279af3f0ed8f2fcda281546e498ea11ed7e4155ec53f193d0b28f793a01c06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xPgBG26.exe
Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xPgBG26.exe
Filesize
175KB

MD5
3389637c0d072121bf1b127629736d37

SHA1
300e915efdf2479bfd0d3699c0a6bc51260f9655

SHA256
2b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153

SHA512
a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1047.exe
Filesize
634KB

MD5
1c654e2c73d90d633b546f1efe2ffc99

SHA1
deaeca9c934c6650ea41637f3e4ef389ceca4c4b

SHA256
4d12c542262caae4f154e806a07008082da2e8979c7636fd43c1ec2d646de79d

SHA512
5026fb8f43947b1f1eb687414c8d605d85412187a38e7816e8c47f2c453134793adefcd52168e7401cad45fb5732941f6116b48d2b4b0ee9dedd5d2da2bf86bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1047.exe
Filesize
634KB

MD5
1c654e2c73d90d633b546f1efe2ffc99

SHA1
deaeca9c934c6650ea41637f3e4ef389ceca4c4b

SHA256
4d12c542262caae4f154e806a07008082da2e8979c7636fd43c1ec2d646de79d

SHA512
5026fb8f43947b1f1eb687414c8d605d85412187a38e7816e8c47f2c453134793adefcd52168e7401cad45fb5732941f6116b48d2b4b0ee9dedd5d2da2bf86bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w65YJ79.exe
Filesize
288KB

MD5
36926cd22a76f6b3222d3bbbd6f562bc

SHA1
e1fe8644760aa8e2d0769570532d5c84bbbe339e

SHA256
8f708223b11d9234da94603d6f39e392d3c317331f6ba0964d35cfb8dd2e0bff

SHA512
4b3949a40fb2f02b9ce8a36e4c57106df2beb1c827d9766e947a11fde1b63a26c4e988dcd287ad4244305cc984a57f1e878f503baeeb2b416651f2bae000cabc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w65YJ79.exe
Filesize
288KB

MD5
36926cd22a76f6b3222d3bbbd6f562bc

SHA1
e1fe8644760aa8e2d0769570532d5c84bbbe339e

SHA256
8f708223b11d9234da94603d6f39e392d3c317331f6ba0964d35cfb8dd2e0bff

SHA512
4b3949a40fb2f02b9ce8a36e4c57106df2beb1c827d9766e947a11fde1b63a26c4e988dcd287ad4244305cc984a57f1e878f503baeeb2b416651f2bae000cabc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0584.exe
Filesize
314KB

MD5
7f5e8c877e2d2f373f091af294f10c41

SHA1
7d3fa5aa6d3340bd8e4a53b5db3fbe758eaf615a

SHA256
0bfceeefb723bbc43a57a7272a05f72adf8fbea460a313ffd4b761e6eb6b64b3

SHA512
d10c4022d21314b932dcb30f4c2dd0bc3f5a47358be275d990e9f70729e8dd9eac235591a7aeef3acaa8aefaf59aae47a0a2e4cc11e472575172772eae5d0d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0584.exe
Filesize
314KB

MD5
7f5e8c877e2d2f373f091af294f10c41

SHA1
7d3fa5aa6d3340bd8e4a53b5db3fbe758eaf615a

SHA256
0bfceeefb723bbc43a57a7272a05f72adf8fbea460a313ffd4b761e6eb6b64b3

SHA512
d10c4022d21314b932dcb30f4c2dd0bc3f5a47358be275d990e9f70729e8dd9eac235591a7aeef3acaa8aefaf59aae47a0a2e4cc11e472575172772eae5d0d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9886.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9886.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6389eu.exe
Filesize
230KB

MD5
f2f42089598f201f49b77ae5b1be7f7e

SHA1
18ee4288f05d792cf95e6637793402adbc227a87

SHA256
5011fb11d253a80036569e7470aefcb4dbe9cd2f979528b5a09be257f2637b86

SHA512
a7484679efa6f4ce7ec1f4f406aa4e9819a1a37f65350452389d5f8bb43e69e89e9bf92931e6015c07db159437d4c100d3f99479071142b2f840314e4e8ffd7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6389eu.exe
Filesize
230KB

MD5
f2f42089598f201f49b77ae5b1be7f7e

SHA1
18ee4288f05d792cf95e6637793402adbc227a87

SHA256
5011fb11d253a80036569e7470aefcb4dbe9cd2f979528b5a09be257f2637b86

SHA512
a7484679efa6f4ce7ec1f4f406aa4e9819a1a37f65350452389d5f8bb43e69e89e9bf92931e6015c07db159437d4c100d3f99479071142b2f840314e4e8ffd7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/1372-1123-0x0000000005DA0000-0x0000000005E06000-memory.dmp

Filesize
408KB

Download
memory/1372-244-0x0000000005040000-0x000000000507E000-memory.dmp

Filesize
248KB

Download
memory/1372-1133-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download
memory/1372-1131-0x00000000069F0000-0x0000000006F1C000-memory.dmp

Filesize
5.2MB

Download
memory/1372-1130-0x0000000006820000-0x00000000069E2000-memory.dmp

Filesize
1.8MB

Download
memory/1372-1129-0x0000000006780000-0x00000000067D0000-memory.dmp

Filesize
320KB

Download
memory/1372-1128-0x00000000066E0000-0x0000000006756000-memory.dmp

Filesize
472KB

Download
memory/1372-1127-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download
memory/1372-1125-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download
memory/1372-1126-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download
memory/1372-1122-0x0000000005D00000-0x0000000005D92000-memory.dmp

Filesize
584KB

Download
memory/1372-208-0x00000000005B0000-0x00000000005FB000-memory.dmp

Filesize
300KB

Download
memory/1372-209-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download
memory/1372-210-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download
memory/1372-211-0x0000000005040000-0x000000000507E000-memory.dmp

Filesize
248KB

Download
memory/1372-212-0x0000000005040000-0x000000000507E000-memory.dmp

Filesize
248KB

Download
memory/1372-214-0x0000000005040000-0x000000000507E000-memory.dmp

Filesize
248KB

Download
memory/1372-216-0x0000000005040000-0x000000000507E000-memory.dmp

Filesize
248KB

Download
memory/1372-218-0x0000000005040000-0x000000000507E000-memory.dmp

Filesize
248KB

Download
memory/1372-220-0x0000000005040000-0x000000000507E000-memory.dmp

Filesize
248KB

Download
memory/1372-222-0x0000000005040000-0x000000000507E000-memory.dmp

Filesize
248KB

Download
memory/1372-224-0x0000000005040000-0x000000000507E000-memory.dmp

Filesize
248KB

Download
memory/1372-226-0x0000000005040000-0x000000000507E000-memory.dmp

Filesize
248KB

Download
memory/1372-228-0x0000000005040000-0x000000000507E000-memory.dmp

Filesize
248KB

Download
memory/1372-230-0x0000000005040000-0x000000000507E000-memory.dmp

Filesize
248KB

Download
memory/1372-232-0x0000000005040000-0x000000000507E000-memory.dmp

Filesize
248KB

Download
memory/1372-234-0x0000000005040000-0x000000000507E000-memory.dmp

Filesize
248KB

Download
memory/1372-236-0x0000000005040000-0x000000000507E000-memory.dmp

Filesize
248KB

Download
memory/1372-238-0x0000000005040000-0x000000000507E000-memory.dmp

Filesize
248KB

Download
memory/1372-240-0x0000000005040000-0x000000000507E000-memory.dmp

Filesize
248KB

Download
memory/1372-242-0x0000000005040000-0x000000000507E000-memory.dmp

Filesize
248KB

Download
memory/1372-1121-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download
memory/1372-1117-0x0000000005210000-0x0000000005828000-memory.dmp

Filesize
6.1MB

Download
memory/1372-1118-0x00000000058B0000-0x00000000059BA000-memory.dmp

Filesize
1.0MB

Download
memory/1372-1119-0x00000000059F0000-0x0000000005A02000-memory.dmp

Filesize
72KB

Download
memory/1372-1120-0x0000000005A10000-0x0000000005A4C000-memory.dmp

Filesize
240KB

Download
memory/1744-182-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1744-186-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1744-192-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1744-167-0x0000000004C30000-0x00000000051D4000-memory.dmp

Filesize
5.6MB

Download
memory/1744-203-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1744-201-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1744-200-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1744-199-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1744-198-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1744-196-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1744-194-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1744-184-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1744-168-0x00000000004D0000-0x00000000004FD000-memory.dmp

Filesize
180KB

Download
memory/1744-188-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1744-190-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1744-180-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1744-178-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1744-176-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1744-174-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1744-172-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1744-171-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1744-170-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1744-169-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2860-1139-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/2860-1138-0x00000000008C0000-0x00000000008F2000-memory.dmp

Filesize
200KB

Download
memory/3632-161-0x0000000000660000-0x000000000066A000-memory.dmp

Filesize
40KB

Download