amadey | 712e74930fea5f1e584222ebaa41dddd598678ee65c2efa62c100c76d598a0fd

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz1280.exev4899lc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz1280.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz1280.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz1280.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v4899lc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v4899lc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v4899lc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz1280.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz1280.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz1280.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v4899lc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v4899lc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v4899lc.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3468-209-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3468-210-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3468-212-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3468-214-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3468-216-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3468-218-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3468-220-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3468-222-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3468-224-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3468-229-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3468-231-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3468-233-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3468-235-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3468-237-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3468-239-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3468-241-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3468-243-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3468-245-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/3468-1128-0x0000000004E10000-0x0000000004E20000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

legenda.exerc.exey52Uf12.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	legenda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	rc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	y52Uf12.exe

Executes dropped EXE 12 IoCs

Processes:

zap2107.exezap8269.exezap1081.exetz1280.exev4899lc.exew73ir45.exexqdiQ52.exey52Uf12.exelegenda.exerc.exendt5tk.exelegenda.exe

pid	process
1544	zap2107.exe
2404	zap8269.exe
4848	zap1081.exe
2796	tz1280.exe
3452	v4899lc.exe
3468	w73ir45.exe
3476	xqdiQ52.exe
3684	y52Uf12.exe
1680	legenda.exe
1820	rc.exe
2228	ndt5tk.exe
4464	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3468 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3468	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

tz1280.exev4899lc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz1280.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v4899lc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v4899lc.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

chrome.exezap2107.exezap8269.exezap1081.exe712e74930fea5f1e584222ebaa41dddd598678ee65c2efa62c100c76d598a0fd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2107.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8269.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap2107.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap8269.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1081.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap1081.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromeAutoLaunch_A5B343D047FD8BD2F268B0EA0F8DBD7C = "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --no-startup-window /prefetch:5"	chrome.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	712e74930fea5f1e584222ebaa41dddd598678ee65c2efa62c100c76d598a0fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	712e74930fea5f1e584222ebaa41dddd598678ee65c2efa62c100c76d598a0fd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

59 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

ndt5tk.exe

description pid process target process

PID 2228 set thread context of 3992 2228 ndt5tk.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1336 3452 WerFault.exe v4899lc.exe
2380 3468 WerFault.exe w73ir45.exe
4924 2228 WerFault.exe ndt5tk.exe

flow	ioc
59	ip-api.com

description	pid	process	target process
PID 2228 set thread context of 3992	2228	ndt5tk.exe	RegSvcs.exe

pid	pid_target	process	target process
1336	3452	WerFault.exe	v4899lc.exe
2380	3468	WerFault.exe	w73ir45.exe
4924	2228	WerFault.exe	ndt5tk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RegSvcs.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

652 schtasks.exe

pid	process
652	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3740 taskkill.exe

pid	process
3740	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133240842215714493"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3480 PING.EXE

pid	process
3480	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

tz1280.exev4899lc.exew73ir45.exexqdiQ52.exeRegSvcs.exechrome.exe

pid	process
2796	tz1280.exe
2796	tz1280.exe
3452	v4899lc.exe
3452	v4899lc.exe
3468	w73ir45.exe
3468	w73ir45.exe
3476	xqdiQ52.exe
3476	xqdiQ52.exe
3992	RegSvcs.exe
4400	chrome.exe
4400	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4400 chrome.exe
4400 chrome.exe
4400 chrome.exe
4400 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tz1280.exev4899lc.exew73ir45.exexqdiQ52.exetaskkill.exeRegSvcs.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2796	tz1280.exe
Token: SeDebugPrivilege	3452	v4899lc.exe
Token: SeDebugPrivilege	3468	w73ir45.exe
Token: SeDebugPrivilege	3476	xqdiQ52.exe
Token: SeDebugPrivilege	3740	taskkill.exe
Token: SeDebugPrivilege	3992	RegSvcs.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

chrome.exe

pid	process
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

chrome.exe

pid	process
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

712e74930fea5f1e584222ebaa41dddd598678ee65c2efa62c100c76d598a0fd.exezap2107.exezap8269.exezap1081.exey52Uf12.exelegenda.execmd.exerc.execmd.exendt5tk.exe

description	pid	process	target process
PID 5092 wrote to memory of 1544	5092	712e74930fea5f1e584222ebaa41dddd598678ee65c2efa62c100c76d598a0fd.exe	zap2107.exe
PID 5092 wrote to memory of 1544	5092	712e74930fea5f1e584222ebaa41dddd598678ee65c2efa62c100c76d598a0fd.exe	zap2107.exe
PID 5092 wrote to memory of 1544	5092	712e74930fea5f1e584222ebaa41dddd598678ee65c2efa62c100c76d598a0fd.exe	zap2107.exe
PID 1544 wrote to memory of 2404	1544	zap2107.exe	zap8269.exe
PID 1544 wrote to memory of 2404	1544	zap2107.exe	zap8269.exe
PID 1544 wrote to memory of 2404	1544	zap2107.exe	zap8269.exe
PID 2404 wrote to memory of 4848	2404	zap8269.exe	zap1081.exe
PID 2404 wrote to memory of 4848	2404	zap8269.exe	zap1081.exe
PID 2404 wrote to memory of 4848	2404	zap8269.exe	zap1081.exe
PID 4848 wrote to memory of 2796	4848	zap1081.exe	tz1280.exe
PID 4848 wrote to memory of 2796	4848	zap1081.exe	tz1280.exe
PID 4848 wrote to memory of 3452	4848	zap1081.exe	v4899lc.exe
PID 4848 wrote to memory of 3452	4848	zap1081.exe	v4899lc.exe
PID 4848 wrote to memory of 3452	4848	zap1081.exe	v4899lc.exe
PID 2404 wrote to memory of 3468	2404	zap8269.exe	w73ir45.exe
PID 2404 wrote to memory of 3468	2404	zap8269.exe	w73ir45.exe
PID 2404 wrote to memory of 3468	2404	zap8269.exe	w73ir45.exe
PID 1544 wrote to memory of 3476	1544	zap2107.exe	xqdiQ52.exe
PID 1544 wrote to memory of 3476	1544	zap2107.exe	xqdiQ52.exe
PID 1544 wrote to memory of 3476	1544	zap2107.exe	xqdiQ52.exe
PID 5092 wrote to memory of 3684	5092	712e74930fea5f1e584222ebaa41dddd598678ee65c2efa62c100c76d598a0fd.exe	y52Uf12.exe
PID 5092 wrote to memory of 3684	5092	712e74930fea5f1e584222ebaa41dddd598678ee65c2efa62c100c76d598a0fd.exe	y52Uf12.exe
PID 5092 wrote to memory of 3684	5092	712e74930fea5f1e584222ebaa41dddd598678ee65c2efa62c100c76d598a0fd.exe	y52Uf12.exe
PID 3684 wrote to memory of 1680	3684	y52Uf12.exe	legenda.exe
PID 3684 wrote to memory of 1680	3684	y52Uf12.exe	legenda.exe
PID 3684 wrote to memory of 1680	3684	y52Uf12.exe	legenda.exe
PID 1680 wrote to memory of 652	1680	legenda.exe	schtasks.exe
PID 1680 wrote to memory of 652	1680	legenda.exe	schtasks.exe
PID 1680 wrote to memory of 652	1680	legenda.exe	schtasks.exe
PID 1680 wrote to memory of 1840	1680	legenda.exe	cmd.exe
PID 1680 wrote to memory of 1840	1680	legenda.exe	cmd.exe
PID 1680 wrote to memory of 1840	1680	legenda.exe	cmd.exe
PID 1840 wrote to memory of 3508	1840	cmd.exe	cmd.exe
PID 1840 wrote to memory of 3508	1840	cmd.exe	cmd.exe
PID 1840 wrote to memory of 3508	1840	cmd.exe	cmd.exe
PID 1840 wrote to memory of 2776	1840	cmd.exe	cacls.exe
PID 1840 wrote to memory of 2776	1840	cmd.exe	cacls.exe
PID 1840 wrote to memory of 2776	1840	cmd.exe	cacls.exe
PID 1840 wrote to memory of 4328	1840	cmd.exe	cacls.exe
PID 1840 wrote to memory of 4328	1840	cmd.exe	cacls.exe
PID 1840 wrote to memory of 4328	1840	cmd.exe	cacls.exe
PID 1840 wrote to memory of 704	1840	cmd.exe	cmd.exe
PID 1840 wrote to memory of 704	1840	cmd.exe	cmd.exe
PID 1840 wrote to memory of 704	1840	cmd.exe	cmd.exe
PID 1840 wrote to memory of 4928	1840	cmd.exe	cacls.exe
PID 1840 wrote to memory of 4928	1840	cmd.exe	cacls.exe
PID 1840 wrote to memory of 4928	1840	cmd.exe	cacls.exe
PID 1840 wrote to memory of 3300	1840	cmd.exe	cacls.exe
PID 1840 wrote to memory of 3300	1840	cmd.exe	cacls.exe
PID 1840 wrote to memory of 3300	1840	cmd.exe	cacls.exe
PID 1680 wrote to memory of 1820	1680	legenda.exe	rc.exe
PID 1680 wrote to memory of 1820	1680	legenda.exe	rc.exe
PID 1680 wrote to memory of 1820	1680	legenda.exe	rc.exe
PID 1820 wrote to memory of 1152	1820	rc.exe	cmd.exe
PID 1820 wrote to memory of 1152	1820	rc.exe	cmd.exe
PID 1820 wrote to memory of 1152	1820	rc.exe	cmd.exe
PID 1680 wrote to memory of 2228	1680	legenda.exe	ndt5tk.exe
PID 1680 wrote to memory of 2228	1680	legenda.exe	ndt5tk.exe
PID 1680 wrote to memory of 2228	1680	legenda.exe	ndt5tk.exe
PID 1152 wrote to memory of 3740	1152	cmd.exe	taskkill.exe
PID 1152 wrote to memory of 3740	1152	cmd.exe	taskkill.exe
PID 1152 wrote to memory of 3740	1152	cmd.exe	taskkill.exe
PID 2228 wrote to memory of 3992	2228	ndt5tk.exe	RegSvcs.exe
PID 2228 wrote to memory of 3992	2228	ndt5tk.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\712e74930fea5f1e584222ebaa41dddd598678ee65c2efa62c100c76d598a0fd.exe
"C:\Users\Admin\AppData\Local\Temp\712e74930fea5f1e584222ebaa41dddd598678ee65c2efa62c100c76d598a0fd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5092

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2107.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2107.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8269.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8269.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2404

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1081.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1081.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1280.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1280.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4899lc.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4899lc.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 1080
6⤵
- Program crash
PID:1336

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w73ir45.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w73ir45.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1328
5⤵
- Program crash
PID:2380

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xqdiQ52.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xqdiQ52.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y52Uf12.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y52Uf12.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3508

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:2776

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:704

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:4928

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe
"C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c TASKKILL /IM chrome.exe /F
5⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\taskkill.exe
TASKKILL /IM chrome.exe /F
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\Admin\AppData\Roaming\extension_chrome"
5⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffc59079758,0x7ffc59079768,0x7ffc59079778
6⤵
PID:1484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1848,i,4072541575625872197,1774915670154547490,131072 /prefetch:2
6⤵
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1848,i,4072541575625872197,1774915670154547490,131072 /prefetch:8
6⤵
PID:1408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 --field-trial-handle=1848,i,4072541575625872197,1774915670154547490,131072 /prefetch:8
6⤵
PID:2292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3168 --field-trial-handle=1848,i,4072541575625872197,1774915670154547490,131072 /prefetch:1
6⤵
PID:4908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3200 --field-trial-handle=1848,i,4072541575625872197,1774915670154547490,131072 /prefetch:1
6⤵
PID:4624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3864 --field-trial-handle=1848,i,4072541575625872197,1774915670154547490,131072 /prefetch:1
6⤵
PID:4000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4668 --field-trial-handle=1848,i,4072541575625872197,1774915670154547490,131072 /prefetch:1
6⤵
PID:2696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3840 --field-trial-handle=1848,i,4072541575625872197,1774915670154547490,131072 /prefetch:8
6⤵
PID:4572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 --field-trial-handle=1848,i,4072541575625872197,1774915670154547490,131072 /prefetch:8
6⤵
PID:2044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1848,i,4072541575625872197,1774915670154547490,131072 /prefetch:8
6⤵
PID:1916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 --field-trial-handle=1848,i,4072541575625872197,1774915670154547490,131072 /prefetch:8
6⤵
PID:3988

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe"
5⤵
PID:3856

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
6⤵
- Runs ping.exe
PID:3480

C:\Users\Admin\AppData\Local\Temp\1000145001\ndt5tk.exe
"C:\Users\Admin\AppData\Local\Temp\1000145001\ndt5tk.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3992

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
6⤵
PID:224

C:\Windows\SysWOW64\chcp.com
chcp 65001
7⤵
PID:2380

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
7⤵
PID:1708

C:\Windows\SysWOW64\findstr.exe
findstr All
7⤵
PID:4156

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
6⤵
PID:1020

C:\Windows\SysWOW64\chcp.com
chcp 65001
7⤵
PID:3476

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile name="65001" key=clear
7⤵
PID:4832

C:\Windows\SysWOW64\findstr.exe
findstr Key
7⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 576
5⤵
- Program crash
PID:4924

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3452 -ip 3452
1⤵
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3468 -ip 3468
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2228 -ip 2228
1⤵
PID:4172

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery