amadey | a81378091b48579833fb99554f8fdb086ad799c20670f46cf4c8e1aedef6251f

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz1386.exev7990el.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz1386.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz1386.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v7990el.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v7990el.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v7990el.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v7990el.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v7990el.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz1386.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz1386.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz1386.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz1386.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v7990el.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1872-210-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/1872-211-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/1872-213-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/1872-215-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/1872-217-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/1872-219-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/1872-221-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/1872-223-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/1872-225-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/1872-227-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/1872-229-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/1872-231-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/1872-233-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/1872-235-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/1872-237-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/1872-239-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/1872-241-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/1872-243-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/1872-1125-0x0000000004E50000-0x0000000004E60000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

y30Sm41.exelegenda.exerc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	y30Sm41.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	legenda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	rc.exe

Executes dropped EXE 13 IoCs

Processes:

zap8879.exezap8688.exezap6950.exetz1386.exev7990el.exew57kA34.exexObsY35.exey30Sm41.exelegenda.exerc.exendt5tk.exelegenda.exelegenda.exe

pid	process
3956	zap8879.exe
2372	zap8688.exe
1620	zap6950.exe
4268	tz1386.exe
656	v7990el.exe
1872	w57kA34.exe
208	xObsY35.exe
4408	y30Sm41.exe
1632	legenda.exe
4188	rc.exe
4668	ndt5tk.exe
1560	legenda.exe
4988	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1932 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1932	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

v7990el.exetz1386.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v7990el.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz1386.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v7990el.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

chrome.exea81378091b48579833fb99554f8fdb086ad799c20670f46cf4c8e1aedef6251f.exezap6950.exezap8688.exezap8879.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromeAutoLaunch_A5B343D047FD8BD2F268B0EA0F8DBD7C = "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --no-startup-window /prefetch:5"	chrome.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a81378091b48579833fb99554f8fdb086ad799c20670f46cf4c8e1aedef6251f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap6950.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8688.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap8688.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a81378091b48579833fb99554f8fdb086ad799c20670f46cf4c8e1aedef6251f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8879.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap8879.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

ndt5tk.exe

description pid process target process

PID 4668 set thread context of 2684 4668 ndt5tk.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

560 656 WerFault.exe v7990el.exe
548 1872 WerFault.exe w57kA34.exe
1248 4668 WerFault.exe ndt5tk.exe

flow	ioc
39	ip-api.com

description	pid	process	target process
PID 4668 set thread context of 2684	4668	ndt5tk.exe	RegSvcs.exe

pid	pid_target	process	target process
560	656	WerFault.exe	v7990el.exe
548	1872	WerFault.exe	w57kA34.exe
1248	4668	WerFault.exe	ndt5tk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RegSvcs.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3332 schtasks.exe

pid	process
3332	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4636 taskkill.exe

pid	process
4636	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133240892506344262"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5068 PING.EXE

pid	process
5068	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

tz1386.exev7990el.exew57kA34.exexObsY35.exeRegSvcs.exechrome.exe

pid	process
4268	tz1386.exe
4268	tz1386.exe
656	v7990el.exe
656	v7990el.exe
1872	w57kA34.exe
1872	w57kA34.exe
208	xObsY35.exe
208	xObsY35.exe
2684	RegSvcs.exe
2492	chrome.exe
2492	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2492 chrome.exe
2492 chrome.exe
2492 chrome.exe
2492 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tz1386.exev7990el.exew57kA34.exexObsY35.exeRegSvcs.exetaskkill.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	4268	tz1386.exe
Token: SeDebugPrivilege	656	v7990el.exe
Token: SeDebugPrivilege	1872	w57kA34.exe
Token: SeDebugPrivilege	208	xObsY35.exe
Token: SeDebugPrivilege	2684	RegSvcs.exe
Token: SeDebugPrivilege	4636	taskkill.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeCreatePagefilePrivilege	2492	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

chrome.exe

pid	process
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

chrome.exe

pid	process
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a81378091b48579833fb99554f8fdb086ad799c20670f46cf4c8e1aedef6251f.exezap8879.exezap8688.exezap6950.exey30Sm41.exelegenda.execmd.exerc.exendt5tk.exe

description	pid	process	target process
PID 2256 wrote to memory of 3956	2256	a81378091b48579833fb99554f8fdb086ad799c20670f46cf4c8e1aedef6251f.exe	zap8879.exe
PID 2256 wrote to memory of 3956	2256	a81378091b48579833fb99554f8fdb086ad799c20670f46cf4c8e1aedef6251f.exe	zap8879.exe
PID 2256 wrote to memory of 3956	2256	a81378091b48579833fb99554f8fdb086ad799c20670f46cf4c8e1aedef6251f.exe	zap8879.exe
PID 3956 wrote to memory of 2372	3956	zap8879.exe	zap8688.exe
PID 3956 wrote to memory of 2372	3956	zap8879.exe	zap8688.exe
PID 3956 wrote to memory of 2372	3956	zap8879.exe	zap8688.exe
PID 2372 wrote to memory of 1620	2372	zap8688.exe	zap6950.exe
PID 2372 wrote to memory of 1620	2372	zap8688.exe	zap6950.exe
PID 2372 wrote to memory of 1620	2372	zap8688.exe	zap6950.exe
PID 1620 wrote to memory of 4268	1620	zap6950.exe	tz1386.exe
PID 1620 wrote to memory of 4268	1620	zap6950.exe	tz1386.exe
PID 1620 wrote to memory of 656	1620	zap6950.exe	v7990el.exe
PID 1620 wrote to memory of 656	1620	zap6950.exe	v7990el.exe
PID 1620 wrote to memory of 656	1620	zap6950.exe	v7990el.exe
PID 2372 wrote to memory of 1872	2372	zap8688.exe	w57kA34.exe
PID 2372 wrote to memory of 1872	2372	zap8688.exe	w57kA34.exe
PID 2372 wrote to memory of 1872	2372	zap8688.exe	w57kA34.exe
PID 3956 wrote to memory of 208	3956	zap8879.exe	xObsY35.exe
PID 3956 wrote to memory of 208	3956	zap8879.exe	xObsY35.exe
PID 3956 wrote to memory of 208	3956	zap8879.exe	xObsY35.exe
PID 2256 wrote to memory of 4408	2256	a81378091b48579833fb99554f8fdb086ad799c20670f46cf4c8e1aedef6251f.exe	y30Sm41.exe
PID 2256 wrote to memory of 4408	2256	a81378091b48579833fb99554f8fdb086ad799c20670f46cf4c8e1aedef6251f.exe	y30Sm41.exe
PID 2256 wrote to memory of 4408	2256	a81378091b48579833fb99554f8fdb086ad799c20670f46cf4c8e1aedef6251f.exe	y30Sm41.exe
PID 4408 wrote to memory of 1632	4408	y30Sm41.exe	legenda.exe
PID 4408 wrote to memory of 1632	4408	y30Sm41.exe	legenda.exe
PID 4408 wrote to memory of 1632	4408	y30Sm41.exe	legenda.exe
PID 1632 wrote to memory of 3332	1632	legenda.exe	schtasks.exe
PID 1632 wrote to memory of 3332	1632	legenda.exe	schtasks.exe
PID 1632 wrote to memory of 3332	1632	legenda.exe	schtasks.exe
PID 1632 wrote to memory of 3296	1632	legenda.exe	cmd.exe
PID 1632 wrote to memory of 3296	1632	legenda.exe	cmd.exe
PID 1632 wrote to memory of 3296	1632	legenda.exe	cmd.exe
PID 3296 wrote to memory of 572	3296	cmd.exe	cmd.exe
PID 3296 wrote to memory of 572	3296	cmd.exe	cmd.exe
PID 3296 wrote to memory of 572	3296	cmd.exe	cmd.exe
PID 3296 wrote to memory of 4796	3296	cmd.exe	cacls.exe
PID 3296 wrote to memory of 4796	3296	cmd.exe	cacls.exe
PID 3296 wrote to memory of 4796	3296	cmd.exe	cacls.exe
PID 3296 wrote to memory of 3240	3296	cmd.exe	cacls.exe
PID 3296 wrote to memory of 3240	3296	cmd.exe	cacls.exe
PID 3296 wrote to memory of 3240	3296	cmd.exe	cacls.exe
PID 3296 wrote to memory of 3224	3296	cmd.exe	cmd.exe
PID 3296 wrote to memory of 3224	3296	cmd.exe	cmd.exe
PID 3296 wrote to memory of 3224	3296	cmd.exe	cmd.exe
PID 3296 wrote to memory of 4788	3296	cmd.exe	cacls.exe
PID 3296 wrote to memory of 4788	3296	cmd.exe	cacls.exe
PID 3296 wrote to memory of 4788	3296	cmd.exe	cacls.exe
PID 3296 wrote to memory of 5016	3296	cmd.exe	cacls.exe
PID 3296 wrote to memory of 5016	3296	cmd.exe	cacls.exe
PID 3296 wrote to memory of 5016	3296	cmd.exe	cacls.exe
PID 1632 wrote to memory of 4188	1632	legenda.exe	rc.exe
PID 1632 wrote to memory of 4188	1632	legenda.exe	rc.exe
PID 1632 wrote to memory of 4188	1632	legenda.exe	rc.exe
PID 1632 wrote to memory of 4668	1632	legenda.exe	ndt5tk.exe
PID 1632 wrote to memory of 4668	1632	legenda.exe	ndt5tk.exe
PID 1632 wrote to memory of 4668	1632	legenda.exe	ndt5tk.exe
PID 4188 wrote to memory of 1392	4188	rc.exe	cmd.exe
PID 4188 wrote to memory of 1392	4188	rc.exe	cmd.exe
PID 4188 wrote to memory of 1392	4188	rc.exe	cmd.exe
PID 4668 wrote to memory of 2684	4668	ndt5tk.exe	RegSvcs.exe
PID 4668 wrote to memory of 2684	4668	ndt5tk.exe	RegSvcs.exe
PID 4668 wrote to memory of 2684	4668	ndt5tk.exe	RegSvcs.exe
PID 4668 wrote to memory of 2684	4668	ndt5tk.exe	RegSvcs.exe
PID 4668 wrote to memory of 2684	4668	ndt5tk.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\a81378091b48579833fb99554f8fdb086ad799c20670f46cf4c8e1aedef6251f.exe
"C:\Users\Admin\AppData\Local\Temp\a81378091b48579833fb99554f8fdb086ad799c20670f46cf4c8e1aedef6251f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2256

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8879.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8879.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3956

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8688.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8688.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6950.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6950.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1386.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1386.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7990el.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7990el.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 1088
6⤵
- Program crash
PID:560

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w57kA34.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w57kA34.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 1336
5⤵
- Program crash
PID:548

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xObsY35.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xObsY35.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y30Sm41.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y30Sm41.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:3332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:572

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:4796

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3224

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:4788

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe
"C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c TASKKILL /IM chrome.exe /F
5⤵
PID:1392

C:\Windows\SysWOW64\taskkill.exe
TASKKILL /IM chrome.exe /F
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\Admin\AppData\Roaming\extension_chrome"
5⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa5f9f9758,0x7ffa5f9f9768,0x7ffa5f9f9778
6⤵
PID:4556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 --field-trial-handle=1848,i,9523612368400156524,16675567871013673831,131072 /prefetch:2
6⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1848,i,9523612368400156524,16675567871013673831,131072 /prefetch:8
6⤵
PID:3896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2300 --field-trial-handle=1848,i,9523612368400156524,16675567871013673831,131072 /prefetch:8
6⤵
PID:3800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3256 --field-trial-handle=1848,i,9523612368400156524,16675567871013673831,131072 /prefetch:1
6⤵
PID:552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3280 --field-trial-handle=1848,i,9523612368400156524,16675567871013673831,131072 /prefetch:1
6⤵
PID:1760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3912 --field-trial-handle=1848,i,9523612368400156524,16675567871013673831,131072 /prefetch:1
6⤵
PID:1800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4852 --field-trial-handle=1848,i,9523612368400156524,16675567871013673831,131072 /prefetch:1
6⤵
PID:3208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4972 --field-trial-handle=1848,i,9523612368400156524,16675567871013673831,131072 /prefetch:8
6⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5140 --field-trial-handle=1848,i,9523612368400156524,16675567871013673831,131072 /prefetch:8
6⤵
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1848,i,9523612368400156524,16675567871013673831,131072 /prefetch:8
6⤵
PID:2472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 --field-trial-handle=1848,i,9523612368400156524,16675567871013673831,131072 /prefetch:8
6⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1000142001\rc.exe"
5⤵
PID:1336

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
6⤵
- Runs ping.exe
PID:5068

C:\Users\Admin\AppData\Local\Temp\1000145001\ndt5tk.exe
"C:\Users\Admin\AppData\Local\Temp\1000145001\ndt5tk.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2684

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
6⤵
PID:2408

C:\Windows\SysWOW64\chcp.com
chcp 65001
7⤵
PID:4476

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
7⤵
PID:2576

C:\Windows\SysWOW64\findstr.exe
findstr All
7⤵
PID:3120

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
6⤵
PID:100

C:\Windows\SysWOW64\chcp.com
chcp 65001
7⤵
PID:2136

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile name="65001" key=clear
7⤵
PID:5084

C:\Windows\SysWOW64\findstr.exe
findstr Key
7⤵
PID:500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 568
5⤵
- Program crash
PID:1248

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 656 -ip 656
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1872 -ip 1872
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4668 -ip 4668
1⤵
PID:3404

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:1560

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery