amadey | ded5d2c894252a152393cb7a09dcd9dbfd235067d501475d9a27b81b08a3866c

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ded5d2c894252a152393cb7a09dcd9dbfd235067d501475d9a27b81b08a3866c.exe
Size

1.0MB
MD5

a7deec0da4a0031107627848ebac68cd
SHA1

45629b801aa8c8305d8d32b382d79a9e134e47a8
SHA256

ded5d2c894252a152393cb7a09dcd9dbfd235067d501475d9a27b81b08a3866c
SHA512

b8fd1b51781ace31b5bad57f67682722091abb13e273d627f8486cbf64c3769b4cee912b1b60df3f6cbcd0a879035f99f2ceb2ff6b44b441dab6a73375087856
SSDEEP

24576:QyMIcMTNqAVdA/KqHK9v7b0NspTaoPHs8V9/FFmBAUmvR6V:X3cMT8UdARq9TwKPHs8Vj7vR

Score

10^/10

amadey redline boris lida discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

lida

193.233.20.32:4125

Attributes

auth_value
24052aa2e9b85984a98d80cf08623e8d

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz7343.exev3231cV.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz7343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz7343.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v3231cV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v3231cV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v3231cV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz7343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz7343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz7343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v3231cV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v3231cV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v3231cV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz7343.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3540-213-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/3540-214-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/3540-218-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/3540-222-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/3540-224-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/3540-226-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/3540-228-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/3540-230-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/3540-232-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/3540-234-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/3540-236-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/3540-238-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/3540-240-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/3540-242-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/3540-244-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/3540-246-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline
behavioral1/memory/3540-248-0x0000000007740000-0x000000000777F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y43wv49.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	y43wv49.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 10 IoCs

Processes:

zap0733.exezap2823.exezap6652.exetz7343.exev3231cV.exew59GP56.exexyHJX36.exey43wv49.exelegenda.exelegenda.exe

pid	process
1844	zap0733.exe
1512	zap2823.exe
2192	zap6652.exe
4904	tz7343.exe
4288	v3231cV.exe
3540	w59GP56.exe
4612	xyHJX36.exe
4820	y43wv49.exe
4424	legenda.exe
4356	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4568 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4568	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v3231cV.exetz7343.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v3231cV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v3231cV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz7343.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap6652.exeded5d2c894252a152393cb7a09dcd9dbfd235067d501475d9a27b81b08a3866c.exezap0733.exezap2823.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6652.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap6652.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ded5d2c894252a152393cb7a09dcd9dbfd235067d501475d9a27b81b08a3866c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ded5d2c894252a152393cb7a09dcd9dbfd235067d501475d9a27b81b08a3866c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap0733.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap0733.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2823.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap2823.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4952 4288 WerFault.exe v3231cV.exe
1800 3540 WerFault.exe w59GP56.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4368 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz7343.exev3231cV.exew59GP56.exexyHJX36.exe

pid process

4904 tz7343.exe
4904 tz7343.exe
4288 v3231cV.exe
4288 v3231cV.exe
3540 w59GP56.exe
3540 w59GP56.exe
4612 xyHJX36.exe
4612 xyHJX36.exe

pid	pid_target	process	target process
4952	4288	WerFault.exe	v3231cV.exe
1800	3540	WerFault.exe	w59GP56.exe

pid	process
4368	schtasks.exe

pid	process
4904	tz7343.exe
4904	tz7343.exe
4288	v3231cV.exe
4288	v3231cV.exe
3540	w59GP56.exe
3540	w59GP56.exe
4612	xyHJX36.exe
4612	xyHJX36.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz7343.exev3231cV.exew59GP56.exexyHJX36.exe

description	pid	process
Token: SeDebugPrivilege	4904	tz7343.exe
Token: SeDebugPrivilege	4288	v3231cV.exe
Token: SeDebugPrivilege	3540	w59GP56.exe
Token: SeDebugPrivilege	4612	xyHJX36.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

ded5d2c894252a152393cb7a09dcd9dbfd235067d501475d9a27b81b08a3866c.exezap0733.exezap2823.exezap6652.exey43wv49.exelegenda.execmd.exe

description	pid	process	target process
PID 5028 wrote to memory of 1844	5028	ded5d2c894252a152393cb7a09dcd9dbfd235067d501475d9a27b81b08a3866c.exe	zap0733.exe
PID 5028 wrote to memory of 1844	5028	ded5d2c894252a152393cb7a09dcd9dbfd235067d501475d9a27b81b08a3866c.exe	zap0733.exe
PID 5028 wrote to memory of 1844	5028	ded5d2c894252a152393cb7a09dcd9dbfd235067d501475d9a27b81b08a3866c.exe	zap0733.exe
PID 1844 wrote to memory of 1512	1844	zap0733.exe	zap2823.exe
PID 1844 wrote to memory of 1512	1844	zap0733.exe	zap2823.exe
PID 1844 wrote to memory of 1512	1844	zap0733.exe	zap2823.exe
PID 1512 wrote to memory of 2192	1512	zap2823.exe	zap6652.exe
PID 1512 wrote to memory of 2192	1512	zap2823.exe	zap6652.exe
PID 1512 wrote to memory of 2192	1512	zap2823.exe	zap6652.exe
PID 2192 wrote to memory of 4904	2192	zap6652.exe	tz7343.exe
PID 2192 wrote to memory of 4904	2192	zap6652.exe	tz7343.exe
PID 2192 wrote to memory of 4288	2192	zap6652.exe	v3231cV.exe
PID 2192 wrote to memory of 4288	2192	zap6652.exe	v3231cV.exe
PID 2192 wrote to memory of 4288	2192	zap6652.exe	v3231cV.exe
PID 1512 wrote to memory of 3540	1512	zap2823.exe	w59GP56.exe
PID 1512 wrote to memory of 3540	1512	zap2823.exe	w59GP56.exe
PID 1512 wrote to memory of 3540	1512	zap2823.exe	w59GP56.exe
PID 1844 wrote to memory of 4612	1844	zap0733.exe	xyHJX36.exe
PID 1844 wrote to memory of 4612	1844	zap0733.exe	xyHJX36.exe
PID 1844 wrote to memory of 4612	1844	zap0733.exe	xyHJX36.exe
PID 5028 wrote to memory of 4820	5028	ded5d2c894252a152393cb7a09dcd9dbfd235067d501475d9a27b81b08a3866c.exe	y43wv49.exe
PID 5028 wrote to memory of 4820	5028	ded5d2c894252a152393cb7a09dcd9dbfd235067d501475d9a27b81b08a3866c.exe	y43wv49.exe
PID 5028 wrote to memory of 4820	5028	ded5d2c894252a152393cb7a09dcd9dbfd235067d501475d9a27b81b08a3866c.exe	y43wv49.exe
PID 4820 wrote to memory of 4424	4820	y43wv49.exe	legenda.exe
PID 4820 wrote to memory of 4424	4820	y43wv49.exe	legenda.exe
PID 4820 wrote to memory of 4424	4820	y43wv49.exe	legenda.exe
PID 4424 wrote to memory of 4368	4424	legenda.exe	schtasks.exe
PID 4424 wrote to memory of 4368	4424	legenda.exe	schtasks.exe
PID 4424 wrote to memory of 4368	4424	legenda.exe	schtasks.exe
PID 4424 wrote to memory of 5064	4424	legenda.exe	cmd.exe
PID 4424 wrote to memory of 5064	4424	legenda.exe	cmd.exe
PID 4424 wrote to memory of 5064	4424	legenda.exe	cmd.exe
PID 5064 wrote to memory of 2984	5064	cmd.exe	cmd.exe
PID 5064 wrote to memory of 2984	5064	cmd.exe	cmd.exe
PID 5064 wrote to memory of 2984	5064	cmd.exe	cmd.exe
PID 5064 wrote to memory of 4540	5064	cmd.exe	cacls.exe
PID 5064 wrote to memory of 4540	5064	cmd.exe	cacls.exe
PID 5064 wrote to memory of 4540	5064	cmd.exe	cacls.exe
PID 5064 wrote to memory of 2096	5064	cmd.exe	cacls.exe
PID 5064 wrote to memory of 2096	5064	cmd.exe	cacls.exe
PID 5064 wrote to memory of 2096	5064	cmd.exe	cacls.exe
PID 5064 wrote to memory of 3676	5064	cmd.exe	cmd.exe
PID 5064 wrote to memory of 3676	5064	cmd.exe	cmd.exe
PID 5064 wrote to memory of 3676	5064	cmd.exe	cmd.exe
PID 5064 wrote to memory of 3408	5064	cmd.exe	cacls.exe
PID 5064 wrote to memory of 3408	5064	cmd.exe	cacls.exe
PID 5064 wrote to memory of 3408	5064	cmd.exe	cacls.exe
PID 5064 wrote to memory of 2344	5064	cmd.exe	cacls.exe
PID 5064 wrote to memory of 2344	5064	cmd.exe	cacls.exe
PID 5064 wrote to memory of 2344	5064	cmd.exe	cacls.exe
PID 4424 wrote to memory of 4568	4424	legenda.exe	rundll32.exe
PID 4424 wrote to memory of 4568	4424	legenda.exe	rundll32.exe
PID 4424 wrote to memory of 4568	4424	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ded5d2c894252a152393cb7a09dcd9dbfd235067d501475d9a27b81b08a3866c.exe
"C:\Users\Admin\AppData\Local\Temp\ded5d2c894252a152393cb7a09dcd9dbfd235067d501475d9a27b81b08a3866c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5028

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0733.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0733.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2823.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2823.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6652.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6652.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2192

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7343.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7343.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3231cV.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3231cV.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1088
6⤵
- Program crash
PID:4952

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w59GP56.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w59GP56.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 2032
5⤵
- Program crash
PID:1800

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xyHJX36.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xyHJX36.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y43wv49.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y43wv49.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:4368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2984

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:4540

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3676

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:3408

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:2344

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4288 -ip 4288
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 3540 -ip 3540
1⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y43wv49.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y43wv49.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0733.exe
Filesize
857KB

MD5
f9c4e374cbfa06b74dbc649f4a19ae7b

SHA1
b5cd6462ffbd01c713084a0dd4cc079251ac481d

SHA256
d72837ea81162a22add661b8c3e02da0703ea57403a30a6b3d901bc85e7cb959

SHA512
95051e00dec19334bfa368f16dde7e52b9af1560e228520c620be3e2fa52321e358a7da4a66d414fdc0d86a4aaf178357f1391ac25b3e39a1b9259c8df699c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0733.exe
Filesize
857KB

MD5
f9c4e374cbfa06b74dbc649f4a19ae7b

SHA1
b5cd6462ffbd01c713084a0dd4cc079251ac481d

SHA256
d72837ea81162a22add661b8c3e02da0703ea57403a30a6b3d901bc85e7cb959

SHA512
95051e00dec19334bfa368f16dde7e52b9af1560e228520c620be3e2fa52321e358a7da4a66d414fdc0d86a4aaf178357f1391ac25b3e39a1b9259c8df699c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xyHJX36.exe
Filesize
175KB

MD5
6b06147bf5fd26306978a93fe83127a4

SHA1
7b14ff42f4441b985591ef5b7d4cc703f0bbcdfa

SHA256
11e6d45ae92fc4505f14f550d01d97a42fba91a999b900daf843251772c755e0

SHA512
603007d99e52da5739040fee891c193123dc5741985de1c3dde091dd07e759336ec749312e4ab95d05c1c6681f10e56b4e9aee67d633a97b6aa25c5119f4d6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xyHJX36.exe
Filesize
175KB

MD5
6b06147bf5fd26306978a93fe83127a4

SHA1
7b14ff42f4441b985591ef5b7d4cc703f0bbcdfa

SHA256
11e6d45ae92fc4505f14f550d01d97a42fba91a999b900daf843251772c755e0

SHA512
603007d99e52da5739040fee891c193123dc5741985de1c3dde091dd07e759336ec749312e4ab95d05c1c6681f10e56b4e9aee67d633a97b6aa25c5119f4d6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2823.exe
Filesize
715KB

MD5
185e5a9b3637ec43db1f9375434f424e

SHA1
57c681ac0610a59b3711572fa56dda9d9699623e

SHA256
ae6d3ce4974fe22d35849575c69eb7c9133762a9b577ae7e851360d245ab6dd2

SHA512
75c2c6201078369ece05f690571b4a52905bf49654fc5d1c5319053e6715de9df33ba19c9988e6b6acda01cefa3956451584fa38f8449a5fb25773acf3b41552

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2823.exe
Filesize
715KB

MD5
185e5a9b3637ec43db1f9375434f424e

SHA1
57c681ac0610a59b3711572fa56dda9d9699623e

SHA256
ae6d3ce4974fe22d35849575c69eb7c9133762a9b577ae7e851360d245ab6dd2

SHA512
75c2c6201078369ece05f690571b4a52905bf49654fc5d1c5319053e6715de9df33ba19c9988e6b6acda01cefa3956451584fa38f8449a5fb25773acf3b41552

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w59GP56.exe
Filesize
387KB

MD5
5260f9eb45bca377f6739cf0f8064391

SHA1
5a7564ef7d569b1f3363fa53a9f945151ef16338

SHA256
0babc39839567e18cd9b387dc5deb5fb03c7fd3c8575fd9354614c18de97eb6c

SHA512
872a2e63d4e26641ea2a9ebedc4e11240d7576a4c9e17cddc606354e2a963872024d20a653258502bb33c9021db81303869db527b40b41bb6dcb82a58fb38377

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w59GP56.exe
Filesize
387KB

MD5
5260f9eb45bca377f6739cf0f8064391

SHA1
5a7564ef7d569b1f3363fa53a9f945151ef16338

SHA256
0babc39839567e18cd9b387dc5deb5fb03c7fd3c8575fd9354614c18de97eb6c

SHA512
872a2e63d4e26641ea2a9ebedc4e11240d7576a4c9e17cddc606354e2a963872024d20a653258502bb33c9021db81303869db527b40b41bb6dcb82a58fb38377

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6652.exe
Filesize
354KB

MD5
2573a8743580b1c10ce2b81dc0765a8b

SHA1
4d6d1eab416c56e22f4e7bae8eac061e2440e6c6

SHA256
f0806519779a13e5acac978cf75fe42a709252d54378f50c7897ed46b5ce6c0e

SHA512
b0fc452bbc06c88ad15a1b2cceb3b609466e4e44281d5bfc40058a51798077e09d712d262c493b5329112311b27e19dc125663440c3b5a52003109ec7fa18828

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6652.exe
Filesize
354KB

MD5
2573a8743580b1c10ce2b81dc0765a8b

SHA1
4d6d1eab416c56e22f4e7bae8eac061e2440e6c6

SHA256
f0806519779a13e5acac978cf75fe42a709252d54378f50c7897ed46b5ce6c0e

SHA512
b0fc452bbc06c88ad15a1b2cceb3b609466e4e44281d5bfc40058a51798077e09d712d262c493b5329112311b27e19dc125663440c3b5a52003109ec7fa18828

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7343.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7343.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3231cV.exe
Filesize
329KB

MD5
0b4944ac44784c53c31096dce1e52ef5

SHA1
f5e438ef7dc5ba879c5438878400dd62ffdbdd4f

SHA256
da03ab8d4557f9e7998d8824cb8e4f45190746731ba1c577c4d3f1c5a84dc928

SHA512
f43553124d0353192d1b5ddc4a66ced08f6e4716ea837ff63f607e5fb1ddba63dc6b7aaf30799fbbd1bd959de99a4a70a583ed4ba6db72f546c6f1a71234cb4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3231cV.exe
Filesize
329KB

MD5
0b4944ac44784c53c31096dce1e52ef5

SHA1
f5e438ef7dc5ba879c5438878400dd62ffdbdd4f

SHA256
da03ab8d4557f9e7998d8824cb8e4f45190746731ba1c577c4d3f1c5a84dc928

SHA512
f43553124d0353192d1b5ddc4a66ced08f6e4716ea837ff63f607e5fb1ddba63dc6b7aaf30799fbbd1bd959de99a4a70a583ed4ba6db72f546c6f1a71234cb4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/3540-1131-0x0000000008B90000-0x0000000008D52000-memory.dmp

Filesize
1.8MB

Download
memory/3540-242-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/3540-1138-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/3540-1137-0x0000000009550000-0x00000000095A0000-memory.dmp

Filesize
320KB

Download
memory/3540-1136-0x00000000094D0000-0x0000000009546000-memory.dmp

Filesize
472KB

Download
memory/3540-1135-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/3540-1134-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/3540-1133-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/3540-1132-0x0000000008D60000-0x000000000928C000-memory.dmp

Filesize
5.2MB

Download
memory/3540-1129-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/3540-1130-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/3540-1127-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/3540-1126-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/3540-1125-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/3540-213-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/3540-214-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/3540-216-0x0000000002D60000-0x0000000002DAB000-memory.dmp

Filesize
300KB

Download
memory/3540-218-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/3540-220-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/3540-222-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/3540-221-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/3540-224-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/3540-217-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/3540-226-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/3540-228-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/3540-230-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/3540-232-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/3540-234-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/3540-236-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/3540-238-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/3540-240-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/3540-1124-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/3540-244-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/3540-246-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/3540-248-0x0000000007740000-0x000000000777F000-memory.dmp

Filesize
252KB

Download
memory/3540-1123-0x00000000078D0000-0x0000000007EE8000-memory.dmp

Filesize
6.1MB

Download
memory/4288-182-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4288-169-0x00000000073E0000-0x0000000007984000-memory.dmp

Filesize
5.6MB

Download
memory/4288-188-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4288-206-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/4288-203-0x00000000073D0000-0x00000000073E0000-memory.dmp

Filesize
64KB

Download
memory/4288-204-0x00000000073D0000-0x00000000073E0000-memory.dmp

Filesize
64KB

Download
memory/4288-184-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4288-202-0x00000000073D0000-0x00000000073E0000-memory.dmp

Filesize
64KB

Download
memory/4288-201-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/4288-200-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4288-198-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4288-196-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4288-194-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4288-186-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4288-176-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4288-180-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4288-168-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/4288-192-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4288-190-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4288-178-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4288-174-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4288-173-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4288-172-0x00000000073D0000-0x00000000073E0000-memory.dmp

Filesize
64KB

Download
memory/4288-171-0x00000000073D0000-0x00000000073E0000-memory.dmp

Filesize
64KB

Download
memory/4288-170-0x00000000073D0000-0x00000000073E0000-memory.dmp

Filesize
64KB

Download
memory/4612-1146-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/4612-1145-0x0000000000260000-0x0000000000292000-memory.dmp

Filesize
200KB

Download
memory/4904-161-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download