amadey | 5493465b87a1b4405ece751e97e62a535e1714bd0ca39c2a49157e4e0278acc9

Analysis

max time kernel
132s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5493465b87a1b4405ece751e97e62a535e1714bd0ca39c2a49157e4e0278acc9.exe
Size

1.0MB
MD5

1f1e1d363ea2d80c12a4c0c392090d53
SHA1

40fb1aeba8dabd37a42d0662e35e40fe7cd765b8
SHA256

5493465b87a1b4405ece751e97e62a535e1714bd0ca39c2a49157e4e0278acc9
SHA512

42515f41cdd289279bcf4f90653e511b2f1b054efd15d14d191e6dc96a396b70403aa7cee0f2bb64506c21ee9a402d73ae6d2261e79f9234fbf575305934bc94
SSDEEP

24576:ayZJXIInMcrparXovna3cPnQp/WM4jDfKF:hZJ/9EovnaiQ/WzffK

Score

10^/10

amadey redline boris lida discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

lida

193.233.20.32:4125

Attributes

auth_value
24052aa2e9b85984a98d80cf08623e8d

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v3914Uh.exetz0018.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v3914Uh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v3914Uh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz0018.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz0018.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz0018.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz0018.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz0018.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v3914Uh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v3914Uh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz0018.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v3914Uh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v3914Uh.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3772-212-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3772-213-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3772-215-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3772-217-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3772-219-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3772-221-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3772-223-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3772-225-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3772-227-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3772-229-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3772-231-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3772-233-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3772-235-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3772-238-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3772-240-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3772-242-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3772-244-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/3772-246-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y46Sg86.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	y46Sg86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 11 IoCs

Processes:

zap3779.exezap0337.exezap3366.exetz0018.exev3914Uh.exew00ZS14.exexqsVT91.exey46Sg86.exelegenda.exelegenda.exelegenda.exe

pid	process
1476	zap3779.exe
3584	zap0337.exe
2512	zap3366.exe
2340	tz0018.exe
1188	v3914Uh.exe
3772	w00ZS14.exe
4564	xqsVT91.exe
3632	y46Sg86.exe
1820	legenda.exe
4772	legenda.exe
232	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4256 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4256	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz0018.exev3914Uh.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz0018.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v3914Uh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v3914Uh.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5493465b87a1b4405ece751e97e62a535e1714bd0ca39c2a49157e4e0278acc9.exezap3779.exezap0337.exezap3366.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5493465b87a1b4405ece751e97e62a535e1714bd0ca39c2a49157e4e0278acc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5493465b87a1b4405ece751e97e62a535e1714bd0ca39c2a49157e4e0278acc9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3779.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap3779.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap0337.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap0337.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap3366.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1616 1188 WerFault.exe v3914Uh.exe
1188 3772 WerFault.exe w00ZS14.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4064 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz0018.exev3914Uh.exew00ZS14.exexqsVT91.exe

pid process

2340 tz0018.exe
2340 tz0018.exe
1188 v3914Uh.exe
1188 v3914Uh.exe
3772 w00ZS14.exe
3772 w00ZS14.exe
4564 xqsVT91.exe
4564 xqsVT91.exe

pid	pid_target	process	target process
1616	1188	WerFault.exe	v3914Uh.exe
1188	3772	WerFault.exe	w00ZS14.exe

pid	process
4064	schtasks.exe

pid	process
2340	tz0018.exe
2340	tz0018.exe
1188	v3914Uh.exe
1188	v3914Uh.exe
3772	w00ZS14.exe
3772	w00ZS14.exe
4564	xqsVT91.exe
4564	xqsVT91.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz0018.exev3914Uh.exew00ZS14.exexqsVT91.exe

description	pid	process
Token: SeDebugPrivilege	2340	tz0018.exe
Token: SeDebugPrivilege	1188	v3914Uh.exe
Token: SeDebugPrivilege	3772	w00ZS14.exe
Token: SeDebugPrivilege	4564	xqsVT91.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

5493465b87a1b4405ece751e97e62a535e1714bd0ca39c2a49157e4e0278acc9.exezap3779.exezap0337.exezap3366.exey46Sg86.exelegenda.execmd.exe

description	pid	process	target process
PID 5084 wrote to memory of 1476	5084	5493465b87a1b4405ece751e97e62a535e1714bd0ca39c2a49157e4e0278acc9.exe	zap3779.exe
PID 5084 wrote to memory of 1476	5084	5493465b87a1b4405ece751e97e62a535e1714bd0ca39c2a49157e4e0278acc9.exe	zap3779.exe
PID 5084 wrote to memory of 1476	5084	5493465b87a1b4405ece751e97e62a535e1714bd0ca39c2a49157e4e0278acc9.exe	zap3779.exe
PID 1476 wrote to memory of 3584	1476	zap3779.exe	zap0337.exe
PID 1476 wrote to memory of 3584	1476	zap3779.exe	zap0337.exe
PID 1476 wrote to memory of 3584	1476	zap3779.exe	zap0337.exe
PID 3584 wrote to memory of 2512	3584	zap0337.exe	zap3366.exe
PID 3584 wrote to memory of 2512	3584	zap0337.exe	zap3366.exe
PID 3584 wrote to memory of 2512	3584	zap0337.exe	zap3366.exe
PID 2512 wrote to memory of 2340	2512	zap3366.exe	tz0018.exe
PID 2512 wrote to memory of 2340	2512	zap3366.exe	tz0018.exe
PID 2512 wrote to memory of 1188	2512	zap3366.exe	v3914Uh.exe
PID 2512 wrote to memory of 1188	2512	zap3366.exe	v3914Uh.exe
PID 2512 wrote to memory of 1188	2512	zap3366.exe	v3914Uh.exe
PID 3584 wrote to memory of 3772	3584	zap0337.exe	w00ZS14.exe
PID 3584 wrote to memory of 3772	3584	zap0337.exe	w00ZS14.exe
PID 3584 wrote to memory of 3772	3584	zap0337.exe	w00ZS14.exe
PID 1476 wrote to memory of 4564	1476	zap3779.exe	xqsVT91.exe
PID 1476 wrote to memory of 4564	1476	zap3779.exe	xqsVT91.exe
PID 1476 wrote to memory of 4564	1476	zap3779.exe	xqsVT91.exe
PID 5084 wrote to memory of 3632	5084	5493465b87a1b4405ece751e97e62a535e1714bd0ca39c2a49157e4e0278acc9.exe	y46Sg86.exe
PID 5084 wrote to memory of 3632	5084	5493465b87a1b4405ece751e97e62a535e1714bd0ca39c2a49157e4e0278acc9.exe	y46Sg86.exe
PID 5084 wrote to memory of 3632	5084	5493465b87a1b4405ece751e97e62a535e1714bd0ca39c2a49157e4e0278acc9.exe	y46Sg86.exe
PID 3632 wrote to memory of 1820	3632	y46Sg86.exe	legenda.exe
PID 3632 wrote to memory of 1820	3632	y46Sg86.exe	legenda.exe
PID 3632 wrote to memory of 1820	3632	y46Sg86.exe	legenda.exe
PID 1820 wrote to memory of 4064	1820	legenda.exe	schtasks.exe
PID 1820 wrote to memory of 4064	1820	legenda.exe	schtasks.exe
PID 1820 wrote to memory of 4064	1820	legenda.exe	schtasks.exe
PID 1820 wrote to memory of 2352	1820	legenda.exe	cmd.exe
PID 1820 wrote to memory of 2352	1820	legenda.exe	cmd.exe
PID 1820 wrote to memory of 2352	1820	legenda.exe	cmd.exe
PID 2352 wrote to memory of 544	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 544	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 544	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 2028	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 2028	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 2028	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 3696	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 3696	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 3696	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 1736	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 1736	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 1736	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4412	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 4412	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 4412	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 3572	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 3572	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 3572	2352	cmd.exe	cacls.exe
PID 1820 wrote to memory of 4256	1820	legenda.exe	rundll32.exe
PID 1820 wrote to memory of 4256	1820	legenda.exe	rundll32.exe
PID 1820 wrote to memory of 4256	1820	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\5493465b87a1b4405ece751e97e62a535e1714bd0ca39c2a49157e4e0278acc9.exe
"C:\Users\Admin\AppData\Local\Temp\5493465b87a1b4405ece751e97e62a535e1714bd0ca39c2a49157e4e0278acc9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5084

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3779.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3779.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1476

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0337.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0337.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3584

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3366.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3366.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0018.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0018.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3914Uh.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3914Uh.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 1084
6⤵
- Program crash
PID:1616

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w00ZS14.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w00ZS14.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 1808
5⤵
- Program crash
PID:1188

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xqsVT91.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xqsVT91.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y46Sg86.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y46Sg86.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:4064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:544

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:2028

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1736

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:4412

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:3572

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1188 -ip 1188
1⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3772 -ip 3772
1⤵
PID:492

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4772

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y46Sg86.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y46Sg86.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3779.exe
Filesize
857KB

MD5
b87db3a6f75aeb77d640745aee6a557d

SHA1
0fc118aadd061c94ecb8cd9a479d8a7e5cc62350

SHA256
7abcf4dfad28efbbc3901ae886c34d42f82c65aa5bf507078af1030e093ac043

SHA512
73de212d808fdb956948add25c3f8f31cfe6bc5ec87628f664d9420778fea05990d81e23ed0b72de60b4826b9f7faf7ccc5d15e71173e95a5c6c98cffe04ad43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3779.exe
Filesize
857KB

MD5
b87db3a6f75aeb77d640745aee6a557d

SHA1
0fc118aadd061c94ecb8cd9a479d8a7e5cc62350

SHA256
7abcf4dfad28efbbc3901ae886c34d42f82c65aa5bf507078af1030e093ac043

SHA512
73de212d808fdb956948add25c3f8f31cfe6bc5ec87628f664d9420778fea05990d81e23ed0b72de60b4826b9f7faf7ccc5d15e71173e95a5c6c98cffe04ad43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xqsVT91.exe
Filesize
175KB

MD5
6b06147bf5fd26306978a93fe83127a4

SHA1
7b14ff42f4441b985591ef5b7d4cc703f0bbcdfa

SHA256
11e6d45ae92fc4505f14f550d01d97a42fba91a999b900daf843251772c755e0

SHA512
603007d99e52da5739040fee891c193123dc5741985de1c3dde091dd07e759336ec749312e4ab95d05c1c6681f10e56b4e9aee67d633a97b6aa25c5119f4d6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xqsVT91.exe
Filesize
175KB

MD5
6b06147bf5fd26306978a93fe83127a4

SHA1
7b14ff42f4441b985591ef5b7d4cc703f0bbcdfa

SHA256
11e6d45ae92fc4505f14f550d01d97a42fba91a999b900daf843251772c755e0

SHA512
603007d99e52da5739040fee891c193123dc5741985de1c3dde091dd07e759336ec749312e4ab95d05c1c6681f10e56b4e9aee67d633a97b6aa25c5119f4d6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0337.exe
Filesize
715KB

MD5
04dad66888a899f2d92a98f65479312a

SHA1
9effa9370338874f6b51672329083a7833c86cc0

SHA256
ecc91710093d182b971cdb747f660e96fe698feabd68ac6f9d967ec997f93a5a

SHA512
948cec6a22814a722985885cf7ba00e3bc3cbef346728e1bc4613ccbe2bd50845d4b3a866f218214a9d8ec216f80c5a84a236fcbc4879cbf84ba0ea2662136c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap0337.exe
Filesize
715KB

MD5
04dad66888a899f2d92a98f65479312a

SHA1
9effa9370338874f6b51672329083a7833c86cc0

SHA256
ecc91710093d182b971cdb747f660e96fe698feabd68ac6f9d967ec997f93a5a

SHA512
948cec6a22814a722985885cf7ba00e3bc3cbef346728e1bc4613ccbe2bd50845d4b3a866f218214a9d8ec216f80c5a84a236fcbc4879cbf84ba0ea2662136c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w00ZS14.exe
Filesize
387KB

MD5
717af2073f6e8eb38accb8ce43b4004a

SHA1
a421761e9476551b8f055766133be7e4d6a65721

SHA256
ee10dfe8bb9a2a7ca4ed651167dccec032e632d173527cc8963305283fc0bdeb

SHA512
bc5d7a3c1c0c859ea43380308da60b8b3ed3d4f489f387306497a748434270c7a9f07c914a0ce44001ca4d1b62c42fc286e87af70511794c933bbffd88e62b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w00ZS14.exe
Filesize
387KB

MD5
717af2073f6e8eb38accb8ce43b4004a

SHA1
a421761e9476551b8f055766133be7e4d6a65721

SHA256
ee10dfe8bb9a2a7ca4ed651167dccec032e632d173527cc8963305283fc0bdeb

SHA512
bc5d7a3c1c0c859ea43380308da60b8b3ed3d4f489f387306497a748434270c7a9f07c914a0ce44001ca4d1b62c42fc286e87af70511794c933bbffd88e62b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3366.exe
Filesize
355KB

MD5
4b03da91cad16198b0a3a8a9b47a082b

SHA1
4aefb621fd3d848e2579a332cccd3d768921ee0a

SHA256
41541f50ed213140508db921624987625fb53a0db99e5c880c08b8a75d752d63

SHA512
9e0a0cbdfb35c8b32c3a0826c008f855d70e1113a6f777a57e9a553092016328eed3268ddd671bdb9b63f51c137cad165cbae8eceb6f0fe0c50412a045bbad9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3366.exe
Filesize
355KB

MD5
4b03da91cad16198b0a3a8a9b47a082b

SHA1
4aefb621fd3d848e2579a332cccd3d768921ee0a

SHA256
41541f50ed213140508db921624987625fb53a0db99e5c880c08b8a75d752d63

SHA512
9e0a0cbdfb35c8b32c3a0826c008f855d70e1113a6f777a57e9a553092016328eed3268ddd671bdb9b63f51c137cad165cbae8eceb6f0fe0c50412a045bbad9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0018.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0018.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3914Uh.exe
Filesize
329KB

MD5
88bbd16669e3726d5cb70299678318a3

SHA1
17d0538f93c7cce34cb7d49e5f4c007ad7160c5b

SHA256
9403d46228fba5578d627c139de464b08f5a11e0a4a4ebbc1f42c3ec788c9d3a

SHA512
a69ec2d68af0be69fa7704d8b66219198f5a608c297444696478866c2a4053247d1f0f1b19ea16fa39fd6feb693e0343b2cf6cd9422a72ee7b3e0e10aceb6390

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3914Uh.exe
Filesize
329KB

MD5
88bbd16669e3726d5cb70299678318a3

SHA1
17d0538f93c7cce34cb7d49e5f4c007ad7160c5b

SHA256
9403d46228fba5578d627c139de464b08f5a11e0a4a4ebbc1f42c3ec788c9d3a

SHA512
a69ec2d68af0be69fa7704d8b66219198f5a608c297444696478866c2a4053247d1f0f1b19ea16fa39fd6feb693e0343b2cf6cd9422a72ee7b3e0e10aceb6390

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/1188-185-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1188-187-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1188-191-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1188-193-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1188-195-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1188-197-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1188-199-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1188-200-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/1188-201-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/1188-202-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/1188-204-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/1188-205-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/1188-167-0x00000000071E0000-0x0000000007784000-memory.dmp

Filesize
5.6MB

Download
memory/1188-189-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1188-183-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1188-181-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1188-179-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1188-177-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1188-175-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1188-173-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1188-172-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/1188-171-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/1188-170-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/1188-169-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/1188-168-0x0000000002C70000-0x0000000002C9D000-memory.dmp

Filesize
180KB

Download
memory/2340-161-0x0000000000D90000-0x0000000000D9A000-memory.dmp

Filesize
40KB

Download
memory/3772-219-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3772-1131-0x0000000008E50000-0x000000000937C000-memory.dmp

Filesize
5.2MB

Download
memory/3772-235-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3772-238-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3772-240-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3772-242-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3772-244-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3772-246-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3772-1119-0x00000000079B0000-0x0000000007FC8000-memory.dmp

Filesize
6.1MB

Download
memory/3772-1120-0x0000000007FD0000-0x00000000080DA000-memory.dmp

Filesize
1.0MB

Download
memory/3772-1121-0x00000000072C0000-0x00000000072D2000-memory.dmp

Filesize
72KB

Download
memory/3772-1122-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/3772-1123-0x00000000080E0000-0x000000000811C000-memory.dmp

Filesize
240KB

Download
memory/3772-1125-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/3772-1126-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/3772-1127-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/3772-1128-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/3772-1129-0x0000000008C80000-0x0000000008E42000-memory.dmp

Filesize
1.8MB

Download
memory/3772-1130-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/3772-236-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/3772-1132-0x0000000009610000-0x0000000009686000-memory.dmp

Filesize
472KB

Download
memory/3772-1133-0x0000000009690000-0x00000000096E0000-memory.dmp

Filesize
320KB

Download
memory/3772-1134-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/3772-233-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3772-231-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3772-210-0x0000000002B90000-0x0000000002BDB000-memory.dmp

Filesize
300KB

Download
memory/3772-211-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/3772-229-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3772-227-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3772-225-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3772-223-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3772-221-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3772-217-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3772-215-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3772-213-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/3772-212-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/4564-1141-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/4564-1140-0x0000000000540000-0x0000000000572000-memory.dmp

Filesize
200KB

Download