amadey | cb3d7fe29fc55f920fa397efc78040f4cad672314474286f4d26cc4f522600ae

Analysis

max time kernel
145s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb3d7fe29fc55f920fa397efc78040f4cad672314474286f4d26cc4f522600ae.exe
Size

1012KB
MD5

874375d1993064c71e69496464d71d94
SHA1

566c4e1bee09f117602f66db79d02374e381bde2
SHA256

cb3d7fe29fc55f920fa397efc78040f4cad672314474286f4d26cc4f522600ae
SHA512

fbf5a310f6ec14f4f0d0b333ff9426ce1ec2856cb37da111239fd03f06fa06ad9f7da4487e2245bee9802790fa09eb2ccf1a50dbbf191bc8a9e35536fcda53f0
SSDEEP

24576:YyKDpeof8/dQtAv1pLgChJuRdk+d82ef+ITBvpXg:fK1g/rv3P+azH1vB

Score

10^/10

amadey redline down goga discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

goga

193.233.20.31:4125

Attributes

auth_value
d23290cf37dcc5419576040359a72599

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz9596.exev0697OV.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz9596.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz9596.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v0697OV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v0697OV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v0697OV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v0697OV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz9596.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz9596.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz9596.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz9596.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v0697OV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v0697OV.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3796-212-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/3796-211-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/3796-216-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/3796-218-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/3796-220-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/3796-222-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/3796-224-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/3796-226-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/3796-228-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/3796-230-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/3796-232-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/3796-234-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/3796-236-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/3796-238-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/3796-240-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/3796-242-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/3796-244-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/3796-246-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y80cM19.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	y80cM19.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 11 IoCs

Processes:

zap2836.exezap6162.exezap6734.exetz9596.exev0697OV.exew74Gq18.exexFifL55.exey80cM19.exelegenda.exelegenda.exelegenda.exe

pid	process
4276	zap2836.exe
1888	zap6162.exe
5072	zap6734.exe
4388	tz9596.exe
548	v0697OV.exe
3796	w74Gq18.exe
404	xFifL55.exe
4116	y80cM19.exe
3684	legenda.exe
4444	legenda.exe
4276	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4732 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4732	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz9596.exev0697OV.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz9596.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v0697OV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v0697OV.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap2836.exezap6162.exezap6734.execb3d7fe29fc55f920fa397efc78040f4cad672314474286f4d26cc4f522600ae.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2836.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap2836.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6162.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap6162.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap6734.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cb3d7fe29fc55f920fa397efc78040f4cad672314474286f4d26cc4f522600ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cb3d7fe29fc55f920fa397efc78040f4cad672314474286f4d26cc4f522600ae.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

384 548 WerFault.exe v0697OV.exe
3688 3796 WerFault.exe w74Gq18.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2312 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz9596.exev0697OV.exew74Gq18.exexFifL55.exe

pid process

4388 tz9596.exe
4388 tz9596.exe
548 v0697OV.exe
548 v0697OV.exe
3796 w74Gq18.exe
3796 w74Gq18.exe
404 xFifL55.exe
404 xFifL55.exe

pid	pid_target	process	target process
384	548	WerFault.exe	v0697OV.exe
3688	3796	WerFault.exe	w74Gq18.exe

pid	process
2312	schtasks.exe

pid	process
4388	tz9596.exe
4388	tz9596.exe
548	v0697OV.exe
548	v0697OV.exe
3796	w74Gq18.exe
3796	w74Gq18.exe
404	xFifL55.exe
404	xFifL55.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz9596.exev0697OV.exew74Gq18.exexFifL55.exe

description	pid	process
Token: SeDebugPrivilege	4388	tz9596.exe
Token: SeDebugPrivilege	548	v0697OV.exe
Token: SeDebugPrivilege	3796	w74Gq18.exe
Token: SeDebugPrivilege	404	xFifL55.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

cb3d7fe29fc55f920fa397efc78040f4cad672314474286f4d26cc4f522600ae.exezap2836.exezap6162.exezap6734.exey80cM19.exelegenda.execmd.exe

description	pid	process	target process
PID 1328 wrote to memory of 4276	1328	cb3d7fe29fc55f920fa397efc78040f4cad672314474286f4d26cc4f522600ae.exe	zap2836.exe
PID 1328 wrote to memory of 4276	1328	cb3d7fe29fc55f920fa397efc78040f4cad672314474286f4d26cc4f522600ae.exe	zap2836.exe
PID 1328 wrote to memory of 4276	1328	cb3d7fe29fc55f920fa397efc78040f4cad672314474286f4d26cc4f522600ae.exe	zap2836.exe
PID 4276 wrote to memory of 1888	4276	zap2836.exe	zap6162.exe
PID 4276 wrote to memory of 1888	4276	zap2836.exe	zap6162.exe
PID 4276 wrote to memory of 1888	4276	zap2836.exe	zap6162.exe
PID 1888 wrote to memory of 5072	1888	zap6162.exe	zap6734.exe
PID 1888 wrote to memory of 5072	1888	zap6162.exe	zap6734.exe
PID 1888 wrote to memory of 5072	1888	zap6162.exe	zap6734.exe
PID 5072 wrote to memory of 4388	5072	zap6734.exe	tz9596.exe
PID 5072 wrote to memory of 4388	5072	zap6734.exe	tz9596.exe
PID 5072 wrote to memory of 548	5072	zap6734.exe	v0697OV.exe
PID 5072 wrote to memory of 548	5072	zap6734.exe	v0697OV.exe
PID 5072 wrote to memory of 548	5072	zap6734.exe	v0697OV.exe
PID 1888 wrote to memory of 3796	1888	zap6162.exe	w74Gq18.exe
PID 1888 wrote to memory of 3796	1888	zap6162.exe	w74Gq18.exe
PID 1888 wrote to memory of 3796	1888	zap6162.exe	w74Gq18.exe
PID 4276 wrote to memory of 404	4276	zap2836.exe	xFifL55.exe
PID 4276 wrote to memory of 404	4276	zap2836.exe	xFifL55.exe
PID 4276 wrote to memory of 404	4276	zap2836.exe	xFifL55.exe
PID 1328 wrote to memory of 4116	1328	cb3d7fe29fc55f920fa397efc78040f4cad672314474286f4d26cc4f522600ae.exe	y80cM19.exe
PID 1328 wrote to memory of 4116	1328	cb3d7fe29fc55f920fa397efc78040f4cad672314474286f4d26cc4f522600ae.exe	y80cM19.exe
PID 1328 wrote to memory of 4116	1328	cb3d7fe29fc55f920fa397efc78040f4cad672314474286f4d26cc4f522600ae.exe	y80cM19.exe
PID 4116 wrote to memory of 3684	4116	y80cM19.exe	legenda.exe
PID 4116 wrote to memory of 3684	4116	y80cM19.exe	legenda.exe
PID 4116 wrote to memory of 3684	4116	y80cM19.exe	legenda.exe
PID 3684 wrote to memory of 2312	3684	legenda.exe	schtasks.exe
PID 3684 wrote to memory of 2312	3684	legenda.exe	schtasks.exe
PID 3684 wrote to memory of 2312	3684	legenda.exe	schtasks.exe
PID 3684 wrote to memory of 5056	3684	legenda.exe	cmd.exe
PID 3684 wrote to memory of 5056	3684	legenda.exe	cmd.exe
PID 3684 wrote to memory of 5056	3684	legenda.exe	cmd.exe
PID 5056 wrote to memory of 2680	5056	cmd.exe	cmd.exe
PID 5056 wrote to memory of 2680	5056	cmd.exe	cmd.exe
PID 5056 wrote to memory of 2680	5056	cmd.exe	cmd.exe
PID 5056 wrote to memory of 744	5056	cmd.exe	cacls.exe
PID 5056 wrote to memory of 744	5056	cmd.exe	cacls.exe
PID 5056 wrote to memory of 744	5056	cmd.exe	cacls.exe
PID 5056 wrote to memory of 1016	5056	cmd.exe	cacls.exe
PID 5056 wrote to memory of 1016	5056	cmd.exe	cacls.exe
PID 5056 wrote to memory of 1016	5056	cmd.exe	cacls.exe
PID 5056 wrote to memory of 1284	5056	cmd.exe	cmd.exe
PID 5056 wrote to memory of 1284	5056	cmd.exe	cmd.exe
PID 5056 wrote to memory of 1284	5056	cmd.exe	cmd.exe
PID 5056 wrote to memory of 992	5056	cmd.exe	cacls.exe
PID 5056 wrote to memory of 992	5056	cmd.exe	cacls.exe
PID 5056 wrote to memory of 992	5056	cmd.exe	cacls.exe
PID 5056 wrote to memory of 4168	5056	cmd.exe	cacls.exe
PID 5056 wrote to memory of 4168	5056	cmd.exe	cacls.exe
PID 5056 wrote to memory of 4168	5056	cmd.exe	cacls.exe
PID 3684 wrote to memory of 4732	3684	legenda.exe	rundll32.exe
PID 3684 wrote to memory of 4732	3684	legenda.exe	rundll32.exe
PID 3684 wrote to memory of 4732	3684	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\cb3d7fe29fc55f920fa397efc78040f4cad672314474286f4d26cc4f522600ae.exe
"C:\Users\Admin\AppData\Local\Temp\cb3d7fe29fc55f920fa397efc78040f4cad672314474286f4d26cc4f522600ae.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1328

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2836.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2836.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4276

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6162.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6162.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6734.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6734.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5072

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9596.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9596.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0697OV.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0697OV.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1088
6⤵
- Program crash
PID:384

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w74Gq18.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w74Gq18.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1336
5⤵
- Program crash
PID:3688

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xFifL55.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xFifL55.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y80cM19.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y80cM19.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:2312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2680

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:744

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1284

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:992

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:4168

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 548 -ip 548
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3796 -ip 3796
1⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4444

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y80cM19.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y80cM19.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2836.exe
Filesize
828KB

MD5
05a9a39212cea9657e27ab81e7c112e8

SHA1
476a8293d74b0c09c62a042e9162f62c5e567ac1

SHA256
7480c1d56e2335eba7ca64d4991fc87daf898e9c2965d9bb089e9028131b9754

SHA512
79cbc705715588eb67ad980635380061b0b2257fa859eceae7e56c6d574b62ba035bc65aec655fcc1e6593cd06e1fc03c3ea303471e0e4825dce8e36f9bccc2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2836.exe
Filesize
828KB

MD5
05a9a39212cea9657e27ab81e7c112e8

SHA1
476a8293d74b0c09c62a042e9162f62c5e567ac1

SHA256
7480c1d56e2335eba7ca64d4991fc87daf898e9c2965d9bb089e9028131b9754

SHA512
79cbc705715588eb67ad980635380061b0b2257fa859eceae7e56c6d574b62ba035bc65aec655fcc1e6593cd06e1fc03c3ea303471e0e4825dce8e36f9bccc2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xFifL55.exe
Filesize
175KB

MD5
834e79ce5b49bb7bc25edd39928edd0d

SHA1
9e4f3409d2c6b8227a915cbe02c6c5d743ef2abb

SHA256
3ecc77ed05720896aabce3b251ccc35d2fe651c21132d1d5dd09e7ac5d0615fe

SHA512
b7cebd169f45874eb23779661358e094085e85ba421007ef2f569e38a7174235d6c0326d8eef25c629483916852519d871dfe0135b85ed1113345948b18ed637

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xFifL55.exe
Filesize
175KB

MD5
834e79ce5b49bb7bc25edd39928edd0d

SHA1
9e4f3409d2c6b8227a915cbe02c6c5d743ef2abb

SHA256
3ecc77ed05720896aabce3b251ccc35d2fe651c21132d1d5dd09e7ac5d0615fe

SHA512
b7cebd169f45874eb23779661358e094085e85ba421007ef2f569e38a7174235d6c0326d8eef25c629483916852519d871dfe0135b85ed1113345948b18ed637

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6162.exe
Filesize
685KB

MD5
fa88eb31c219550d398bc84037850351

SHA1
e1915c0d9874de76b16b28e27118a48f2149f988

SHA256
6ef952294f569db7352590f838a640d6460aefeb45b2b53a2f25e9cd50348998

SHA512
d5a7d578ceef8ce26dcaac04562dd479eb954d3da82c33520058e5d42e1503b5ad4a11f0413b555d7bd0df83647de3e4bc1df6d4945007483f5e470448db676e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6162.exe
Filesize
685KB

MD5
fa88eb31c219550d398bc84037850351

SHA1
e1915c0d9874de76b16b28e27118a48f2149f988

SHA256
6ef952294f569db7352590f838a640d6460aefeb45b2b53a2f25e9cd50348998

SHA512
d5a7d578ceef8ce26dcaac04562dd479eb954d3da82c33520058e5d42e1503b5ad4a11f0413b555d7bd0df83647de3e4bc1df6d4945007483f5e470448db676e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w74Gq18.exe
Filesize
356KB

MD5
27725b587d7b317df9c10670d82e0ca6

SHA1
e54054aef8e240f4d74d2b38b48da58e97b4f684

SHA256
5a268375dfe968e07652916a1b903d9ee1e1f1972f53f57ca74560c1bceb58cd

SHA512
3a36f9474cce0f79c1b66c3cad38747e0ecea55438f536c90a953598cc4face04bc5385134dfdde8b5d3f87d175699b67b6391a1040a66f6b3e3015c5141a0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w74Gq18.exe
Filesize
356KB

MD5
27725b587d7b317df9c10670d82e0ca6

SHA1
e54054aef8e240f4d74d2b38b48da58e97b4f684

SHA256
5a268375dfe968e07652916a1b903d9ee1e1f1972f53f57ca74560c1bceb58cd

SHA512
3a36f9474cce0f79c1b66c3cad38747e0ecea55438f536c90a953598cc4face04bc5385134dfdde8b5d3f87d175699b67b6391a1040a66f6b3e3015c5141a0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6734.exe
Filesize
340KB

MD5
5476ed87b2ac2d63db986f6ce9db64d2

SHA1
e09298a60ac713d8a0a5652c63f57091233f5c2c

SHA256
52b31ed28f1e5f7af291c5490f84c9ec1950a7d19f2e85d47eb4a11f7b5291bf

SHA512
8b4cedfd7c642f90dc3cd79e10b6495b120014abf25f5754600757f384e1030fffaaa0bdee39abef1e35a91be9c14742fbb3214958db47c6074daafd4b5c54ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6734.exe
Filesize
340KB

MD5
5476ed87b2ac2d63db986f6ce9db64d2

SHA1
e09298a60ac713d8a0a5652c63f57091233f5c2c

SHA256
52b31ed28f1e5f7af291c5490f84c9ec1950a7d19f2e85d47eb4a11f7b5291bf

SHA512
8b4cedfd7c642f90dc3cd79e10b6495b120014abf25f5754600757f384e1030fffaaa0bdee39abef1e35a91be9c14742fbb3214958db47c6074daafd4b5c54ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9596.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9596.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0697OV.exe
Filesize
298KB

MD5
951d54682917c49d1eb4823fa82f8237

SHA1
84e2469b1703dc0b068bb5ecad8592e030c5a518

SHA256
4c34be4822239a2119a5a8a57ba28a673e40e55d4a71e0b5506edd8e690e9cbe

SHA512
fb7a3c246190b50801910b02794614e5386ad5f1f740fd8221da099616f82961f8294095ab9a6a7008797642dc5e5c35d0b89308deb813fce3e63c6d9a52057a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0697OV.exe
Filesize
298KB

MD5
951d54682917c49d1eb4823fa82f8237

SHA1
84e2469b1703dc0b068bb5ecad8592e030c5a518

SHA256
4c34be4822239a2119a5a8a57ba28a673e40e55d4a71e0b5506edd8e690e9cbe

SHA512
fb7a3c246190b50801910b02794614e5386ad5f1f740fd8221da099616f82961f8294095ab9a6a7008797642dc5e5c35d0b89308deb813fce3e63c6d9a52057a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/404-1141-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/404-1140-0x0000000000260000-0x0000000000292000-memory.dmp

Filesize
200KB

Download
memory/548-167-0x00000000072E0000-0x0000000007884000-memory.dmp

Filesize
5.6MB

Download
memory/548-196-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/548-197-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/548-198-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/548-199-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/548-200-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/548-201-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/548-202-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/548-204-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/548-195-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/548-193-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/548-191-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/548-189-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/548-187-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/548-185-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/548-183-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/548-181-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/548-179-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/548-177-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/548-175-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/548-173-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/548-171-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/548-169-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/548-168-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/3796-220-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/3796-236-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/3796-238-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/3796-240-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/3796-242-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/3796-244-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/3796-246-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/3796-1119-0x00000000078E0000-0x0000000007EF8000-memory.dmp

Filesize
6.1MB

Download
memory/3796-1120-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/3796-1121-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/3796-1122-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/3796-1123-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/3796-1125-0x00000000083C0000-0x0000000008426000-memory.dmp

Filesize
408KB

Download
memory/3796-1126-0x0000000008A80000-0x0000000008B12000-memory.dmp

Filesize
584KB

Download
memory/3796-1127-0x0000000008B80000-0x0000000008D42000-memory.dmp

Filesize
1.8MB

Download
memory/3796-1128-0x0000000008D50000-0x000000000927C000-memory.dmp

Filesize
5.2MB

Download
memory/3796-1129-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/3796-1130-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/3796-1131-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/3796-1132-0x00000000093C0000-0x0000000009436000-memory.dmp

Filesize
472KB

Download
memory/3796-1133-0x0000000009440000-0x0000000009490000-memory.dmp

Filesize
320KB

Download
memory/3796-1135-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/3796-234-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/3796-232-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/3796-230-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/3796-228-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/3796-226-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/3796-224-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/3796-222-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/3796-218-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/3796-214-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/3796-216-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/3796-211-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/3796-212-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/3796-213-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/3796-210-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/3796-209-0x0000000002CA0000-0x0000000002CEB000-memory.dmp

Filesize
300KB

Download
memory/4388-161-0x0000000000E00000-0x0000000000E0A000-memory.dmp

Filesize
40KB

Download