amadey | f4d231224db50356ba7507020c42116807d6abdac803cf2beb0c7a7cb7e84372

Analysis

max time kernel
127s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2023 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4d231224db50356ba7507020c42116807d6abdac803cf2beb0c7a7cb7e84372.exe
Size

1.0MB
MD5

41f5ef3b378115bc342abb72354f3ca3
SHA1

c832fdd2d6dd40a3febd747f197248959df26294
SHA256

f4d231224db50356ba7507020c42116807d6abdac803cf2beb0c7a7cb7e84372
SHA512

5d2610a3de099967704c75dd254a00d84c0bf0cda56cbfcf174bed6ee5cccb44869cf8b23c7ed2eac7c3e147f85cdf13d3231f77f2ccc175c7edd28eb4356ac3
SSDEEP

24576:GyN7zNkFgb7oBAe/5OHoeODTpK2VfyFFvCbQerOa:VVqe7oBrBOHODTp1M7vCbQe

Score

10^/10

amadey redline boris netu discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

netu

193.233.20.32:4125

Attributes

auth_value
9641925ae487005582b5cf30476dd305

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz2301.exev0607Wu.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz2301.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz2301.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz2301.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v0607Wu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v0607Wu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v0607Wu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz2301.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz2301.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz2301.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v0607Wu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v0607Wu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v0607Wu.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1248-213-0x0000000004D50000-0x0000000004D8F000-memory.dmp	family_redline
behavioral1/memory/1248-215-0x0000000004D50000-0x0000000004D8F000-memory.dmp	family_redline
behavioral1/memory/1248-219-0x0000000004D50000-0x0000000004D8F000-memory.dmp	family_redline
behavioral1/memory/1248-221-0x0000000004D50000-0x0000000004D8F000-memory.dmp	family_redline
behavioral1/memory/1248-223-0x0000000004D50000-0x0000000004D8F000-memory.dmp	family_redline
behavioral1/memory/1248-225-0x0000000004D50000-0x0000000004D8F000-memory.dmp	family_redline
behavioral1/memory/1248-227-0x0000000004D50000-0x0000000004D8F000-memory.dmp	family_redline
behavioral1/memory/1248-229-0x0000000004D50000-0x0000000004D8F000-memory.dmp	family_redline
behavioral1/memory/1248-231-0x0000000004D50000-0x0000000004D8F000-memory.dmp	family_redline
behavioral1/memory/1248-233-0x0000000004D50000-0x0000000004D8F000-memory.dmp	family_redline
behavioral1/memory/1248-235-0x0000000004D50000-0x0000000004D8F000-memory.dmp	family_redline
behavioral1/memory/1248-237-0x0000000004D50000-0x0000000004D8F000-memory.dmp	family_redline
behavioral1/memory/1248-239-0x0000000004D50000-0x0000000004D8F000-memory.dmp	family_redline
behavioral1/memory/1248-241-0x0000000004D50000-0x0000000004D8F000-memory.dmp	family_redline
behavioral1/memory/1248-243-0x0000000004D50000-0x0000000004D8F000-memory.dmp	family_redline
behavioral1/memory/1248-245-0x0000000004D50000-0x0000000004D8F000-memory.dmp	family_redline
behavioral1/memory/1248-247-0x0000000004D50000-0x0000000004D8F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

legenda.exey26ve25.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	legenda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	y26ve25.exe

Executes dropped EXE 11 IoCs

Processes:

zap7636.exezap4840.exezap2744.exetz2301.exev0607Wu.exew08xY25.exexFZrY20.exey26ve25.exelegenda.exelegenda.exelegenda.exe

pid	process
2392	zap7636.exe
2100	zap4840.exe
4516	zap2744.exe
2736	tz2301.exe
3468	v0607Wu.exe
1248	w08xY25.exe
4984	xFZrY20.exe
3412	y26ve25.exe
3856	legenda.exe
4272	legenda.exe
4432	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

264 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
264	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz2301.exev0607Wu.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz2301.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v0607Wu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v0607Wu.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f4d231224db50356ba7507020c42116807d6abdac803cf2beb0c7a7cb7e84372.exezap7636.exezap4840.exezap2744.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f4d231224db50356ba7507020c42116807d6abdac803cf2beb0c7a7cb7e84372.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f4d231224db50356ba7507020c42116807d6abdac803cf2beb0c7a7cb7e84372.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7636.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap7636.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4840.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap4840.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2744.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap2744.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3184 3468 WerFault.exe v0607Wu.exe
4912 1248 WerFault.exe w08xY25.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3440 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz2301.exev0607Wu.exew08xY25.exexFZrY20.exe

pid process

2736 tz2301.exe
2736 tz2301.exe
3468 v0607Wu.exe
3468 v0607Wu.exe
1248 w08xY25.exe
1248 w08xY25.exe
4984 xFZrY20.exe
4984 xFZrY20.exe

pid	pid_target	process	target process
3184	3468	WerFault.exe	v0607Wu.exe
4912	1248	WerFault.exe	w08xY25.exe

pid	process
3440	schtasks.exe

pid	process
2736	tz2301.exe
2736	tz2301.exe
3468	v0607Wu.exe
3468	v0607Wu.exe
1248	w08xY25.exe
1248	w08xY25.exe
4984	xFZrY20.exe
4984	xFZrY20.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz2301.exev0607Wu.exew08xY25.exexFZrY20.exe

description	pid	process
Token: SeDebugPrivilege	2736	tz2301.exe
Token: SeDebugPrivilege	3468	v0607Wu.exe
Token: SeDebugPrivilege	1248	w08xY25.exe
Token: SeDebugPrivilege	4984	xFZrY20.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

f4d231224db50356ba7507020c42116807d6abdac803cf2beb0c7a7cb7e84372.exezap7636.exezap4840.exezap2744.exey26ve25.exelegenda.execmd.exe

description	pid	process	target process
PID 4936 wrote to memory of 2392	4936	f4d231224db50356ba7507020c42116807d6abdac803cf2beb0c7a7cb7e84372.exe	zap7636.exe
PID 4936 wrote to memory of 2392	4936	f4d231224db50356ba7507020c42116807d6abdac803cf2beb0c7a7cb7e84372.exe	zap7636.exe
PID 4936 wrote to memory of 2392	4936	f4d231224db50356ba7507020c42116807d6abdac803cf2beb0c7a7cb7e84372.exe	zap7636.exe
PID 2392 wrote to memory of 2100	2392	zap7636.exe	zap4840.exe
PID 2392 wrote to memory of 2100	2392	zap7636.exe	zap4840.exe
PID 2392 wrote to memory of 2100	2392	zap7636.exe	zap4840.exe
PID 2100 wrote to memory of 4516	2100	zap4840.exe	zap2744.exe
PID 2100 wrote to memory of 4516	2100	zap4840.exe	zap2744.exe
PID 2100 wrote to memory of 4516	2100	zap4840.exe	zap2744.exe
PID 4516 wrote to memory of 2736	4516	zap2744.exe	tz2301.exe
PID 4516 wrote to memory of 2736	4516	zap2744.exe	tz2301.exe
PID 4516 wrote to memory of 3468	4516	zap2744.exe	v0607Wu.exe
PID 4516 wrote to memory of 3468	4516	zap2744.exe	v0607Wu.exe
PID 4516 wrote to memory of 3468	4516	zap2744.exe	v0607Wu.exe
PID 2100 wrote to memory of 1248	2100	zap4840.exe	w08xY25.exe
PID 2100 wrote to memory of 1248	2100	zap4840.exe	w08xY25.exe
PID 2100 wrote to memory of 1248	2100	zap4840.exe	w08xY25.exe
PID 2392 wrote to memory of 4984	2392	zap7636.exe	xFZrY20.exe
PID 2392 wrote to memory of 4984	2392	zap7636.exe	xFZrY20.exe
PID 2392 wrote to memory of 4984	2392	zap7636.exe	xFZrY20.exe
PID 4936 wrote to memory of 3412	4936	f4d231224db50356ba7507020c42116807d6abdac803cf2beb0c7a7cb7e84372.exe	y26ve25.exe
PID 4936 wrote to memory of 3412	4936	f4d231224db50356ba7507020c42116807d6abdac803cf2beb0c7a7cb7e84372.exe	y26ve25.exe
PID 4936 wrote to memory of 3412	4936	f4d231224db50356ba7507020c42116807d6abdac803cf2beb0c7a7cb7e84372.exe	y26ve25.exe
PID 3412 wrote to memory of 3856	3412	y26ve25.exe	legenda.exe
PID 3412 wrote to memory of 3856	3412	y26ve25.exe	legenda.exe
PID 3412 wrote to memory of 3856	3412	y26ve25.exe	legenda.exe
PID 3856 wrote to memory of 3440	3856	legenda.exe	schtasks.exe
PID 3856 wrote to memory of 3440	3856	legenda.exe	schtasks.exe
PID 3856 wrote to memory of 3440	3856	legenda.exe	schtasks.exe
PID 3856 wrote to memory of 944	3856	legenda.exe	cmd.exe
PID 3856 wrote to memory of 944	3856	legenda.exe	cmd.exe
PID 3856 wrote to memory of 944	3856	legenda.exe	cmd.exe
PID 944 wrote to memory of 952	944	cmd.exe	cmd.exe
PID 944 wrote to memory of 952	944	cmd.exe	cmd.exe
PID 944 wrote to memory of 952	944	cmd.exe	cmd.exe
PID 944 wrote to memory of 3924	944	cmd.exe	cacls.exe
PID 944 wrote to memory of 3924	944	cmd.exe	cacls.exe
PID 944 wrote to memory of 3924	944	cmd.exe	cacls.exe
PID 944 wrote to memory of 3740	944	cmd.exe	cacls.exe
PID 944 wrote to memory of 3740	944	cmd.exe	cacls.exe
PID 944 wrote to memory of 3740	944	cmd.exe	cacls.exe
PID 944 wrote to memory of 5088	944	cmd.exe	cmd.exe
PID 944 wrote to memory of 5088	944	cmd.exe	cmd.exe
PID 944 wrote to memory of 5088	944	cmd.exe	cmd.exe
PID 944 wrote to memory of 5076	944	cmd.exe	cacls.exe
PID 944 wrote to memory of 5076	944	cmd.exe	cacls.exe
PID 944 wrote to memory of 5076	944	cmd.exe	cacls.exe
PID 944 wrote to memory of 3116	944	cmd.exe	cacls.exe
PID 944 wrote to memory of 3116	944	cmd.exe	cacls.exe
PID 944 wrote to memory of 3116	944	cmd.exe	cacls.exe
PID 3856 wrote to memory of 264	3856	legenda.exe	rundll32.exe
PID 3856 wrote to memory of 264	3856	legenda.exe	rundll32.exe
PID 3856 wrote to memory of 264	3856	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\f4d231224db50356ba7507020c42116807d6abdac803cf2beb0c7a7cb7e84372.exe
"C:\Users\Admin\AppData\Local\Temp\f4d231224db50356ba7507020c42116807d6abdac803cf2beb0c7a7cb7e84372.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4936

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7636.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7636.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2392

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4840.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4840.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2100

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2744.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2744.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4516

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2301.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2301.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0607Wu.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0607Wu.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1080
6⤵
- Program crash
PID:3184

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w08xY25.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w08xY25.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 1348
5⤵
- Program crash
PID:4912

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xFZrY20.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xFZrY20.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y26ve25.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y26ve25.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:3440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:952

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:3924

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:3740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:5088

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:5076

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:3116

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3468 -ip 3468
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1248 -ip 1248
1⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4272

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y26ve25.exe
Filesize
235KB

MD5
7f9b9439277288910af50a400b714e3f

SHA1
dbc839690c732173deb0031a722aa7b61990a51a

SHA256
fb8acec540975187b1617c44a5970156c4218626fbd5d6c112d07f99ccc91a2c

SHA512
36edbacc5ef6f5991aa7d205f2a28fc0030bbda40156f36d56f10129b628871ef731b0182040c44b4e547c9baa9dce51538e05b2dfb4068233c70535738887d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y26ve25.exe
Filesize
235KB

MD5
7f9b9439277288910af50a400b714e3f

SHA1
dbc839690c732173deb0031a722aa7b61990a51a

SHA256
fb8acec540975187b1617c44a5970156c4218626fbd5d6c112d07f99ccc91a2c

SHA512
36edbacc5ef6f5991aa7d205f2a28fc0030bbda40156f36d56f10129b628871ef731b0182040c44b4e547c9baa9dce51538e05b2dfb4068233c70535738887d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7636.exe
Filesize
854KB

MD5
336d35421236feb36cb97b1091e286c8

SHA1
39e0c71beb67f11e668431e67127e51a1ac4ba3b

SHA256
eb12d2d281afa69ef3ec7b3e0b4228faf9e4cb6b7a70c39e0d4db19eec0d148d

SHA512
5c750283e9323e28e69e18541f936e46d06c01ecfd6e30d506c3d7e19628848b6b1358fe0760d9808a5c48cc1ed7372bf4b14a871c75047c3163f2f6baeff618

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7636.exe
Filesize
854KB

MD5
336d35421236feb36cb97b1091e286c8

SHA1
39e0c71beb67f11e668431e67127e51a1ac4ba3b

SHA256
eb12d2d281afa69ef3ec7b3e0b4228faf9e4cb6b7a70c39e0d4db19eec0d148d

SHA512
5c750283e9323e28e69e18541f936e46d06c01ecfd6e30d506c3d7e19628848b6b1358fe0760d9808a5c48cc1ed7372bf4b14a871c75047c3163f2f6baeff618

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xFZrY20.exe
Filesize
175KB

MD5
a5a496128d09a88a33cbe15692d60169

SHA1
b5d921db796934241a99d9737f80547f4802bfc1

SHA256
acb3901fdb784a0383e941b16ff2579bcb6518bf2531ed7b188c8bba811df5dd

SHA512
89ce471c0815c6082708af78627669388b16974a674616b2279ac0b2ed23cee9018673ddf0fb52988a26a6a719d98584f4dc0f1323e2ccd5b3adb8f0df288988

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xFZrY20.exe
Filesize
175KB

MD5
a5a496128d09a88a33cbe15692d60169

SHA1
b5d921db796934241a99d9737f80547f4802bfc1

SHA256
acb3901fdb784a0383e941b16ff2579bcb6518bf2531ed7b188c8bba811df5dd

SHA512
89ce471c0815c6082708af78627669388b16974a674616b2279ac0b2ed23cee9018673ddf0fb52988a26a6a719d98584f4dc0f1323e2ccd5b3adb8f0df288988

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4840.exe
Filesize
712KB

MD5
c384ffe6e63c539241bdb4649f3a4933

SHA1
bab6d144c63da9fa33cb9b3437361d6e2d0ef30a

SHA256
1390835da26a84089dfb4f82b9861356a5358ad22479437d61bd1e5c1f0e5a5f

SHA512
f3281a6a35f43752dfa55a9b9f06e14cd220c3eee13aaf98c67534988dd14b2ae30a8d89eb866041eceb9d918f1755a99e78f9fc57c6b6f851ef54177d2f6bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4840.exe
Filesize
712KB

MD5
c384ffe6e63c539241bdb4649f3a4933

SHA1
bab6d144c63da9fa33cb9b3437361d6e2d0ef30a

SHA256
1390835da26a84089dfb4f82b9861356a5358ad22479437d61bd1e5c1f0e5a5f

SHA512
f3281a6a35f43752dfa55a9b9f06e14cd220c3eee13aaf98c67534988dd14b2ae30a8d89eb866041eceb9d918f1755a99e78f9fc57c6b6f851ef54177d2f6bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w08xY25.exe
Filesize
383KB

MD5
22e6689f8ef073c049787b31172c7a22

SHA1
291330821968ca399259a8cd3d45770ac5240666

SHA256
be528aceb9f2467f85becc6a02dcc7ff819d9662833626d0d5293621fb89f94e

SHA512
13d919d9cd5578d4038ed181b27e0eee523ad204a5667fd068f5bc80c6ea731ba31e90462d7c3f088fe429912d2d935d184be688f2f088ff99599c604be31517

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w08xY25.exe
Filesize
383KB

MD5
22e6689f8ef073c049787b31172c7a22

SHA1
291330821968ca399259a8cd3d45770ac5240666

SHA256
be528aceb9f2467f85becc6a02dcc7ff819d9662833626d0d5293621fb89f94e

SHA512
13d919d9cd5578d4038ed181b27e0eee523ad204a5667fd068f5bc80c6ea731ba31e90462d7c3f088fe429912d2d935d184be688f2f088ff99599c604be31517

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2744.exe
Filesize
352KB

MD5
e8c26364b610035f1b7cf5c8c45f26b6

SHA1
43ccf154288a8a3b6ca3d8ac83fb8d026feb0a09

SHA256
f15bfde98972c1025eab0ab0efba85e8e3c59eb1d6a1e3531ad5d0e2c73b0717

SHA512
52e8cb68aa57efa52445f616743ad1658e621c905efb6361672b0ec33785bd24dfb21045735c6417ae2fa914f3505455955a49c0a34c38640b08c946050701dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap2744.exe
Filesize
352KB

MD5
e8c26364b610035f1b7cf5c8c45f26b6

SHA1
43ccf154288a8a3b6ca3d8ac83fb8d026feb0a09

SHA256
f15bfde98972c1025eab0ab0efba85e8e3c59eb1d6a1e3531ad5d0e2c73b0717

SHA512
52e8cb68aa57efa52445f616743ad1658e621c905efb6361672b0ec33785bd24dfb21045735c6417ae2fa914f3505455955a49c0a34c38640b08c946050701dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2301.exe
Filesize
11KB

MD5
ac5f3f95f50998ac30d02aab76d841b0

SHA1
3d66ecadccbd4409f354bdc0e164202bacbc66ea

SHA256
9fa9cfccc668d1e8f6e3e2a9c307a415e4f1bd70d456fa36afe811cd0f6e3c7d

SHA512
69aa244ef9247159f5a9eed0b64a6c6beb3818d9953129f42fd1b89ae43bd45d6402011d29b590a68251c20f8c6792cf266a8e81b41a135a5797e8b741c77750

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2301.exe
Filesize
11KB

MD5
ac5f3f95f50998ac30d02aab76d841b0

SHA1
3d66ecadccbd4409f354bdc0e164202bacbc66ea

SHA256
9fa9cfccc668d1e8f6e3e2a9c307a415e4f1bd70d456fa36afe811cd0f6e3c7d

SHA512
69aa244ef9247159f5a9eed0b64a6c6beb3818d9953129f42fd1b89ae43bd45d6402011d29b590a68251c20f8c6792cf266a8e81b41a135a5797e8b741c77750

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0607Wu.exe
Filesize
325KB

MD5
cd43ba1125ac9a316d3ccda8d86fdb70

SHA1
deb2031ad25010806b899fb0a1acb6b6e139c1d8

SHA256
4dc25d344c4a03d768dffbdd4f7dc71e7f0bdc7644985f6f92d8b5e674e68cbc

SHA512
b7f85198b27bbaa021020f5f6bcdd7264760c5ca0fb12da3f464d8cc198239fc36403db0ae07de995761b8e5bebfb42e26d6f4aeb53d7f5edd6b2459ad0de124

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0607Wu.exe
Filesize
325KB

MD5
cd43ba1125ac9a316d3ccda8d86fdb70

SHA1
deb2031ad25010806b899fb0a1acb6b6e139c1d8

SHA256
4dc25d344c4a03d768dffbdd4f7dc71e7f0bdc7644985f6f92d8b5e674e68cbc

SHA512
b7f85198b27bbaa021020f5f6bcdd7264760c5ca0fb12da3f464d8cc198239fc36403db0ae07de995761b8e5bebfb42e26d6f4aeb53d7f5edd6b2459ad0de124

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
7f9b9439277288910af50a400b714e3f

SHA1
dbc839690c732173deb0031a722aa7b61990a51a

SHA256
fb8acec540975187b1617c44a5970156c4218626fbd5d6c112d07f99ccc91a2c

SHA512
36edbacc5ef6f5991aa7d205f2a28fc0030bbda40156f36d56f10129b628871ef731b0182040c44b4e547c9baa9dce51538e05b2dfb4068233c70535738887d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
7f9b9439277288910af50a400b714e3f

SHA1
dbc839690c732173deb0031a722aa7b61990a51a

SHA256
fb8acec540975187b1617c44a5970156c4218626fbd5d6c112d07f99ccc91a2c

SHA512
36edbacc5ef6f5991aa7d205f2a28fc0030bbda40156f36d56f10129b628871ef731b0182040c44b4e547c9baa9dce51538e05b2dfb4068233c70535738887d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
7f9b9439277288910af50a400b714e3f

SHA1
dbc839690c732173deb0031a722aa7b61990a51a

SHA256
fb8acec540975187b1617c44a5970156c4218626fbd5d6c112d07f99ccc91a2c

SHA512
36edbacc5ef6f5991aa7d205f2a28fc0030bbda40156f36d56f10129b628871ef731b0182040c44b4e547c9baa9dce51538e05b2dfb4068233c70535738887d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
7f9b9439277288910af50a400b714e3f

SHA1
dbc839690c732173deb0031a722aa7b61990a51a

SHA256
fb8acec540975187b1617c44a5970156c4218626fbd5d6c112d07f99ccc91a2c

SHA512
36edbacc5ef6f5991aa7d205f2a28fc0030bbda40156f36d56f10129b628871ef731b0182040c44b4e547c9baa9dce51538e05b2dfb4068233c70535738887d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
7f9b9439277288910af50a400b714e3f

SHA1
dbc839690c732173deb0031a722aa7b61990a51a

SHA256
fb8acec540975187b1617c44a5970156c4218626fbd5d6c112d07f99ccc91a2c

SHA512
36edbacc5ef6f5991aa7d205f2a28fc0030bbda40156f36d56f10129b628871ef731b0182040c44b4e547c9baa9dce51538e05b2dfb4068233c70535738887d6

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/1248-1128-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/1248-243-0x0000000004D50000-0x0000000004D8F000-memory.dmp

Filesize
252KB

Download
memory/1248-1138-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/1248-1136-0x0000000008F40000-0x000000000946C000-memory.dmp

Filesize
5.2MB

Download
memory/1248-1135-0x0000000008D70000-0x0000000008F32000-memory.dmp

Filesize
1.8MB

Download
memory/1248-1134-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/1248-1133-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/1248-1132-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/1248-1131-0x0000000008BF0000-0x0000000008C40000-memory.dmp

Filesize
320KB

Download
memory/1248-1130-0x0000000008B60000-0x0000000008BD6000-memory.dmp

Filesize
472KB

Download
memory/1248-1129-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/1248-1126-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/1248-1125-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/1248-1124-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/1248-1123-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/1248-212-0x0000000002C60000-0x0000000002CAB000-memory.dmp

Filesize
300KB

Download
memory/1248-214-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/1248-213-0x0000000004D50000-0x0000000004D8F000-memory.dmp

Filesize
252KB

Download
memory/1248-216-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/1248-215-0x0000000004D50000-0x0000000004D8F000-memory.dmp

Filesize
252KB

Download
memory/1248-218-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/1248-219-0x0000000004D50000-0x0000000004D8F000-memory.dmp

Filesize
252KB

Download
memory/1248-221-0x0000000004D50000-0x0000000004D8F000-memory.dmp

Filesize
252KB

Download
memory/1248-223-0x0000000004D50000-0x0000000004D8F000-memory.dmp

Filesize
252KB

Download
memory/1248-225-0x0000000004D50000-0x0000000004D8F000-memory.dmp

Filesize
252KB

Download
memory/1248-227-0x0000000004D50000-0x0000000004D8F000-memory.dmp

Filesize
252KB

Download
memory/1248-229-0x0000000004D50000-0x0000000004D8F000-memory.dmp

Filesize
252KB

Download
memory/1248-231-0x0000000004D50000-0x0000000004D8F000-memory.dmp

Filesize
252KB

Download
memory/1248-233-0x0000000004D50000-0x0000000004D8F000-memory.dmp

Filesize
252KB

Download
memory/1248-235-0x0000000004D50000-0x0000000004D8F000-memory.dmp

Filesize
252KB

Download
memory/1248-237-0x0000000004D50000-0x0000000004D8F000-memory.dmp

Filesize
252KB

Download
memory/1248-239-0x0000000004D50000-0x0000000004D8F000-memory.dmp

Filesize
252KB

Download
memory/1248-241-0x0000000004D50000-0x0000000004D8F000-memory.dmp

Filesize
252KB

Download
memory/1248-1122-0x0000000007940000-0x0000000007F58000-memory.dmp

Filesize
6.1MB

Download
memory/1248-245-0x0000000004D50000-0x0000000004D8F000-memory.dmp

Filesize
252KB

Download
memory/1248-247-0x0000000004D50000-0x0000000004D8F000-memory.dmp

Filesize
252KB

Download
memory/2736-164-0x000000001B440000-0x000000001B58E000-memory.dmp

Filesize
1.3MB

Download
memory/2736-161-0x0000000000900000-0x000000000090A000-memory.dmp

Filesize
40KB

Download
memory/2736-162-0x000000001B440000-0x000000001B58E000-memory.dmp

Filesize
1.3MB

Download
memory/3468-193-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3468-181-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3468-183-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3468-206-0x0000000007310000-0x0000000007320000-memory.dmp

Filesize
64KB

Download
memory/3468-203-0x0000000007310000-0x0000000007320000-memory.dmp

Filesize
64KB

Download
memory/3468-202-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/3468-201-0x0000000007310000-0x0000000007320000-memory.dmp

Filesize
64KB

Download
memory/3468-200-0x0000000007310000-0x0000000007320000-memory.dmp

Filesize
64KB

Download
memory/3468-199-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3468-197-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3468-195-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3468-191-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3468-185-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3468-205-0x0000000007310000-0x0000000007320000-memory.dmp

Filesize
64KB

Download
memory/3468-187-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3468-189-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3468-179-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3468-177-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3468-175-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3468-173-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3468-172-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3468-171-0x0000000007320000-0x00000000078C4000-memory.dmp

Filesize
5.6MB

Download
memory/3468-170-0x0000000007310000-0x0000000007320000-memory.dmp

Filesize
64KB

Download
memory/3468-169-0x0000000002B80000-0x0000000002BAD000-memory.dmp

Filesize
180KB

Download
memory/3468-207-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/4984-1144-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4984-1143-0x0000000000A60000-0x0000000000A92000-memory.dmp

Filesize
200KB

Download