amadey | c6b2dcc0c0837aa1c90698b9a8a6e9d9562c44f272d77f4e66d1bf15e7bfb95f

Analysis

max time kernel
105s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6b2dcc0c0837aa1c90698b9a8a6e9d9562c44f272d77f4e66d1bf15e7bfb95f.exe
Size

1.0MB
MD5

c8db6bda3397c65e71f0e6e744427404
SHA1

98ce80928437f75930908f34f62883689cc0362d
SHA256

c6b2dcc0c0837aa1c90698b9a8a6e9d9562c44f272d77f4e66d1bf15e7bfb95f
SHA512

88bbb9960711c7d76750a2b45caf95d52b017d065d958a7e7f4224d4d1c2ac04c3f883b5ca0cc6981991bc64b1c1bddb59e9c04cb60ee14e219ef0f1ac73e7e9
SSDEEP

24576:vyiZVsyaAAtpryUmhDHo3VOmeFTdmCGStvEkmN5wQqrfd2u:62AAA7rPmlHo87dtGSFEkQ50f

Score

10^/10

amadey redline boris netu discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

netu

193.233.20.32:4125

Attributes

auth_value
9641925ae487005582b5cf30476dd305

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz4133.exev8706kH.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz4133.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz4133.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz4133.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v8706kH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v8706kH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v8706kH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz4133.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz4133.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v8706kH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v8706kH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz4133.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v8706kH.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3152-210-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3152-211-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3152-214-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3152-218-0x0000000007300000-0x0000000007310000-memory.dmp	family_redline
behavioral1/memory/3152-219-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3152-221-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3152-223-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3152-225-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3152-227-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3152-231-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3152-229-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3152-233-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3152-235-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3152-237-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3152-239-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3152-241-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3152-243-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3152-245-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/3152-247-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y57ni91.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	y57ni91.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 10 IoCs

Processes:

zap6901.exezap6329.exezap7057.exetz4133.exev8706kH.exew78II05.exexmBOU04.exey57ni91.exelegenda.exelegenda.exe

pid	process
4276	zap6901.exe
4952	zap6329.exe
4348	zap7057.exe
524	tz4133.exe
1932	v8706kH.exe
3152	w78II05.exe
3992	xmBOU04.exe
3256	y57ni91.exe
1200	legenda.exe
4496	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3592 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3592	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz4133.exev8706kH.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz4133.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v8706kH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v8706kH.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c6b2dcc0c0837aa1c90698b9a8a6e9d9562c44f272d77f4e66d1bf15e7bfb95f.exezap6901.exezap6329.exezap7057.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c6b2dcc0c0837aa1c90698b9a8a6e9d9562c44f272d77f4e66d1bf15e7bfb95f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c6b2dcc0c0837aa1c90698b9a8a6e9d9562c44f272d77f4e66d1bf15e7bfb95f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6901.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap6901.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6329.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap6329.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7057.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap7057.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1144 1932 WerFault.exe v8706kH.exe
2216 3152 WerFault.exe w78II05.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3728 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz4133.exev8706kH.exew78II05.exexmBOU04.exe

pid process

524 tz4133.exe
524 tz4133.exe
1932 v8706kH.exe
1932 v8706kH.exe
3152 w78II05.exe
3152 w78II05.exe
3992 xmBOU04.exe
3992 xmBOU04.exe

pid	pid_target	process	target process
1144	1932	WerFault.exe	v8706kH.exe
2216	3152	WerFault.exe	w78II05.exe

pid	process
3728	schtasks.exe

pid	process
524	tz4133.exe
524	tz4133.exe
1932	v8706kH.exe
1932	v8706kH.exe
3152	w78II05.exe
3152	w78II05.exe
3992	xmBOU04.exe
3992	xmBOU04.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz4133.exev8706kH.exew78II05.exexmBOU04.exe

description	pid	process
Token: SeDebugPrivilege	524	tz4133.exe
Token: SeDebugPrivilege	1932	v8706kH.exe
Token: SeDebugPrivilege	3152	w78II05.exe
Token: SeDebugPrivilege	3992	xmBOU04.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

c6b2dcc0c0837aa1c90698b9a8a6e9d9562c44f272d77f4e66d1bf15e7bfb95f.exezap6901.exezap6329.exezap7057.exey57ni91.exelegenda.execmd.exe

description	pid	process	target process
PID 4456 wrote to memory of 4276	4456	c6b2dcc0c0837aa1c90698b9a8a6e9d9562c44f272d77f4e66d1bf15e7bfb95f.exe	zap6901.exe
PID 4456 wrote to memory of 4276	4456	c6b2dcc0c0837aa1c90698b9a8a6e9d9562c44f272d77f4e66d1bf15e7bfb95f.exe	zap6901.exe
PID 4456 wrote to memory of 4276	4456	c6b2dcc0c0837aa1c90698b9a8a6e9d9562c44f272d77f4e66d1bf15e7bfb95f.exe	zap6901.exe
PID 4276 wrote to memory of 4952	4276	zap6901.exe	zap6329.exe
PID 4276 wrote to memory of 4952	4276	zap6901.exe	zap6329.exe
PID 4276 wrote to memory of 4952	4276	zap6901.exe	zap6329.exe
PID 4952 wrote to memory of 4348	4952	zap6329.exe	zap7057.exe
PID 4952 wrote to memory of 4348	4952	zap6329.exe	zap7057.exe
PID 4952 wrote to memory of 4348	4952	zap6329.exe	zap7057.exe
PID 4348 wrote to memory of 524	4348	zap7057.exe	tz4133.exe
PID 4348 wrote to memory of 524	4348	zap7057.exe	tz4133.exe
PID 4348 wrote to memory of 1932	4348	zap7057.exe	v8706kH.exe
PID 4348 wrote to memory of 1932	4348	zap7057.exe	v8706kH.exe
PID 4348 wrote to memory of 1932	4348	zap7057.exe	v8706kH.exe
PID 4952 wrote to memory of 3152	4952	zap6329.exe	w78II05.exe
PID 4952 wrote to memory of 3152	4952	zap6329.exe	w78II05.exe
PID 4952 wrote to memory of 3152	4952	zap6329.exe	w78II05.exe
PID 4276 wrote to memory of 3992	4276	zap6901.exe	xmBOU04.exe
PID 4276 wrote to memory of 3992	4276	zap6901.exe	xmBOU04.exe
PID 4276 wrote to memory of 3992	4276	zap6901.exe	xmBOU04.exe
PID 4456 wrote to memory of 3256	4456	c6b2dcc0c0837aa1c90698b9a8a6e9d9562c44f272d77f4e66d1bf15e7bfb95f.exe	y57ni91.exe
PID 4456 wrote to memory of 3256	4456	c6b2dcc0c0837aa1c90698b9a8a6e9d9562c44f272d77f4e66d1bf15e7bfb95f.exe	y57ni91.exe
PID 4456 wrote to memory of 3256	4456	c6b2dcc0c0837aa1c90698b9a8a6e9d9562c44f272d77f4e66d1bf15e7bfb95f.exe	y57ni91.exe
PID 3256 wrote to memory of 1200	3256	y57ni91.exe	legenda.exe
PID 3256 wrote to memory of 1200	3256	y57ni91.exe	legenda.exe
PID 3256 wrote to memory of 1200	3256	y57ni91.exe	legenda.exe
PID 1200 wrote to memory of 3728	1200	legenda.exe	schtasks.exe
PID 1200 wrote to memory of 3728	1200	legenda.exe	schtasks.exe
PID 1200 wrote to memory of 3728	1200	legenda.exe	schtasks.exe
PID 1200 wrote to memory of 380	1200	legenda.exe	cmd.exe
PID 1200 wrote to memory of 380	1200	legenda.exe	cmd.exe
PID 1200 wrote to memory of 380	1200	legenda.exe	cmd.exe
PID 380 wrote to memory of 816	380	cmd.exe	cmd.exe
PID 380 wrote to memory of 816	380	cmd.exe	cmd.exe
PID 380 wrote to memory of 816	380	cmd.exe	cmd.exe
PID 380 wrote to memory of 4780	380	cmd.exe	cacls.exe
PID 380 wrote to memory of 4780	380	cmd.exe	cacls.exe
PID 380 wrote to memory of 4780	380	cmd.exe	cacls.exe
PID 380 wrote to memory of 3544	380	cmd.exe	cacls.exe
PID 380 wrote to memory of 3544	380	cmd.exe	cacls.exe
PID 380 wrote to memory of 3544	380	cmd.exe	cacls.exe
PID 380 wrote to memory of 5056	380	cmd.exe	cmd.exe
PID 380 wrote to memory of 5056	380	cmd.exe	cmd.exe
PID 380 wrote to memory of 5056	380	cmd.exe	cmd.exe
PID 380 wrote to memory of 2136	380	cmd.exe	cacls.exe
PID 380 wrote to memory of 2136	380	cmd.exe	cacls.exe
PID 380 wrote to memory of 2136	380	cmd.exe	cacls.exe
PID 380 wrote to memory of 1336	380	cmd.exe	cacls.exe
PID 380 wrote to memory of 1336	380	cmd.exe	cacls.exe
PID 380 wrote to memory of 1336	380	cmd.exe	cacls.exe
PID 1200 wrote to memory of 3592	1200	legenda.exe	rundll32.exe
PID 1200 wrote to memory of 3592	1200	legenda.exe	rundll32.exe
PID 1200 wrote to memory of 3592	1200	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\c6b2dcc0c0837aa1c90698b9a8a6e9d9562c44f272d77f4e66d1bf15e7bfb95f.exe
"C:\Users\Admin\AppData\Local\Temp\c6b2dcc0c0837aa1c90698b9a8a6e9d9562c44f272d77f4e66d1bf15e7bfb95f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4456

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6901.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6901.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4276

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6329.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6329.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4952

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7057.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7057.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4348

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4133.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4133.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8706kH.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8706kH.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 1080
6⤵
- Program crash
PID:1144

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w78II05.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w78II05.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 1344
5⤵
- Program crash
PID:2216

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xmBOU04.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xmBOU04.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y57ni91.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y57ni91.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:3728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:816

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:4780

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:3544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:5056

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:2136

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:1336

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1932 -ip 1932
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3152 -ip 3152
1⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y57ni91.exe
Filesize
235KB

MD5
daae1fd2cab48c5d66bdc9ae4997bdc4

SHA1
1c4738cf3918157e80faaf34784236324532a38c

SHA256
af41a6331b0435b8916e229ddb26457d488c10cfce8ce85d32b39e0e17f95e1c

SHA512
14dfb9f3dc39cb3bd66296fd8f631edaf7cbbfbca2fcaf472598f5218518bfc397cfe01a48e943c0620b141bc213bf57232ac9886115cdafed194552e2997501

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y57ni91.exe
Filesize
235KB

MD5
daae1fd2cab48c5d66bdc9ae4997bdc4

SHA1
1c4738cf3918157e80faaf34784236324532a38c

SHA256
af41a6331b0435b8916e229ddb26457d488c10cfce8ce85d32b39e0e17f95e1c

SHA512
14dfb9f3dc39cb3bd66296fd8f631edaf7cbbfbca2fcaf472598f5218518bfc397cfe01a48e943c0620b141bc213bf57232ac9886115cdafed194552e2997501

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6901.exe
Filesize
855KB

MD5
b852820d62016b4c36148b54cf6e5824

SHA1
1179228bb4fc9751480f6ab172607126cd669927

SHA256
7b8d8e286ca037df439bbdc76acb42befdaa49d52eeb8a061538ad9a797a1db3

SHA512
ad69ce700a6558bbe4c7851067cece82de41a6a3a1a133030dad16b3ab19aa733a4ba54f6db3d7bed54c46afec42240d63cdd58b93340d4008642fb65a5f0205

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6901.exe
Filesize
855KB

MD5
b852820d62016b4c36148b54cf6e5824

SHA1
1179228bb4fc9751480f6ab172607126cd669927

SHA256
7b8d8e286ca037df439bbdc76acb42befdaa49d52eeb8a061538ad9a797a1db3

SHA512
ad69ce700a6558bbe4c7851067cece82de41a6a3a1a133030dad16b3ab19aa733a4ba54f6db3d7bed54c46afec42240d63cdd58b93340d4008642fb65a5f0205

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xmBOU04.exe
Filesize
175KB

MD5
757f95f4fe499832e73e84871ae96bdb

SHA1
55e3a338753cd6040da95d9f38bb8071bd385b9a

SHA256
733b3657959931c5e5fe0a809914768e9043540dac657b6117850fd7dc8f1f39

SHA512
b54f7b103bd72103251daece4055f7caa7cec8b5f3321c0299c78261ef4100bda8b7ab6cda09a4586c553ee05e68a5864c859c0b25ddfe898a027aeae5ac9eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xmBOU04.exe
Filesize
175KB

MD5
757f95f4fe499832e73e84871ae96bdb

SHA1
55e3a338753cd6040da95d9f38bb8071bd385b9a

SHA256
733b3657959931c5e5fe0a809914768e9043540dac657b6117850fd7dc8f1f39

SHA512
b54f7b103bd72103251daece4055f7caa7cec8b5f3321c0299c78261ef4100bda8b7ab6cda09a4586c553ee05e68a5864c859c0b25ddfe898a027aeae5ac9eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6329.exe
Filesize
712KB

MD5
658ec19655c8809d14b4954047fc6e4f

SHA1
bf787bb3cc4fc8c6613e1ed7c83cfa6e5765fe0c

SHA256
3045eb211d2c1147959555c9e322adf5025ba24d99fc7d260e83e161e86e9803

SHA512
0da06b1e1454f6cab54138f5fedb3faf8cff9f38925b452854fc9da006a65b6de2d97b0cf8ceb4c29cd61222843ec29fb13a9c1c01b2c39fc3f9f4f0723513f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6329.exe
Filesize
712KB

MD5
658ec19655c8809d14b4954047fc6e4f

SHA1
bf787bb3cc4fc8c6613e1ed7c83cfa6e5765fe0c

SHA256
3045eb211d2c1147959555c9e322adf5025ba24d99fc7d260e83e161e86e9803

SHA512
0da06b1e1454f6cab54138f5fedb3faf8cff9f38925b452854fc9da006a65b6de2d97b0cf8ceb4c29cd61222843ec29fb13a9c1c01b2c39fc3f9f4f0723513f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w78II05.exe
Filesize
383KB

MD5
2117599cc9a05e6fbac542c4376724eb

SHA1
2583f73e75f4087f95570bded15e154b92d93e70

SHA256
8359295d78902f002936b5b47a271b3d5da611c6cde951d28d6277565d630547

SHA512
6ac78874d951cbf03fbb5a5522c1b595d7a6232a3b465e884df81cbd1393540af6a307c9499b2d305009e6082afd8ffd99d4b035b33f510aa5cc8a6d1d8b71e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w78II05.exe
Filesize
383KB

MD5
2117599cc9a05e6fbac542c4376724eb

SHA1
2583f73e75f4087f95570bded15e154b92d93e70

SHA256
8359295d78902f002936b5b47a271b3d5da611c6cde951d28d6277565d630547

SHA512
6ac78874d951cbf03fbb5a5522c1b595d7a6232a3b465e884df81cbd1393540af6a307c9499b2d305009e6082afd8ffd99d4b035b33f510aa5cc8a6d1d8b71e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7057.exe
Filesize
352KB

MD5
55f5ea40bea2d73b3ff7ae529fe3e3a6

SHA1
c46a1429c135a46900980e979de51c216dab8d30

SHA256
70bdfee9a4b902d694af31a81ee49472831a457c12c80119e62f74279aee4cd1

SHA512
ca01f57798a78c731c6ce565102b7719311dbfecd123084de396cfd9f6593a0d1d74fe7a0ebaafc2bf4bc30c8ef267af358c33ba7f853fdb4a79e68325e9db51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7057.exe
Filesize
352KB

MD5
55f5ea40bea2d73b3ff7ae529fe3e3a6

SHA1
c46a1429c135a46900980e979de51c216dab8d30

SHA256
70bdfee9a4b902d694af31a81ee49472831a457c12c80119e62f74279aee4cd1

SHA512
ca01f57798a78c731c6ce565102b7719311dbfecd123084de396cfd9f6593a0d1d74fe7a0ebaafc2bf4bc30c8ef267af358c33ba7f853fdb4a79e68325e9db51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4133.exe
Filesize
11KB

MD5
e52cdda5b72a65fc8e9ed444b985ba79

SHA1
2f3900f64405c86a4bceb182b582120a4f3c2cd9

SHA256
8cdcd4459a2b8a7fe39c45558442c5325ee0a87ed9addec6d62cc7e423656f94

SHA512
7cbe852f1d40a60dddd0c3569301717378b0241764e2c30026265ec68aed0cec1498bf93f4af0f04bc1c35eb13c5646447fb395f42a8dd4963d2125a642cf699

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4133.exe
Filesize
11KB

MD5
e52cdda5b72a65fc8e9ed444b985ba79

SHA1
2f3900f64405c86a4bceb182b582120a4f3c2cd9

SHA256
8cdcd4459a2b8a7fe39c45558442c5325ee0a87ed9addec6d62cc7e423656f94

SHA512
7cbe852f1d40a60dddd0c3569301717378b0241764e2c30026265ec68aed0cec1498bf93f4af0f04bc1c35eb13c5646447fb395f42a8dd4963d2125a642cf699

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8706kH.exe
Filesize
325KB

MD5
d518ed8eb8b47b6fff77f93264b61d49

SHA1
0c80acd81cf200a2ce40b02511c2a75cd794636a

SHA256
e236989b867bbf8800ca95202a94a82632e9dd4aa745a9c808394bb609bda787

SHA512
4ab33f78ffda8497fdb8e97ebbafc0a63a72593ecb77583f2b6b7f99a032a808987d43d3825ec7108d7f217ff147952571781b61cfa16671fa0900ae23302808

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8706kH.exe
Filesize
325KB

MD5
d518ed8eb8b47b6fff77f93264b61d49

SHA1
0c80acd81cf200a2ce40b02511c2a75cd794636a

SHA256
e236989b867bbf8800ca95202a94a82632e9dd4aa745a9c808394bb609bda787

SHA512
4ab33f78ffda8497fdb8e97ebbafc0a63a72593ecb77583f2b6b7f99a032a808987d43d3825ec7108d7f217ff147952571781b61cfa16671fa0900ae23302808

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
daae1fd2cab48c5d66bdc9ae4997bdc4

SHA1
1c4738cf3918157e80faaf34784236324532a38c

SHA256
af41a6331b0435b8916e229ddb26457d488c10cfce8ce85d32b39e0e17f95e1c

SHA512
14dfb9f3dc39cb3bd66296fd8f631edaf7cbbfbca2fcaf472598f5218518bfc397cfe01a48e943c0620b141bc213bf57232ac9886115cdafed194552e2997501

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
daae1fd2cab48c5d66bdc9ae4997bdc4

SHA1
1c4738cf3918157e80faaf34784236324532a38c

SHA256
af41a6331b0435b8916e229ddb26457d488c10cfce8ce85d32b39e0e17f95e1c

SHA512
14dfb9f3dc39cb3bd66296fd8f631edaf7cbbfbca2fcaf472598f5218518bfc397cfe01a48e943c0620b141bc213bf57232ac9886115cdafed194552e2997501

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
daae1fd2cab48c5d66bdc9ae4997bdc4

SHA1
1c4738cf3918157e80faaf34784236324532a38c

SHA256
af41a6331b0435b8916e229ddb26457d488c10cfce8ce85d32b39e0e17f95e1c

SHA512
14dfb9f3dc39cb3bd66296fd8f631edaf7cbbfbca2fcaf472598f5218518bfc397cfe01a48e943c0620b141bc213bf57232ac9886115cdafed194552e2997501

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
daae1fd2cab48c5d66bdc9ae4997bdc4

SHA1
1c4738cf3918157e80faaf34784236324532a38c

SHA256
af41a6331b0435b8916e229ddb26457d488c10cfce8ce85d32b39e0e17f95e1c

SHA512
14dfb9f3dc39cb3bd66296fd8f631edaf7cbbfbca2fcaf472598f5218518bfc397cfe01a48e943c0620b141bc213bf57232ac9886115cdafed194552e2997501

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/524-161-0x0000000000ED0000-0x0000000000EDA000-memory.dmp

Filesize
40KB

Download
memory/1932-182-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1932-186-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1932-188-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1932-190-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1932-192-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1932-194-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1932-196-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1932-197-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/1932-198-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/1932-199-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/1932-200-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/1932-202-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/1932-203-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/1932-204-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/1932-205-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/1932-184-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1932-180-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1932-178-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1932-176-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1932-174-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1932-172-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1932-170-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1932-169-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1932-168-0x0000000007230000-0x00000000077D4000-memory.dmp

Filesize
5.6MB

Download
memory/1932-167-0x0000000002B80000-0x0000000002BAD000-memory.dmp

Filesize
180KB

Download
memory/3152-215-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3152-1128-0x0000000008A40000-0x0000000008C02000-memory.dmp

Filesize
1.8MB

Download
memory/3152-231-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3152-229-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3152-233-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3152-235-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3152-237-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3152-239-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3152-241-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3152-243-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3152-245-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3152-247-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3152-1120-0x00000000078C0000-0x0000000007ED8000-memory.dmp

Filesize
6.1MB

Download
memory/3152-1121-0x0000000007EE0000-0x0000000007FEA000-memory.dmp

Filesize
1.0MB

Download
memory/3152-1122-0x0000000007280000-0x0000000007292000-memory.dmp

Filesize
72KB

Download
memory/3152-1123-0x00000000072A0000-0x00000000072DC000-memory.dmp

Filesize
240KB

Download
memory/3152-1124-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3152-1126-0x0000000008280000-0x0000000008312000-memory.dmp

Filesize
584KB

Download
memory/3152-1127-0x0000000008320000-0x0000000008386000-memory.dmp

Filesize
408KB

Download
memory/3152-227-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3152-1129-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3152-1130-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3152-1131-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3152-1132-0x0000000008C10000-0x000000000913C000-memory.dmp

Filesize
5.2MB

Download
memory/3152-1133-0x00000000093B0000-0x0000000009426000-memory.dmp

Filesize
472KB

Download
memory/3152-1134-0x0000000009440000-0x0000000009490000-memory.dmp

Filesize
320KB

Download
memory/3152-1135-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3152-210-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3152-211-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3152-225-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3152-223-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3152-221-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3152-219-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3152-216-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3152-218-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3152-213-0x0000000002B90000-0x0000000002BDB000-memory.dmp

Filesize
300KB

Download
memory/3152-214-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/3992-1142-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/3992-1141-0x0000000000B60000-0x0000000000B92000-memory.dmp

Filesize
200KB

Download