amadey | 2be58da3236d979e3a993f89211dc272a4f9dcc4b32618bd7bf411bbd4f8a5a0

Analysis

max time kernel
115s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2be58da3236d979e3a993f89211dc272a4f9dcc4b32618bd7bf411bbd4f8a5a0.exe
Size

1.0MB
MD5

d8c6359a610074a015bfa40cab0e2ceb
SHA1

748be23f892780a05aac2434e1485c4d37c3e484
SHA256

2be58da3236d979e3a993f89211dc272a4f9dcc4b32618bd7bf411bbd4f8a5a0
SHA512

42a08fc2fbeb412379a7649a3600f37b2b3c2ef0ccbf7cf3f710865c67f46497f86ff4b662f71090996ecb26e2d38eb37cd97d7e867c2b943df888b6a70f6d2c
SSDEEP

24576:2yDHB596MCqBg10TKLTIvayN1gI9oJ9v:FDYMCUgiTKU1b9oJ9

Score

10^/10

amadey redline boris netu discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

netu

193.233.20.32:4125

Attributes

auth_value
9641925ae487005582b5cf30476dd305

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v3996Kd.exetz5538.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v3996Kd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v3996Kd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz5538.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz5538.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v3996Kd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v3996Kd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v3996Kd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v3996Kd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz5538.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz5538.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz5538.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz5538.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/552-210-0x0000000007150000-0x000000000718F000-memory.dmp	family_redline
behavioral1/memory/552-211-0x0000000007150000-0x000000000718F000-memory.dmp	family_redline
behavioral1/memory/552-213-0x0000000007150000-0x000000000718F000-memory.dmp	family_redline
behavioral1/memory/552-215-0x0000000007150000-0x000000000718F000-memory.dmp	family_redline
behavioral1/memory/552-217-0x0000000007150000-0x000000000718F000-memory.dmp	family_redline
behavioral1/memory/552-219-0x0000000007150000-0x000000000718F000-memory.dmp	family_redline
behavioral1/memory/552-221-0x0000000007150000-0x000000000718F000-memory.dmp	family_redline
behavioral1/memory/552-223-0x0000000007150000-0x000000000718F000-memory.dmp	family_redline
behavioral1/memory/552-225-0x0000000007150000-0x000000000718F000-memory.dmp	family_redline
behavioral1/memory/552-227-0x0000000007150000-0x000000000718F000-memory.dmp	family_redline
behavioral1/memory/552-229-0x0000000007150000-0x000000000718F000-memory.dmp	family_redline
behavioral1/memory/552-231-0x0000000007150000-0x000000000718F000-memory.dmp	family_redline
behavioral1/memory/552-233-0x0000000007150000-0x000000000718F000-memory.dmp	family_redline
behavioral1/memory/552-237-0x0000000007150000-0x000000000718F000-memory.dmp	family_redline
behavioral1/memory/552-238-0x00000000072C0000-0x00000000072D0000-memory.dmp	family_redline
behavioral1/memory/552-243-0x0000000007150000-0x000000000718F000-memory.dmp	family_redline
behavioral1/memory/552-241-0x0000000007150000-0x000000000718F000-memory.dmp	family_redline
behavioral1/memory/552-245-0x0000000007150000-0x000000000718F000-memory.dmp	family_redline
behavioral1/memory/552-247-0x0000000007150000-0x000000000718F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y11aS35.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	y11aS35.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 10 IoCs

Processes:

zap6604.exezap9284.exezap3468.exetz5538.exev3996Kd.exew16Ju02.exexdRJd08.exey11aS35.exelegenda.exelegenda.exe

pid	process
4868	zap6604.exe
3124	zap9284.exe
3416	zap3468.exe
2060	tz5538.exe
1120	v3996Kd.exe
552	w16Ju02.exe
3492	xdRJd08.exe
1316	y11aS35.exe
4360	legenda.exe
3448	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

320 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
320	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz5538.exev3996Kd.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz5538.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v3996Kd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v3996Kd.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap6604.exezap9284.exezap3468.exe2be58da3236d979e3a993f89211dc272a4f9dcc4b32618bd7bf411bbd4f8a5a0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6604.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap6604.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9284.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap9284.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap3468.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2be58da3236d979e3a993f89211dc272a4f9dcc4b32618bd7bf411bbd4f8a5a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2be58da3236d979e3a993f89211dc272a4f9dcc4b32618bd7bf411bbd4f8a5a0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3884 1120 WerFault.exe v3996Kd.exe
4108 552 WerFault.exe w16Ju02.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4928 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz5538.exev3996Kd.exew16Ju02.exexdRJd08.exe

pid process

2060 tz5538.exe
2060 tz5538.exe
1120 v3996Kd.exe
1120 v3996Kd.exe
552 w16Ju02.exe
552 w16Ju02.exe
3492 xdRJd08.exe
3492 xdRJd08.exe

pid	pid_target	process	target process
3884	1120	WerFault.exe	v3996Kd.exe
4108	552	WerFault.exe	w16Ju02.exe

pid	process
4928	schtasks.exe

pid	process
2060	tz5538.exe
2060	tz5538.exe
1120	v3996Kd.exe
1120	v3996Kd.exe
552	w16Ju02.exe
552	w16Ju02.exe
3492	xdRJd08.exe
3492	xdRJd08.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz5538.exev3996Kd.exew16Ju02.exexdRJd08.exe

description	pid	process
Token: SeDebugPrivilege	2060	tz5538.exe
Token: SeDebugPrivilege	1120	v3996Kd.exe
Token: SeDebugPrivilege	552	w16Ju02.exe
Token: SeDebugPrivilege	3492	xdRJd08.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

2be58da3236d979e3a993f89211dc272a4f9dcc4b32618bd7bf411bbd4f8a5a0.exezap6604.exezap9284.exezap3468.exey11aS35.exelegenda.execmd.exe

description	pid	process	target process
PID 1612 wrote to memory of 4868	1612	2be58da3236d979e3a993f89211dc272a4f9dcc4b32618bd7bf411bbd4f8a5a0.exe	zap6604.exe
PID 1612 wrote to memory of 4868	1612	2be58da3236d979e3a993f89211dc272a4f9dcc4b32618bd7bf411bbd4f8a5a0.exe	zap6604.exe
PID 1612 wrote to memory of 4868	1612	2be58da3236d979e3a993f89211dc272a4f9dcc4b32618bd7bf411bbd4f8a5a0.exe	zap6604.exe
PID 4868 wrote to memory of 3124	4868	zap6604.exe	zap9284.exe
PID 4868 wrote to memory of 3124	4868	zap6604.exe	zap9284.exe
PID 4868 wrote to memory of 3124	4868	zap6604.exe	zap9284.exe
PID 3124 wrote to memory of 3416	3124	zap9284.exe	zap3468.exe
PID 3124 wrote to memory of 3416	3124	zap9284.exe	zap3468.exe
PID 3124 wrote to memory of 3416	3124	zap9284.exe	zap3468.exe
PID 3416 wrote to memory of 2060	3416	zap3468.exe	tz5538.exe
PID 3416 wrote to memory of 2060	3416	zap3468.exe	tz5538.exe
PID 3416 wrote to memory of 1120	3416	zap3468.exe	v3996Kd.exe
PID 3416 wrote to memory of 1120	3416	zap3468.exe	v3996Kd.exe
PID 3416 wrote to memory of 1120	3416	zap3468.exe	v3996Kd.exe
PID 3124 wrote to memory of 552	3124	zap9284.exe	w16Ju02.exe
PID 3124 wrote to memory of 552	3124	zap9284.exe	w16Ju02.exe
PID 3124 wrote to memory of 552	3124	zap9284.exe	w16Ju02.exe
PID 4868 wrote to memory of 3492	4868	zap6604.exe	xdRJd08.exe
PID 4868 wrote to memory of 3492	4868	zap6604.exe	xdRJd08.exe
PID 4868 wrote to memory of 3492	4868	zap6604.exe	xdRJd08.exe
PID 1612 wrote to memory of 1316	1612	2be58da3236d979e3a993f89211dc272a4f9dcc4b32618bd7bf411bbd4f8a5a0.exe	y11aS35.exe
PID 1612 wrote to memory of 1316	1612	2be58da3236d979e3a993f89211dc272a4f9dcc4b32618bd7bf411bbd4f8a5a0.exe	y11aS35.exe
PID 1612 wrote to memory of 1316	1612	2be58da3236d979e3a993f89211dc272a4f9dcc4b32618bd7bf411bbd4f8a5a0.exe	y11aS35.exe
PID 1316 wrote to memory of 4360	1316	y11aS35.exe	legenda.exe
PID 1316 wrote to memory of 4360	1316	y11aS35.exe	legenda.exe
PID 1316 wrote to memory of 4360	1316	y11aS35.exe	legenda.exe
PID 4360 wrote to memory of 4928	4360	legenda.exe	schtasks.exe
PID 4360 wrote to memory of 4928	4360	legenda.exe	schtasks.exe
PID 4360 wrote to memory of 4928	4360	legenda.exe	schtasks.exe
PID 4360 wrote to memory of 3868	4360	legenda.exe	cmd.exe
PID 4360 wrote to memory of 3868	4360	legenda.exe	cmd.exe
PID 4360 wrote to memory of 3868	4360	legenda.exe	cmd.exe
PID 3868 wrote to memory of 1084	3868	cmd.exe	cmd.exe
PID 3868 wrote to memory of 1084	3868	cmd.exe	cmd.exe
PID 3868 wrote to memory of 1084	3868	cmd.exe	cmd.exe
PID 3868 wrote to memory of 4976	3868	cmd.exe	cacls.exe
PID 3868 wrote to memory of 4976	3868	cmd.exe	cacls.exe
PID 3868 wrote to memory of 4976	3868	cmd.exe	cacls.exe
PID 3868 wrote to memory of 1980	3868	cmd.exe	cacls.exe
PID 3868 wrote to memory of 1980	3868	cmd.exe	cacls.exe
PID 3868 wrote to memory of 1980	3868	cmd.exe	cacls.exe
PID 3868 wrote to memory of 4188	3868	cmd.exe	cmd.exe
PID 3868 wrote to memory of 4188	3868	cmd.exe	cmd.exe
PID 3868 wrote to memory of 4188	3868	cmd.exe	cmd.exe
PID 3868 wrote to memory of 4964	3868	cmd.exe	cacls.exe
PID 3868 wrote to memory of 4964	3868	cmd.exe	cacls.exe
PID 3868 wrote to memory of 4964	3868	cmd.exe	cacls.exe
PID 3868 wrote to memory of 1952	3868	cmd.exe	cacls.exe
PID 3868 wrote to memory of 1952	3868	cmd.exe	cacls.exe
PID 3868 wrote to memory of 1952	3868	cmd.exe	cacls.exe
PID 4360 wrote to memory of 320	4360	legenda.exe	rundll32.exe
PID 4360 wrote to memory of 320	4360	legenda.exe	rundll32.exe
PID 4360 wrote to memory of 320	4360	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\2be58da3236d979e3a993f89211dc272a4f9dcc4b32618bd7bf411bbd4f8a5a0.exe
"C:\Users\Admin\AppData\Local\Temp\2be58da3236d979e3a993f89211dc272a4f9dcc4b32618bd7bf411bbd4f8a5a0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6604.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6604.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4868

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9284.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9284.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3124

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3468.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3468.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3416

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5538.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5538.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3996Kd.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3996Kd.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 1080
6⤵
- Program crash
PID:3884

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w16Ju02.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w16Ju02.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 1796
5⤵
- Program crash
PID:4108

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xdRJd08.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xdRJd08.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y11aS35.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y11aS35.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:4928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1084

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:4976

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4188

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:4964

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:1952

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1120 -ip 1120
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 552 -ip 552
1⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:3448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y11aS35.exe
Filesize
235KB

MD5
1048c110084d14f19f0f6342e7fe724b

SHA1
1b5f3bb53cd146562159528c38dcda30c153c57d

SHA256
f8d97766d7520fae9e0e6ba62fa105bfc179224b75e22056c1f7e3893a1979b2

SHA512
a4c0e1b78b7e7c574a50650bb185b8366322b040c6b5ac127b838ea189aecc6710e58a31a5a2808ad2e9f3f0e57cfa9646f8bc1cbb474e9c76d2028fabf64b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y11aS35.exe
Filesize
235KB

MD5
1048c110084d14f19f0f6342e7fe724b

SHA1
1b5f3bb53cd146562159528c38dcda30c153c57d

SHA256
f8d97766d7520fae9e0e6ba62fa105bfc179224b75e22056c1f7e3893a1979b2

SHA512
a4c0e1b78b7e7c574a50650bb185b8366322b040c6b5ac127b838ea189aecc6710e58a31a5a2808ad2e9f3f0e57cfa9646f8bc1cbb474e9c76d2028fabf64b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6604.exe
Filesize
854KB

MD5
132f593dc40394c46dc95ad2a50a31cb

SHA1
d7e1ca9512181a8b209426370c9f78fa33e613b2

SHA256
1abea426587adb9a925f44751d9b2f0d85e99da55dc5289f1e9554301c3e760f

SHA512
40b63074b528d3c140020b24df608c1b9248e15133372f95ba2f6112704cbc3e31b8172b31e4e71e4c15bb45caf09c5ad0fbabeac708cf606288de8d13c53199

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6604.exe
Filesize
854KB

MD5
132f593dc40394c46dc95ad2a50a31cb

SHA1
d7e1ca9512181a8b209426370c9f78fa33e613b2

SHA256
1abea426587adb9a925f44751d9b2f0d85e99da55dc5289f1e9554301c3e760f

SHA512
40b63074b528d3c140020b24df608c1b9248e15133372f95ba2f6112704cbc3e31b8172b31e4e71e4c15bb45caf09c5ad0fbabeac708cf606288de8d13c53199

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xdRJd08.exe
Filesize
175KB

MD5
cbdc4c5cfece1cd781a382ea5659cab6

SHA1
aa84e3116b295ba85d0c725400764ca3b17a463c

SHA256
ba16433a504aa6a3a15ad0e877b68be5d2b663e58f5aa8ba05825918e9f6c05f

SHA512
2aa96f316e80467e44f634a2d3c5ad16becb640fafc5ee2f64f6d445b96a907099585d2bf351a3cdf802fe8480ddd0d8641260154425367b92b6aeca07d65485

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xdRJd08.exe
Filesize
175KB

MD5
cbdc4c5cfece1cd781a382ea5659cab6

SHA1
aa84e3116b295ba85d0c725400764ca3b17a463c

SHA256
ba16433a504aa6a3a15ad0e877b68be5d2b663e58f5aa8ba05825918e9f6c05f

SHA512
2aa96f316e80467e44f634a2d3c5ad16becb640fafc5ee2f64f6d445b96a907099585d2bf351a3cdf802fe8480ddd0d8641260154425367b92b6aeca07d65485

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9284.exe
Filesize
712KB

MD5
9bc14cfc67bed6fbd0b6f1a8dffb2741

SHA1
518ca0f4afc149b5ecb75235a0e2ae55feba263d

SHA256
9eb25fc3892ef50bd70d9f550300c2236c4b604b1b17c4824f7244803faace90

SHA512
1b1608769c1f7c77e6aab5ad783287019ee45b0edf47f575c53ad8275ca5fdd783dc804014cd442188d8b24172dd6b27569c4c2f2cd902f0ec1131881a18869c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9284.exe
Filesize
712KB

MD5
9bc14cfc67bed6fbd0b6f1a8dffb2741

SHA1
518ca0f4afc149b5ecb75235a0e2ae55feba263d

SHA256
9eb25fc3892ef50bd70d9f550300c2236c4b604b1b17c4824f7244803faace90

SHA512
1b1608769c1f7c77e6aab5ad783287019ee45b0edf47f575c53ad8275ca5fdd783dc804014cd442188d8b24172dd6b27569c4c2f2cd902f0ec1131881a18869c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w16Ju02.exe
Filesize
383KB

MD5
08739588e6db37634b5a421ff0aedfca

SHA1
0b7783acf0ce0c32bc44097320b98cb822563fab

SHA256
be8e9b0bc5f627dbb63d10138253d04cccfbe57d3c279030a019d1d7638e897d

SHA512
06ff973d63c3fac9546b8ad265a7969b898c5345898bbf0dc4e5dccc2fe79f8453b2e548883738483c4c3e1a79f0ace40bff1bcfd500355d2e27e41860e3ee5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w16Ju02.exe
Filesize
383KB

MD5
08739588e6db37634b5a421ff0aedfca

SHA1
0b7783acf0ce0c32bc44097320b98cb822563fab

SHA256
be8e9b0bc5f627dbb63d10138253d04cccfbe57d3c279030a019d1d7638e897d

SHA512
06ff973d63c3fac9546b8ad265a7969b898c5345898bbf0dc4e5dccc2fe79f8453b2e548883738483c4c3e1a79f0ace40bff1bcfd500355d2e27e41860e3ee5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3468.exe
Filesize
352KB

MD5
61b82cbd9ecb14cc47ae3a010456a0cb

SHA1
772d7da7a136469edba2d8f59cdda002b0a8201c

SHA256
d9bad9a621233ec74122e6ad6ec9c1b3524c727ec25e9e6af25a4708c9cb94a0

SHA512
c290e5228d4257860d399926766113aeb66f9ab5b60ee9dd49073ebdfa6746b1088c1028d74a33114aae34b90f82ef3fac670e0c9d43695daa9424f2a32216bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3468.exe
Filesize
352KB

MD5
61b82cbd9ecb14cc47ae3a010456a0cb

SHA1
772d7da7a136469edba2d8f59cdda002b0a8201c

SHA256
d9bad9a621233ec74122e6ad6ec9c1b3524c727ec25e9e6af25a4708c9cb94a0

SHA512
c290e5228d4257860d399926766113aeb66f9ab5b60ee9dd49073ebdfa6746b1088c1028d74a33114aae34b90f82ef3fac670e0c9d43695daa9424f2a32216bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5538.exe
Filesize
11KB

MD5
84e0d5f7f225a60c1bfa614b4fd14bab

SHA1
2ceaa3f0d33e3eec0d4ed6e3924215e814098733

SHA256
edf3bc0fe7ca86b560de85dbff70a90f7e3c343c6f3f00a9fa31d4a939262983

SHA512
0cd05b6a7cce98529f6bee8488e029f6d93596ff1e2663377d40c15993cb353348737ac9b9aa6693e6837bd632c9751c7bf1cd7a99abf40980b34dad75cdfa7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz5538.exe
Filesize
11KB

MD5
84e0d5f7f225a60c1bfa614b4fd14bab

SHA1
2ceaa3f0d33e3eec0d4ed6e3924215e814098733

SHA256
edf3bc0fe7ca86b560de85dbff70a90f7e3c343c6f3f00a9fa31d4a939262983

SHA512
0cd05b6a7cce98529f6bee8488e029f6d93596ff1e2663377d40c15993cb353348737ac9b9aa6693e6837bd632c9751c7bf1cd7a99abf40980b34dad75cdfa7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3996Kd.exe
Filesize
325KB

MD5
a75073fd25f9c281bb4c8025dc78127f

SHA1
789942735f9f6a2a3bd229be67a9ab4a7d561b0d

SHA256
8a3f925ab7ea61ad187aa13a91b1a0f7095182343db95544a900fe13ae30df1d

SHA512
8b8010b1b62041c27e9a55611b52a3d51018331c237617d5c8d4f5fa03694c60224f03233932f8644d1b0ed438b00d929310b477a86941980e06b73816acf0e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3996Kd.exe
Filesize
325KB

MD5
a75073fd25f9c281bb4c8025dc78127f

SHA1
789942735f9f6a2a3bd229be67a9ab4a7d561b0d

SHA256
8a3f925ab7ea61ad187aa13a91b1a0f7095182343db95544a900fe13ae30df1d

SHA512
8b8010b1b62041c27e9a55611b52a3d51018331c237617d5c8d4f5fa03694c60224f03233932f8644d1b0ed438b00d929310b477a86941980e06b73816acf0e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
1048c110084d14f19f0f6342e7fe724b

SHA1
1b5f3bb53cd146562159528c38dcda30c153c57d

SHA256
f8d97766d7520fae9e0e6ba62fa105bfc179224b75e22056c1f7e3893a1979b2

SHA512
a4c0e1b78b7e7c574a50650bb185b8366322b040c6b5ac127b838ea189aecc6710e58a31a5a2808ad2e9f3f0e57cfa9646f8bc1cbb474e9c76d2028fabf64b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
1048c110084d14f19f0f6342e7fe724b

SHA1
1b5f3bb53cd146562159528c38dcda30c153c57d

SHA256
f8d97766d7520fae9e0e6ba62fa105bfc179224b75e22056c1f7e3893a1979b2

SHA512
a4c0e1b78b7e7c574a50650bb185b8366322b040c6b5ac127b838ea189aecc6710e58a31a5a2808ad2e9f3f0e57cfa9646f8bc1cbb474e9c76d2028fabf64b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
1048c110084d14f19f0f6342e7fe724b

SHA1
1b5f3bb53cd146562159528c38dcda30c153c57d

SHA256
f8d97766d7520fae9e0e6ba62fa105bfc179224b75e22056c1f7e3893a1979b2

SHA512
a4c0e1b78b7e7c574a50650bb185b8366322b040c6b5ac127b838ea189aecc6710e58a31a5a2808ad2e9f3f0e57cfa9646f8bc1cbb474e9c76d2028fabf64b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
1048c110084d14f19f0f6342e7fe724b

SHA1
1b5f3bb53cd146562159528c38dcda30c153c57d

SHA256
f8d97766d7520fae9e0e6ba62fa105bfc179224b75e22056c1f7e3893a1979b2

SHA512
a4c0e1b78b7e7c574a50650bb185b8366322b040c6b5ac127b838ea189aecc6710e58a31a5a2808ad2e9f3f0e57cfa9646f8bc1cbb474e9c76d2028fabf64b7e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/552-1127-0x0000000008A90000-0x0000000008B22000-memory.dmp

Filesize
584KB

Download
memory/552-241-0x0000000007150000-0x000000000718F000-memory.dmp

Filesize
252KB

Download
memory/552-1135-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/552-1134-0x0000000009540000-0x0000000009590000-memory.dmp

Filesize
320KB

Download
memory/552-1133-0x00000000094A0000-0x0000000009516000-memory.dmp

Filesize
472KB

Download
memory/552-1132-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/552-1131-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/552-1130-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/552-1129-0x0000000008E50000-0x000000000937C000-memory.dmp

Filesize
5.2MB

Download
memory/552-1128-0x0000000008C80000-0x0000000008E42000-memory.dmp

Filesize
1.8MB

Download
memory/552-1126-0x00000000083C0000-0x0000000008426000-memory.dmp

Filesize
408KB

Download
memory/552-1124-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/552-1123-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/552-1122-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/552-210-0x0000000007150000-0x000000000718F000-memory.dmp

Filesize
252KB

Download
memory/552-211-0x0000000007150000-0x000000000718F000-memory.dmp

Filesize
252KB

Download
memory/552-213-0x0000000007150000-0x000000000718F000-memory.dmp

Filesize
252KB

Download
memory/552-215-0x0000000007150000-0x000000000718F000-memory.dmp

Filesize
252KB

Download
memory/552-217-0x0000000007150000-0x000000000718F000-memory.dmp

Filesize
252KB

Download
memory/552-219-0x0000000007150000-0x000000000718F000-memory.dmp

Filesize
252KB

Download
memory/552-221-0x0000000007150000-0x000000000718F000-memory.dmp

Filesize
252KB

Download
memory/552-223-0x0000000007150000-0x000000000718F000-memory.dmp

Filesize
252KB

Download
memory/552-225-0x0000000007150000-0x000000000718F000-memory.dmp

Filesize
252KB

Download
memory/552-227-0x0000000007150000-0x000000000718F000-memory.dmp

Filesize
252KB

Download
memory/552-229-0x0000000007150000-0x000000000718F000-memory.dmp

Filesize
252KB

Download
memory/552-231-0x0000000007150000-0x000000000718F000-memory.dmp

Filesize
252KB

Download
memory/552-233-0x0000000007150000-0x000000000718F000-memory.dmp

Filesize
252KB

Download
memory/552-234-0x0000000002C80000-0x0000000002CCB000-memory.dmp

Filesize
300KB

Download
memory/552-237-0x0000000007150000-0x000000000718F000-memory.dmp

Filesize
252KB

Download
memory/552-238-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/552-236-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/552-240-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/552-243-0x0000000007150000-0x000000000718F000-memory.dmp

Filesize
252KB

Download
memory/552-1121-0x0000000007FA0000-0x00000000080AA000-memory.dmp

Filesize
1.0MB

Download
memory/552-245-0x0000000007150000-0x000000000718F000-memory.dmp

Filesize
252KB

Download
memory/552-247-0x0000000007150000-0x000000000718F000-memory.dmp

Filesize
252KB

Download
memory/552-1120-0x0000000007980000-0x0000000007F98000-memory.dmp

Filesize
6.1MB

Download
memory/1120-184-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/1120-168-0x00000000072B0000-0x0000000007854000-memory.dmp

Filesize
5.6MB

Download
memory/1120-190-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/1120-205-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/1120-202-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/1120-186-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/1120-203-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/1120-201-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/1120-200-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/1120-199-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/1120-198-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/1120-197-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/1120-196-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/1120-188-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/1120-180-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/1120-182-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/1120-167-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/1120-194-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/1120-192-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/1120-178-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/1120-176-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/1120-174-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/1120-172-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/1120-170-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/1120-169-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/2060-161-0x0000000000810000-0x000000000081A000-memory.dmp

Filesize
40KB

Download
memory/3492-1142-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/3492-1141-0x00000000000E0000-0x0000000000112000-memory.dmp

Filesize
200KB

Download