amadey | 23687ae7a68428b9b6ec125804d57c2e092d55af4399219ffa1f7630a9593081

Analysis

max time kernel
144s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23687ae7a68428b9b6ec125804d57c2e092d55af4399219ffa1f7630a9593081.exe
Size

1.0MB
MD5

d6199cf824a6580fe3b017ead5d3ba81
SHA1

7c4f2884b4b1809b17b6eca9e9786ba002f320b9
SHA256

23687ae7a68428b9b6ec125804d57c2e092d55af4399219ffa1f7630a9593081
SHA512

1e5cfa6b56afbe1c36830a401cd4b3c278f3b84fbe310aa65a0abe96043c66e995725ca22ec71b656c6fb8771c3754d298b3cb28a18d539c944c88de8531c6d4
SSDEEP

24576:PyoEXDh3FurT+91Xb6a6NuXIBa7eluguK/G0PFIyU8Zt:adJFY2Zb6a6NuXL7eluzKpP+BO

Score

10^/10

amadey redline boris netu discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

netu

193.233.20.32:4125

Attributes

auth_value
9641925ae487005582b5cf30476dd305

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz7710.exev5430DK.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz7710.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz7710.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz7710.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v5430DK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v5430DK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz7710.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz7710.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz7710.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v5430DK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v5430DK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v5430DK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v5430DK.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4772-209-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/4772-210-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/4772-212-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/4772-214-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/4772-216-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/4772-218-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/4772-220-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/4772-222-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/4772-224-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/4772-226-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/4772-228-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/4772-230-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/4772-237-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/4772-240-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/4772-242-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/4772-232-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/4772-244-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/4772-246-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/4772-1128-0x0000000007190000-0x00000000071A0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y96OD94.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	y96OD94.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 11 IoCs

Processes:

zap6338.exezap2348.exezap7460.exetz7710.exev5430DK.exew87vW25.exexLDRJ95.exey96OD94.exelegenda.exelegenda.exelegenda.exe

pid	process
4876	zap6338.exe
3944	zap2348.exe
4288	zap7460.exe
4776	tz7710.exe
4000	v5430DK.exe
4772	w87vW25.exe
4120	xLDRJ95.exe
1164	y96OD94.exe
1820	legenda.exe
1276	legenda.exe
4572	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1740 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1740	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz7710.exev5430DK.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz7710.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v5430DK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v5430DK.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap2348.exezap7460.exe23687ae7a68428b9b6ec125804d57c2e092d55af4399219ffa1f7630a9593081.exezap6338.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap2348.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7460.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap7460.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	23687ae7a68428b9b6ec125804d57c2e092d55af4399219ffa1f7630a9593081.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	23687ae7a68428b9b6ec125804d57c2e092d55af4399219ffa1f7630a9593081.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6338.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap6338.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2348.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4496 4000 WerFault.exe v5430DK.exe
892 4772 WerFault.exe w87vW25.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4404 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz7710.exev5430DK.exew87vW25.exexLDRJ95.exe

pid process

4776 tz7710.exe
4776 tz7710.exe
4000 v5430DK.exe
4000 v5430DK.exe
4772 w87vW25.exe
4772 w87vW25.exe
4120 xLDRJ95.exe
4120 xLDRJ95.exe

pid	pid_target	process	target process
4496	4000	WerFault.exe	v5430DK.exe
892	4772	WerFault.exe	w87vW25.exe

pid	process
4404	schtasks.exe

pid	process
4776	tz7710.exe
4776	tz7710.exe
4000	v5430DK.exe
4000	v5430DK.exe
4772	w87vW25.exe
4772	w87vW25.exe
4120	xLDRJ95.exe
4120	xLDRJ95.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz7710.exev5430DK.exew87vW25.exexLDRJ95.exe

description	pid	process
Token: SeDebugPrivilege	4776	tz7710.exe
Token: SeDebugPrivilege	4000	v5430DK.exe
Token: SeDebugPrivilege	4772	w87vW25.exe
Token: SeDebugPrivilege	4120	xLDRJ95.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

23687ae7a68428b9b6ec125804d57c2e092d55af4399219ffa1f7630a9593081.exezap6338.exezap2348.exezap7460.exey96OD94.exelegenda.execmd.exe

description	pid	process	target process
PID 2616 wrote to memory of 4876	2616	23687ae7a68428b9b6ec125804d57c2e092d55af4399219ffa1f7630a9593081.exe	zap6338.exe
PID 2616 wrote to memory of 4876	2616	23687ae7a68428b9b6ec125804d57c2e092d55af4399219ffa1f7630a9593081.exe	zap6338.exe
PID 2616 wrote to memory of 4876	2616	23687ae7a68428b9b6ec125804d57c2e092d55af4399219ffa1f7630a9593081.exe	zap6338.exe
PID 4876 wrote to memory of 3944	4876	zap6338.exe	zap2348.exe
PID 4876 wrote to memory of 3944	4876	zap6338.exe	zap2348.exe
PID 4876 wrote to memory of 3944	4876	zap6338.exe	zap2348.exe
PID 3944 wrote to memory of 4288	3944	zap2348.exe	zap7460.exe
PID 3944 wrote to memory of 4288	3944	zap2348.exe	zap7460.exe
PID 3944 wrote to memory of 4288	3944	zap2348.exe	zap7460.exe
PID 4288 wrote to memory of 4776	4288	zap7460.exe	tz7710.exe
PID 4288 wrote to memory of 4776	4288	zap7460.exe	tz7710.exe
PID 4288 wrote to memory of 4000	4288	zap7460.exe	v5430DK.exe
PID 4288 wrote to memory of 4000	4288	zap7460.exe	v5430DK.exe
PID 4288 wrote to memory of 4000	4288	zap7460.exe	v5430DK.exe
PID 3944 wrote to memory of 4772	3944	zap2348.exe	w87vW25.exe
PID 3944 wrote to memory of 4772	3944	zap2348.exe	w87vW25.exe
PID 3944 wrote to memory of 4772	3944	zap2348.exe	w87vW25.exe
PID 4876 wrote to memory of 4120	4876	zap6338.exe	xLDRJ95.exe
PID 4876 wrote to memory of 4120	4876	zap6338.exe	xLDRJ95.exe
PID 4876 wrote to memory of 4120	4876	zap6338.exe	xLDRJ95.exe
PID 2616 wrote to memory of 1164	2616	23687ae7a68428b9b6ec125804d57c2e092d55af4399219ffa1f7630a9593081.exe	y96OD94.exe
PID 2616 wrote to memory of 1164	2616	23687ae7a68428b9b6ec125804d57c2e092d55af4399219ffa1f7630a9593081.exe	y96OD94.exe
PID 2616 wrote to memory of 1164	2616	23687ae7a68428b9b6ec125804d57c2e092d55af4399219ffa1f7630a9593081.exe	y96OD94.exe
PID 1164 wrote to memory of 1820	1164	y96OD94.exe	legenda.exe
PID 1164 wrote to memory of 1820	1164	y96OD94.exe	legenda.exe
PID 1164 wrote to memory of 1820	1164	y96OD94.exe	legenda.exe
PID 1820 wrote to memory of 4404	1820	legenda.exe	schtasks.exe
PID 1820 wrote to memory of 4404	1820	legenda.exe	schtasks.exe
PID 1820 wrote to memory of 4404	1820	legenda.exe	schtasks.exe
PID 1820 wrote to memory of 1888	1820	legenda.exe	cmd.exe
PID 1820 wrote to memory of 1888	1820	legenda.exe	cmd.exe
PID 1820 wrote to memory of 1888	1820	legenda.exe	cmd.exe
PID 1888 wrote to memory of 948	1888	cmd.exe	cmd.exe
PID 1888 wrote to memory of 948	1888	cmd.exe	cmd.exe
PID 1888 wrote to memory of 948	1888	cmd.exe	cmd.exe
PID 1888 wrote to memory of 3948	1888	cmd.exe	cacls.exe
PID 1888 wrote to memory of 3948	1888	cmd.exe	cacls.exe
PID 1888 wrote to memory of 3948	1888	cmd.exe	cacls.exe
PID 1888 wrote to memory of 4480	1888	cmd.exe	cacls.exe
PID 1888 wrote to memory of 4480	1888	cmd.exe	cacls.exe
PID 1888 wrote to memory of 4480	1888	cmd.exe	cacls.exe
PID 1888 wrote to memory of 4640	1888	cmd.exe	cmd.exe
PID 1888 wrote to memory of 4640	1888	cmd.exe	cmd.exe
PID 1888 wrote to memory of 4640	1888	cmd.exe	cmd.exe
PID 1888 wrote to memory of 696	1888	cmd.exe	cacls.exe
PID 1888 wrote to memory of 696	1888	cmd.exe	cacls.exe
PID 1888 wrote to memory of 696	1888	cmd.exe	cacls.exe
PID 1888 wrote to memory of 4460	1888	cmd.exe	cacls.exe
PID 1888 wrote to memory of 4460	1888	cmd.exe	cacls.exe
PID 1888 wrote to memory of 4460	1888	cmd.exe	cacls.exe
PID 1820 wrote to memory of 1740	1820	legenda.exe	rundll32.exe
PID 1820 wrote to memory of 1740	1820	legenda.exe	rundll32.exe
PID 1820 wrote to memory of 1740	1820	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\23687ae7a68428b9b6ec125804d57c2e092d55af4399219ffa1f7630a9593081.exe
"C:\Users\Admin\AppData\Local\Temp\23687ae7a68428b9b6ec125804d57c2e092d55af4399219ffa1f7630a9593081.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2616

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6338.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6338.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4876

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2348.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2348.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7460.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7460.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4288

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7710.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7710.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5430DK.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5430DK.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 1088
6⤵
- Program crash
PID:4496

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w87vW25.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w87vW25.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 1348
5⤵
- Program crash
PID:892

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLDRJ95.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLDRJ95.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y96OD94.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y96OD94.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:4404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:948

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:3948

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4640

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:696

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:4460

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4000 -ip 4000
1⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4772 -ip 4772
1⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:1276

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y96OD94.exe
Filesize
235KB

MD5
33cfc60063c9ac74468d7b049ebda760

SHA1
a4b99f97131380f2313f733f87608ff460f3b7ab

SHA256
fd39438f12d35d00dcdf54371bafeb8739315282c628f4ea80c8484d848ab008

SHA512
91a5ea8d48f29bb8e8bec49e162a2e9583e0b5805c6991b57ab8ffec9838417f18380c3a7f7da63095331399eb71354f6ee7b2a388e94cf0a32a623681e76405

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y96OD94.exe
Filesize
235KB

MD5
33cfc60063c9ac74468d7b049ebda760

SHA1
a4b99f97131380f2313f733f87608ff460f3b7ab

SHA256
fd39438f12d35d00dcdf54371bafeb8739315282c628f4ea80c8484d848ab008

SHA512
91a5ea8d48f29bb8e8bec49e162a2e9583e0b5805c6991b57ab8ffec9838417f18380c3a7f7da63095331399eb71354f6ee7b2a388e94cf0a32a623681e76405

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6338.exe
Filesize
854KB

MD5
a84c414250be87347b39ab1c460dd5b8

SHA1
c6a6fbc48a9691fefffb572808ad994b44f87eb8

SHA256
569e70ce58a9eb7faee0cdd899a952ee04822c75816a20933e51ad86d082f345

SHA512
ab1ee86d6ef35d7ce942d498510e446b941b32cf25b19ed17803448796afcab59c9632067015aa784f84ad24f692ad180533ab16c9ecf0757ef4603ab640752f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6338.exe
Filesize
854KB

MD5
a84c414250be87347b39ab1c460dd5b8

SHA1
c6a6fbc48a9691fefffb572808ad994b44f87eb8

SHA256
569e70ce58a9eb7faee0cdd899a952ee04822c75816a20933e51ad86d082f345

SHA512
ab1ee86d6ef35d7ce942d498510e446b941b32cf25b19ed17803448796afcab59c9632067015aa784f84ad24f692ad180533ab16c9ecf0757ef4603ab640752f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLDRJ95.exe
Filesize
175KB

MD5
a4d1a62d4f8eb643ecda6f52d8493a13

SHA1
0c3d034987e10196a294f2a3115f6500c1646080

SHA256
60ea10956cbb1cf194134fb39f87206d06598fa03957d3896a76f35f439e7417

SHA512
316ef6488fec5be29659a89666f95365a9570e18b329f5b5970f6e9182bf5da77c4aaa3651ef253e9dd2df4357ffe7dbdac4038c71cde159c2099a149060fd6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xLDRJ95.exe
Filesize
175KB

MD5
a4d1a62d4f8eb643ecda6f52d8493a13

SHA1
0c3d034987e10196a294f2a3115f6500c1646080

SHA256
60ea10956cbb1cf194134fb39f87206d06598fa03957d3896a76f35f439e7417

SHA512
316ef6488fec5be29659a89666f95365a9570e18b329f5b5970f6e9182bf5da77c4aaa3651ef253e9dd2df4357ffe7dbdac4038c71cde159c2099a149060fd6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2348.exe
Filesize
712KB

MD5
cdfbf35d17439a2301796d013e64f658

SHA1
97509fbb942e7998c1b9b4845dd33ce4f27cbbed

SHA256
ad126a45cb73345bef9c17ecaa8f84d226ea797a47c6f07a38bc6de50db2df13

SHA512
1c28753ca12f9067acf4eec2e5e8aa238e73d899712c25611c64bcf84cd7c26052a75ed465b71b82201b56130556adaacfcfd11b86c53b7f9116fb8e68011965

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2348.exe
Filesize
712KB

MD5
cdfbf35d17439a2301796d013e64f658

SHA1
97509fbb942e7998c1b9b4845dd33ce4f27cbbed

SHA256
ad126a45cb73345bef9c17ecaa8f84d226ea797a47c6f07a38bc6de50db2df13

SHA512
1c28753ca12f9067acf4eec2e5e8aa238e73d899712c25611c64bcf84cd7c26052a75ed465b71b82201b56130556adaacfcfd11b86c53b7f9116fb8e68011965

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w87vW25.exe
Filesize
383KB

MD5
87f6f91520747774b0a8e6ce574f702d

SHA1
75cba4fd51b25b20f8ae5cc7fb054d5d2a85c344

SHA256
5f00a0f399e1022b79d7fe650d9efc8ab7254ff9c8c2508c45661691b578892b

SHA512
c15b5598e30fdc87ff4721fc0e87d241a991c09f8e326c6429ef5b5418d201ca919175622cc4a663e364cd92382b91b444b4c6404234e5f2a012d836506dd361

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w87vW25.exe
Filesize
383KB

MD5
87f6f91520747774b0a8e6ce574f702d

SHA1
75cba4fd51b25b20f8ae5cc7fb054d5d2a85c344

SHA256
5f00a0f399e1022b79d7fe650d9efc8ab7254ff9c8c2508c45661691b578892b

SHA512
c15b5598e30fdc87ff4721fc0e87d241a991c09f8e326c6429ef5b5418d201ca919175622cc4a663e364cd92382b91b444b4c6404234e5f2a012d836506dd361

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7460.exe
Filesize
352KB

MD5
8b38450a7df35391d1b65345f32d03b9

SHA1
15f2f5b2cf11f606fb6bec616f86858d704c9923

SHA256
8f8274d5f92c12944084ab83f53b6f73699ba63fe7cf552479f34e0acc66d948

SHA512
30eefebf7ef1e84d03c9c193080a63897cd8ce8ee2714dd03ad3874d2f1d76d9668a81ecbe36b2057a03bf8572eb72c56b8dc455e76dac5b8a6def951b86ba7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7460.exe
Filesize
352KB

MD5
8b38450a7df35391d1b65345f32d03b9

SHA1
15f2f5b2cf11f606fb6bec616f86858d704c9923

SHA256
8f8274d5f92c12944084ab83f53b6f73699ba63fe7cf552479f34e0acc66d948

SHA512
30eefebf7ef1e84d03c9c193080a63897cd8ce8ee2714dd03ad3874d2f1d76d9668a81ecbe36b2057a03bf8572eb72c56b8dc455e76dac5b8a6def951b86ba7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7710.exe
Filesize
11KB

MD5
c5ccadb2b1db9dacd0436457b9b41362

SHA1
b092a08a44544dac3e46f4043c23869dd44af5eb

SHA256
2c82a901bf49b51cad4788ae28fc2b052d195300b36fe5b4f85eadd2da8c298e

SHA512
476f4de3ca4102f0884d7848586c41a54e0cba5dde62bf60b1203c2b215990dde14793cf77b7a38c491c4f6f2b978efb37c3300d728ca7a9ca8e59524c351bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7710.exe
Filesize
11KB

MD5
c5ccadb2b1db9dacd0436457b9b41362

SHA1
b092a08a44544dac3e46f4043c23869dd44af5eb

SHA256
2c82a901bf49b51cad4788ae28fc2b052d195300b36fe5b4f85eadd2da8c298e

SHA512
476f4de3ca4102f0884d7848586c41a54e0cba5dde62bf60b1203c2b215990dde14793cf77b7a38c491c4f6f2b978efb37c3300d728ca7a9ca8e59524c351bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5430DK.exe
Filesize
325KB

MD5
a92ea2c5250b2bd683159112f08223cc

SHA1
12e498ef7414f4da360a3a2db2fec05a4bc3f624

SHA256
650a0d620515bbc84e371bf3194a53235436a1ebd28aa303ccc70e7a7a794887

SHA512
20c5614ded6259b60e470e93ebe30c09623a0a3619dae652117f88df6d67719873f63e1a5ec456d08b06d86921c707eb3217d089c52b04548ec1d490a29ac093

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5430DK.exe
Filesize
325KB

MD5
a92ea2c5250b2bd683159112f08223cc

SHA1
12e498ef7414f4da360a3a2db2fec05a4bc3f624

SHA256
650a0d620515bbc84e371bf3194a53235436a1ebd28aa303ccc70e7a7a794887

SHA512
20c5614ded6259b60e470e93ebe30c09623a0a3619dae652117f88df6d67719873f63e1a5ec456d08b06d86921c707eb3217d089c52b04548ec1d490a29ac093

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
33cfc60063c9ac74468d7b049ebda760

SHA1
a4b99f97131380f2313f733f87608ff460f3b7ab

SHA256
fd39438f12d35d00dcdf54371bafeb8739315282c628f4ea80c8484d848ab008

SHA512
91a5ea8d48f29bb8e8bec49e162a2e9583e0b5805c6991b57ab8ffec9838417f18380c3a7f7da63095331399eb71354f6ee7b2a388e94cf0a32a623681e76405

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
33cfc60063c9ac74468d7b049ebda760

SHA1
a4b99f97131380f2313f733f87608ff460f3b7ab

SHA256
fd39438f12d35d00dcdf54371bafeb8739315282c628f4ea80c8484d848ab008

SHA512
91a5ea8d48f29bb8e8bec49e162a2e9583e0b5805c6991b57ab8ffec9838417f18380c3a7f7da63095331399eb71354f6ee7b2a388e94cf0a32a623681e76405

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
33cfc60063c9ac74468d7b049ebda760

SHA1
a4b99f97131380f2313f733f87608ff460f3b7ab

SHA256
fd39438f12d35d00dcdf54371bafeb8739315282c628f4ea80c8484d848ab008

SHA512
91a5ea8d48f29bb8e8bec49e162a2e9583e0b5805c6991b57ab8ffec9838417f18380c3a7f7da63095331399eb71354f6ee7b2a388e94cf0a32a623681e76405

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
33cfc60063c9ac74468d7b049ebda760

SHA1
a4b99f97131380f2313f733f87608ff460f3b7ab

SHA256
fd39438f12d35d00dcdf54371bafeb8739315282c628f4ea80c8484d848ab008

SHA512
91a5ea8d48f29bb8e8bec49e162a2e9583e0b5805c6991b57ab8ffec9838417f18380c3a7f7da63095331399eb71354f6ee7b2a388e94cf0a32a623681e76405

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
33cfc60063c9ac74468d7b049ebda760

SHA1
a4b99f97131380f2313f733f87608ff460f3b7ab

SHA256
fd39438f12d35d00dcdf54371bafeb8739315282c628f4ea80c8484d848ab008

SHA512
91a5ea8d48f29bb8e8bec49e162a2e9583e0b5805c6991b57ab8ffec9838417f18380c3a7f7da63095331399eb71354f6ee7b2a388e94cf0a32a623681e76405

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/4000-183-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4000-181-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4000-187-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4000-189-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4000-195-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4000-193-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4000-191-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4000-197-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4000-199-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4000-200-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/4000-201-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/4000-202-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/4000-204-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/4000-185-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4000-167-0x0000000007210000-0x00000000077B4000-memory.dmp

Filesize
5.6MB

Download
memory/4000-179-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4000-177-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4000-175-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4000-173-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4000-172-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4000-171-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/4000-170-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/4000-169-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/4000-168-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/4120-1140-0x0000000000AF0000-0x0000000000B22000-memory.dmp

Filesize
200KB

Download
memory/4120-1141-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/4772-220-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/4772-237-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/4772-240-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/4772-238-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/4772-242-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/4772-236-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/4772-232-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/4772-244-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/4772-246-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/4772-1119-0x00000000078D0000-0x0000000007EE8000-memory.dmp

Filesize
6.1MB

Download
memory/4772-1120-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/4772-1121-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/4772-1122-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/4772-1123-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/4772-1125-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/4772-1126-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/4772-1127-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/4772-1128-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/4772-1129-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/4772-1130-0x0000000008DA0000-0x0000000008E16000-memory.dmp

Filesize
472KB

Download
memory/4772-1131-0x0000000008E30000-0x0000000008E80000-memory.dmp

Filesize
320KB

Download
memory/4772-1132-0x0000000008EB0000-0x0000000009072000-memory.dmp

Filesize
1.8MB

Download
memory/4772-234-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/4772-233-0x0000000002C70000-0x0000000002CBB000-memory.dmp

Filesize
300KB

Download
memory/4772-230-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/4772-228-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/4772-226-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/4772-224-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/4772-222-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/4772-218-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/4772-216-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/4772-214-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/4772-212-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/4772-210-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/4772-209-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/4772-1133-0x0000000009090000-0x00000000095BC000-memory.dmp

Filesize
5.2MB

Download
memory/4772-1135-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/4776-161-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download