amadey | a98d84121f5cf58cc61fbc27221d290aae00c929d8b6c9c2ce4c0fb2f85102d6

Analysis

max time kernel
131s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a98d84121f5cf58cc61fbc27221d290aae00c929d8b6c9c2ce4c0fb2f85102d6.exe
Size

1.0MB
MD5

eba0ae2cdf13f6ff419dbf728246a668
SHA1

13f41b94098659f40f2f733f980172790a8bbacf
SHA256

a98d84121f5cf58cc61fbc27221d290aae00c929d8b6c9c2ce4c0fb2f85102d6
SHA512

dda1a189782ea3504cd393ec0d99f3a04f30ee2adebdbded2fe35ff5c0efdd0621330a16f213019e84ec69eb8067e1906dcdd18d391b03d7f7d5ae267eb1d666
SSDEEP

24576:jyEMeCHvCcso5dkLUXQ5+/6nSs1/PHBwFvG+XxZ:2EMNCcr5dFQvnSsJPhwFvG

Score

10^/10

amadey redline boris netu discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

netu

193.233.20.32:4125

Attributes

auth_value
9641925ae487005582b5cf30476dd305

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz6347.exev2937TP.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz6347.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz6347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz6347.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz6347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v2937TP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v2937TP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v2937TP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v2937TP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v2937TP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v2937TP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz6347.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz6347.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3756-212-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/3756-214-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/3756-216-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/3756-218-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/3756-220-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/3756-222-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/3756-226-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/3756-228-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/3756-224-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/3756-230-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/3756-232-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/3756-234-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/3756-236-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/3756-238-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/3756-242-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/3756-240-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/3756-244-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/3756-246-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y59cr00.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	y59cr00.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 10 IoCs

Processes:

zap9242.exezap5551.exezap3955.exetz6347.exev2937TP.exew56AR70.exexHsvd50.exey59cr00.exelegenda.exelegenda.exe

pid	process
488	zap9242.exe
2596	zap5551.exe
1604	zap3955.exe
4756	tz6347.exe
3680	v2937TP.exe
3756	w56AR70.exe
4872	xHsvd50.exe
3932	y59cr00.exe
832	legenda.exe
4832	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1832 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1832	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz6347.exev2937TP.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz6347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v2937TP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v2937TP.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap3955.exea98d84121f5cf58cc61fbc27221d290aae00c929d8b6c9c2ce4c0fb2f85102d6.exezap9242.exezap5551.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap3955.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a98d84121f5cf58cc61fbc27221d290aae00c929d8b6c9c2ce4c0fb2f85102d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a98d84121f5cf58cc61fbc27221d290aae00c929d8b6c9c2ce4c0fb2f85102d6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9242.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap9242.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap5551.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap5551.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3955.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

5036 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3484 3680 WerFault.exe v2937TP.exe
4416 3756 WerFault.exe w56AR70.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5104 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz6347.exev2937TP.exew56AR70.exexHsvd50.exe

pid process

4756 tz6347.exe
4756 tz6347.exe
3680 v2937TP.exe
3680 v2937TP.exe
3756 w56AR70.exe
3756 w56AR70.exe
4872 xHsvd50.exe
4872 xHsvd50.exe

pid	process
5036	sc.exe

pid	pid_target	process	target process
3484	3680	WerFault.exe	v2937TP.exe
4416	3756	WerFault.exe	w56AR70.exe

pid	process
5104	schtasks.exe

pid	process
4756	tz6347.exe
4756	tz6347.exe
3680	v2937TP.exe
3680	v2937TP.exe
3756	w56AR70.exe
3756	w56AR70.exe
4872	xHsvd50.exe
4872	xHsvd50.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz6347.exev2937TP.exew56AR70.exexHsvd50.exe

description	pid	process
Token: SeDebugPrivilege	4756	tz6347.exe
Token: SeDebugPrivilege	3680	v2937TP.exe
Token: SeDebugPrivilege	3756	w56AR70.exe
Token: SeDebugPrivilege	4872	xHsvd50.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

a98d84121f5cf58cc61fbc27221d290aae00c929d8b6c9c2ce4c0fb2f85102d6.exezap9242.exezap5551.exezap3955.exey59cr00.exelegenda.execmd.exe

description	pid	process	target process
PID 3700 wrote to memory of 488	3700	a98d84121f5cf58cc61fbc27221d290aae00c929d8b6c9c2ce4c0fb2f85102d6.exe	zap9242.exe
PID 3700 wrote to memory of 488	3700	a98d84121f5cf58cc61fbc27221d290aae00c929d8b6c9c2ce4c0fb2f85102d6.exe	zap9242.exe
PID 3700 wrote to memory of 488	3700	a98d84121f5cf58cc61fbc27221d290aae00c929d8b6c9c2ce4c0fb2f85102d6.exe	zap9242.exe
PID 488 wrote to memory of 2596	488	zap9242.exe	zap5551.exe
PID 488 wrote to memory of 2596	488	zap9242.exe	zap5551.exe
PID 488 wrote to memory of 2596	488	zap9242.exe	zap5551.exe
PID 2596 wrote to memory of 1604	2596	zap5551.exe	zap3955.exe
PID 2596 wrote to memory of 1604	2596	zap5551.exe	zap3955.exe
PID 2596 wrote to memory of 1604	2596	zap5551.exe	zap3955.exe
PID 1604 wrote to memory of 4756	1604	zap3955.exe	tz6347.exe
PID 1604 wrote to memory of 4756	1604	zap3955.exe	tz6347.exe
PID 1604 wrote to memory of 3680	1604	zap3955.exe	v2937TP.exe
PID 1604 wrote to memory of 3680	1604	zap3955.exe	v2937TP.exe
PID 1604 wrote to memory of 3680	1604	zap3955.exe	v2937TP.exe
PID 2596 wrote to memory of 3756	2596	zap5551.exe	w56AR70.exe
PID 2596 wrote to memory of 3756	2596	zap5551.exe	w56AR70.exe
PID 2596 wrote to memory of 3756	2596	zap5551.exe	w56AR70.exe
PID 488 wrote to memory of 4872	488	zap9242.exe	xHsvd50.exe
PID 488 wrote to memory of 4872	488	zap9242.exe	xHsvd50.exe
PID 488 wrote to memory of 4872	488	zap9242.exe	xHsvd50.exe
PID 3700 wrote to memory of 3932	3700	a98d84121f5cf58cc61fbc27221d290aae00c929d8b6c9c2ce4c0fb2f85102d6.exe	y59cr00.exe
PID 3700 wrote to memory of 3932	3700	a98d84121f5cf58cc61fbc27221d290aae00c929d8b6c9c2ce4c0fb2f85102d6.exe	y59cr00.exe
PID 3700 wrote to memory of 3932	3700	a98d84121f5cf58cc61fbc27221d290aae00c929d8b6c9c2ce4c0fb2f85102d6.exe	y59cr00.exe
PID 3932 wrote to memory of 832	3932	y59cr00.exe	legenda.exe
PID 3932 wrote to memory of 832	3932	y59cr00.exe	legenda.exe
PID 3932 wrote to memory of 832	3932	y59cr00.exe	legenda.exe
PID 832 wrote to memory of 5104	832	legenda.exe	schtasks.exe
PID 832 wrote to memory of 5104	832	legenda.exe	schtasks.exe
PID 832 wrote to memory of 5104	832	legenda.exe	schtasks.exe
PID 832 wrote to memory of 4176	832	legenda.exe	cmd.exe
PID 832 wrote to memory of 4176	832	legenda.exe	cmd.exe
PID 832 wrote to memory of 4176	832	legenda.exe	cmd.exe
PID 4176 wrote to memory of 1764	4176	cmd.exe	cmd.exe
PID 4176 wrote to memory of 1764	4176	cmd.exe	cmd.exe
PID 4176 wrote to memory of 1764	4176	cmd.exe	cmd.exe
PID 4176 wrote to memory of 3628	4176	cmd.exe	cacls.exe
PID 4176 wrote to memory of 3628	4176	cmd.exe	cacls.exe
PID 4176 wrote to memory of 3628	4176	cmd.exe	cacls.exe
PID 4176 wrote to memory of 4116	4176	cmd.exe	cacls.exe
PID 4176 wrote to memory of 4116	4176	cmd.exe	cacls.exe
PID 4176 wrote to memory of 4116	4176	cmd.exe	cacls.exe
PID 4176 wrote to memory of 1652	4176	cmd.exe	cmd.exe
PID 4176 wrote to memory of 1652	4176	cmd.exe	cmd.exe
PID 4176 wrote to memory of 1652	4176	cmd.exe	cmd.exe
PID 4176 wrote to memory of 3244	4176	cmd.exe	cacls.exe
PID 4176 wrote to memory of 3244	4176	cmd.exe	cacls.exe
PID 4176 wrote to memory of 3244	4176	cmd.exe	cacls.exe
PID 4176 wrote to memory of 2820	4176	cmd.exe	cacls.exe
PID 4176 wrote to memory of 2820	4176	cmd.exe	cacls.exe
PID 4176 wrote to memory of 2820	4176	cmd.exe	cacls.exe
PID 832 wrote to memory of 1832	832	legenda.exe	rundll32.exe
PID 832 wrote to memory of 1832	832	legenda.exe	rundll32.exe
PID 832 wrote to memory of 1832	832	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a98d84121f5cf58cc61fbc27221d290aae00c929d8b6c9c2ce4c0fb2f85102d6.exe
"C:\Users\Admin\AppData\Local\Temp\a98d84121f5cf58cc61fbc27221d290aae00c929d8b6c9c2ce4c0fb2f85102d6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3700

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9242.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9242.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:488

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5551.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5551.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2596

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3955.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3955.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6347.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6347.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2937TP.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2937TP.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 1076
6⤵
- Program crash
PID:3484

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w56AR70.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w56AR70.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1336
5⤵
- Program crash
PID:4416

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xHsvd50.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xHsvd50.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y59cr00.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y59cr00.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:5104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1764

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:3628

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:4116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1652

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:3244

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:2820

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3680 -ip 3680
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3756 -ip 3756
1⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4832

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:5036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y59cr00.exe
Filesize
235KB

MD5
8064c5c1d375e5595f7820b88e1f7158

SHA1
761d06f8f91b54f5f6bd32bd134aad9b81039eeb

SHA256
b48132d4cc841301d9d081cbd5e416ccfe62976979e321c8c5d2a263c3b38b67

SHA512
45fa99f1a2646b65bb31c96389b7bbba36f505a724a87eae867a79a186fccbb97ca3e24a02c50f14108105424467137ce680b47a5493fd7385bf546c7308f173

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y59cr00.exe
Filesize
235KB

MD5
8064c5c1d375e5595f7820b88e1f7158

SHA1
761d06f8f91b54f5f6bd32bd134aad9b81039eeb

SHA256
b48132d4cc841301d9d081cbd5e416ccfe62976979e321c8c5d2a263c3b38b67

SHA512
45fa99f1a2646b65bb31c96389b7bbba36f505a724a87eae867a79a186fccbb97ca3e24a02c50f14108105424467137ce680b47a5493fd7385bf546c7308f173

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9242.exe
Filesize
854KB

MD5
5e0641b1cd5664f0a81838e1a6bebb25

SHA1
205025ca75c8244ea5e6ed56e28170ce20c88979

SHA256
221c1bb61e6bd58534e3dd8332848793f04b715def46adb9a341cc4f19754f2b

SHA512
9bd468c470afe2a44d09517e4d1b3a940bdfda059ece15c02987819ff33a11d8c889407291c0825e418b0123bfae1f2b001330d60d4827d0d87cfbfe7cc8e2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9242.exe
Filesize
854KB

MD5
5e0641b1cd5664f0a81838e1a6bebb25

SHA1
205025ca75c8244ea5e6ed56e28170ce20c88979

SHA256
221c1bb61e6bd58534e3dd8332848793f04b715def46adb9a341cc4f19754f2b

SHA512
9bd468c470afe2a44d09517e4d1b3a940bdfda059ece15c02987819ff33a11d8c889407291c0825e418b0123bfae1f2b001330d60d4827d0d87cfbfe7cc8e2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xHsvd50.exe
Filesize
175KB

MD5
de49a6b6b170e6da2b37961f08adc909

SHA1
90390053facea4500f8a98497afc00787a2ac428

SHA256
19b7a2d36cd4381d34ab48841f35dcc4dd3f1e14493694f5bef5d9f0064e192f

SHA512
8090be03b4e18ac5d2e5f07e507aa0c48c2e70b835b90e4f59d85102949af649c153315770ba2998fbc478951c893ff7426eca80f9615293e946711865742350

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xHsvd50.exe
Filesize
175KB

MD5
de49a6b6b170e6da2b37961f08adc909

SHA1
90390053facea4500f8a98497afc00787a2ac428

SHA256
19b7a2d36cd4381d34ab48841f35dcc4dd3f1e14493694f5bef5d9f0064e192f

SHA512
8090be03b4e18ac5d2e5f07e507aa0c48c2e70b835b90e4f59d85102949af649c153315770ba2998fbc478951c893ff7426eca80f9615293e946711865742350

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5551.exe
Filesize
711KB

MD5
e6c7a28f4f1f7b30eea52d09b5a8e8e9

SHA1
91ae6e3522edc020f4c90b2eaace8c70b71d39a8

SHA256
4f4c97230eeef8ff6ad3a1b86e10b0d4e4f153227be1247c7de0ba3d4c306e57

SHA512
254471c9b63b003840624b95e93db68036dac40c1f1df7d2ebec76856c9403e2c5315de5d9b8f661e675f8a817329971b1a3ae13d91862661cd91bce4286e849

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5551.exe
Filesize
711KB

MD5
e6c7a28f4f1f7b30eea52d09b5a8e8e9

SHA1
91ae6e3522edc020f4c90b2eaace8c70b71d39a8

SHA256
4f4c97230eeef8ff6ad3a1b86e10b0d4e4f153227be1247c7de0ba3d4c306e57

SHA512
254471c9b63b003840624b95e93db68036dac40c1f1df7d2ebec76856c9403e2c5315de5d9b8f661e675f8a817329971b1a3ae13d91862661cd91bce4286e849

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w56AR70.exe
Filesize
383KB

MD5
44e96af8b793f7a2de00644920c832ac

SHA1
26a6d4b6fcd7ecd095edb48b47aa9ee178830969

SHA256
b30d38413810a8c8c7524fb699d4559ef94a74c337107e823ead4231c7c456e1

SHA512
c4bf8c088b0cb4d93945f6d8b0005207ca26ef7b4c13e6a5b24ee7c96d8e8a9f6303022d09edb13c7b756a7ebc4963d75223e43e93968a81d4cdc731e2b23204

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w56AR70.exe
Filesize
383KB

MD5
44e96af8b793f7a2de00644920c832ac

SHA1
26a6d4b6fcd7ecd095edb48b47aa9ee178830969

SHA256
b30d38413810a8c8c7524fb699d4559ef94a74c337107e823ead4231c7c456e1

SHA512
c4bf8c088b0cb4d93945f6d8b0005207ca26ef7b4c13e6a5b24ee7c96d8e8a9f6303022d09edb13c7b756a7ebc4963d75223e43e93968a81d4cdc731e2b23204

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3955.exe
Filesize
352KB

MD5
81a43971d426c5419799e07130774f16

SHA1
6d5e2ecc03ef0bfc82afa7cfec306ac4b65e5155

SHA256
d0af46b0844d86715b259f9f48ca9662614ffaf631e2a480219c39724cb912d0

SHA512
6bd893596b9ff93c07a02b9a55a368bb776b6f3ad80791b0870b3aa899db1011a5b6bc7420b7f64781b51c9441865b79b58d8d467818cdd8cfd4b3ddbc899a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3955.exe
Filesize
352KB

MD5
81a43971d426c5419799e07130774f16

SHA1
6d5e2ecc03ef0bfc82afa7cfec306ac4b65e5155

SHA256
d0af46b0844d86715b259f9f48ca9662614ffaf631e2a480219c39724cb912d0

SHA512
6bd893596b9ff93c07a02b9a55a368bb776b6f3ad80791b0870b3aa899db1011a5b6bc7420b7f64781b51c9441865b79b58d8d467818cdd8cfd4b3ddbc899a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6347.exe
Filesize
11KB

MD5
1c7f92cfc91b63f7be2cf2d01a14c52f

SHA1
ba59d1fba9d1750c3700cdf40193457511ea5695

SHA256
394d9cda3c0b51ae273827590292b9ade56004fe06f395c6a293e632d9c1ef69

SHA512
3151affdb3ff802a1da404bfb8e08667bfa5bdf13a5136a3c8876267270fb5704ef0d4d75a7a7ef44dbabef40268378d75a851524029db156894bd287ee94621

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6347.exe
Filesize
11KB

MD5
1c7f92cfc91b63f7be2cf2d01a14c52f

SHA1
ba59d1fba9d1750c3700cdf40193457511ea5695

SHA256
394d9cda3c0b51ae273827590292b9ade56004fe06f395c6a293e632d9c1ef69

SHA512
3151affdb3ff802a1da404bfb8e08667bfa5bdf13a5136a3c8876267270fb5704ef0d4d75a7a7ef44dbabef40268378d75a851524029db156894bd287ee94621

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2937TP.exe
Filesize
325KB

MD5
6401e74f4f5d150c6156958362003285

SHA1
d684ce12d616a34e2166efca61484905026a8684

SHA256
0935c901613e533953be86e738fc62f0393d52046c62159669bde35667dc8b5d

SHA512
6ff2fa0702a4ac165347261481a09e5bcc66b9b55167a52ec7850a256afef894e8e28b1cb0bbd3290c9ed54ede772b2a2cb3519e40ec4f6af4c9794c7cbfef13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2937TP.exe
Filesize
325KB

MD5
6401e74f4f5d150c6156958362003285

SHA1
d684ce12d616a34e2166efca61484905026a8684

SHA256
0935c901613e533953be86e738fc62f0393d52046c62159669bde35667dc8b5d

SHA512
6ff2fa0702a4ac165347261481a09e5bcc66b9b55167a52ec7850a256afef894e8e28b1cb0bbd3290c9ed54ede772b2a2cb3519e40ec4f6af4c9794c7cbfef13

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
8064c5c1d375e5595f7820b88e1f7158

SHA1
761d06f8f91b54f5f6bd32bd134aad9b81039eeb

SHA256
b48132d4cc841301d9d081cbd5e416ccfe62976979e321c8c5d2a263c3b38b67

SHA512
45fa99f1a2646b65bb31c96389b7bbba36f505a724a87eae867a79a186fccbb97ca3e24a02c50f14108105424467137ce680b47a5493fd7385bf546c7308f173

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
8064c5c1d375e5595f7820b88e1f7158

SHA1
761d06f8f91b54f5f6bd32bd134aad9b81039eeb

SHA256
b48132d4cc841301d9d081cbd5e416ccfe62976979e321c8c5d2a263c3b38b67

SHA512
45fa99f1a2646b65bb31c96389b7bbba36f505a724a87eae867a79a186fccbb97ca3e24a02c50f14108105424467137ce680b47a5493fd7385bf546c7308f173

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
8064c5c1d375e5595f7820b88e1f7158

SHA1
761d06f8f91b54f5f6bd32bd134aad9b81039eeb

SHA256
b48132d4cc841301d9d081cbd5e416ccfe62976979e321c8c5d2a263c3b38b67

SHA512
45fa99f1a2646b65bb31c96389b7bbba36f505a724a87eae867a79a186fccbb97ca3e24a02c50f14108105424467137ce680b47a5493fd7385bf546c7308f173

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
8064c5c1d375e5595f7820b88e1f7158

SHA1
761d06f8f91b54f5f6bd32bd134aad9b81039eeb

SHA256
b48132d4cc841301d9d081cbd5e416ccfe62976979e321c8c5d2a263c3b38b67

SHA512
45fa99f1a2646b65bb31c96389b7bbba36f505a724a87eae867a79a186fccbb97ca3e24a02c50f14108105424467137ce680b47a5493fd7385bf546c7308f173

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/3680-182-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/3680-184-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/3680-186-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/3680-188-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/3680-190-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/3680-194-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/3680-192-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/3680-196-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/3680-198-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/3680-199-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/3680-200-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/3680-202-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/3680-201-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/3680-204-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/3680-180-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/3680-178-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/3680-176-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/3680-174-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/3680-172-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/3680-171-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/3680-169-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/3680-170-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/3680-168-0x0000000002C60000-0x0000000002C8D000-memory.dmp

Filesize
180KB

Download
memory/3680-167-0x00000000073A0000-0x0000000007944000-memory.dmp

Filesize
5.6MB

Download
memory/3756-216-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/3756-1127-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/3756-224-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/3756-230-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/3756-232-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/3756-234-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/3756-236-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/3756-238-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/3756-242-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/3756-240-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/3756-244-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/3756-246-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/3756-1119-0x00000000078E0000-0x0000000007EF8000-memory.dmp

Filesize
6.1MB

Download
memory/3756-1120-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/3756-1121-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/3756-1122-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/3756-1123-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/3756-1125-0x00000000083C0000-0x0000000008426000-memory.dmp

Filesize
408KB

Download
memory/3756-1126-0x0000000008A70000-0x0000000008B02000-memory.dmp

Filesize
584KB

Download
memory/3756-228-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/3756-1128-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/3756-1129-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/3756-1130-0x0000000008DC0000-0x0000000008E36000-memory.dmp

Filesize
472KB

Download
memory/3756-1131-0x0000000008E50000-0x0000000008EA0000-memory.dmp

Filesize
320KB

Download
memory/3756-1132-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/3756-1133-0x0000000008EE0000-0x00000000090A2000-memory.dmp

Filesize
1.8MB

Download
memory/3756-1134-0x00000000090B0000-0x00000000095DC000-memory.dmp

Filesize
5.2MB

Download
memory/3756-209-0x0000000002C30000-0x0000000002C7B000-memory.dmp

Filesize
300KB

Download
memory/3756-212-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/3756-210-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/3756-226-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/3756-222-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/3756-220-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/3756-218-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/3756-211-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/3756-213-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/3756-214-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/4756-161-0x0000000000C90000-0x0000000000C9A000-memory.dmp

Filesize
40KB

Download
memory/4872-1141-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/4872-1140-0x00000000004B0000-0x00000000004E2000-memory.dmp

Filesize
200KB

Download