amadey | 6a238ef557f48a9ff660863f0873d519443701833d1f3ecc9e9e474107493f84

Analysis

max time kernel
124s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a238ef557f48a9ff660863f0873d519443701833d1f3ecc9e9e474107493f84.exe
Size

1.0MB
MD5

0d8e3e4a21e50897b89f2e2417130879
SHA1

a8959f0ac6e003a8032edc0a007849324be46a62
SHA256

6a238ef557f48a9ff660863f0873d519443701833d1f3ecc9e9e474107493f84
SHA512

ec08376e7b7c30a5f74793087858c06ab1d0c8d3843bf5f392e92d8ffb678b37db4f51159c52e7834d1a688996c3b5a01691716a1725e6a86876e1400736806f
SSDEEP

24576:9yZUhy1Zcnrn92sFwJCUwUCl4JpnolfFh8gM9bOplJ+hF:YZ/6nBtiuUQIolfnzM9iDJI

Score

10^/10

amadey redline boris netu discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

netu

193.233.20.32:4125

Attributes

auth_value
9641925ae487005582b5cf30476dd305

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v2379Rj.exetz2744.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v2379Rj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v2379Rj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v2379Rj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v2379Rj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz2744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz2744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz2744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz2744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz2744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz2744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v2379Rj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v2379Rj.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5096-214-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/5096-213-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/5096-217-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/5096-221-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/5096-219-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/5096-223-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/5096-225-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/5096-227-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/5096-229-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/5096-231-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/5096-233-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/5096-235-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/5096-237-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/5096-239-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/5096-241-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/5096-243-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/5096-245-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline
behavioral1/memory/5096-247-0x0000000004C60000-0x0000000004C9F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y54VC03.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	y54VC03.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 11 IoCs

Processes:

zap1468.exezap7095.exezap7349.exetz2744.exev2379Rj.exew48TJ59.exextGXA77.exey54VC03.exelegenda.exelegenda.exelegenda.exe

pid	process
2436	zap1468.exe
3844	zap7095.exe
3456	zap7349.exe
2208	tz2744.exe
4264	v2379Rj.exe
5096	w48TJ59.exe
3000	xtGXA77.exe
4788	y54VC03.exe
3412	legenda.exe
4456	legenda.exe
4780	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1196 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1196	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz2744.exev2379Rj.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz2744.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v2379Rj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v2379Rj.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap1468.exezap7095.exezap7349.exe6a238ef557f48a9ff660863f0873d519443701833d1f3ecc9e9e474107493f84.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap1468.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7095.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap7095.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7349.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap7349.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6a238ef557f48a9ff660863f0873d519443701833d1f3ecc9e9e474107493f84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6a238ef557f48a9ff660863f0873d519443701833d1f3ecc9e9e474107493f84.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1468.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1664 4264 WerFault.exe v2379Rj.exe
2792 5096 WerFault.exe w48TJ59.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4824 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz2744.exev2379Rj.exew48TJ59.exextGXA77.exe

pid process

2208 tz2744.exe
2208 tz2744.exe
4264 v2379Rj.exe
4264 v2379Rj.exe
5096 w48TJ59.exe
5096 w48TJ59.exe
3000 xtGXA77.exe
3000 xtGXA77.exe

pid	pid_target	process	target process
1664	4264	WerFault.exe	v2379Rj.exe
2792	5096	WerFault.exe	w48TJ59.exe

pid	process
4824	schtasks.exe

pid	process
2208	tz2744.exe
2208	tz2744.exe
4264	v2379Rj.exe
4264	v2379Rj.exe
5096	w48TJ59.exe
5096	w48TJ59.exe
3000	xtGXA77.exe
3000	xtGXA77.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz2744.exev2379Rj.exew48TJ59.exextGXA77.exe

description	pid	process
Token: SeDebugPrivilege	2208	tz2744.exe
Token: SeDebugPrivilege	4264	v2379Rj.exe
Token: SeDebugPrivilege	5096	w48TJ59.exe
Token: SeDebugPrivilege	3000	xtGXA77.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

6a238ef557f48a9ff660863f0873d519443701833d1f3ecc9e9e474107493f84.exezap1468.exezap7095.exezap7349.exey54VC03.exelegenda.execmd.exe

description	pid	process	target process
PID 1248 wrote to memory of 2436	1248	6a238ef557f48a9ff660863f0873d519443701833d1f3ecc9e9e474107493f84.exe	zap1468.exe
PID 1248 wrote to memory of 2436	1248	6a238ef557f48a9ff660863f0873d519443701833d1f3ecc9e9e474107493f84.exe	zap1468.exe
PID 1248 wrote to memory of 2436	1248	6a238ef557f48a9ff660863f0873d519443701833d1f3ecc9e9e474107493f84.exe	zap1468.exe
PID 2436 wrote to memory of 3844	2436	zap1468.exe	zap7095.exe
PID 2436 wrote to memory of 3844	2436	zap1468.exe	zap7095.exe
PID 2436 wrote to memory of 3844	2436	zap1468.exe	zap7095.exe
PID 3844 wrote to memory of 3456	3844	zap7095.exe	zap7349.exe
PID 3844 wrote to memory of 3456	3844	zap7095.exe	zap7349.exe
PID 3844 wrote to memory of 3456	3844	zap7095.exe	zap7349.exe
PID 3456 wrote to memory of 2208	3456	zap7349.exe	tz2744.exe
PID 3456 wrote to memory of 2208	3456	zap7349.exe	tz2744.exe
PID 3456 wrote to memory of 4264	3456	zap7349.exe	v2379Rj.exe
PID 3456 wrote to memory of 4264	3456	zap7349.exe	v2379Rj.exe
PID 3456 wrote to memory of 4264	3456	zap7349.exe	v2379Rj.exe
PID 3844 wrote to memory of 5096	3844	zap7095.exe	w48TJ59.exe
PID 3844 wrote to memory of 5096	3844	zap7095.exe	w48TJ59.exe
PID 3844 wrote to memory of 5096	3844	zap7095.exe	w48TJ59.exe
PID 2436 wrote to memory of 3000	2436	zap1468.exe	xtGXA77.exe
PID 2436 wrote to memory of 3000	2436	zap1468.exe	xtGXA77.exe
PID 2436 wrote to memory of 3000	2436	zap1468.exe	xtGXA77.exe
PID 1248 wrote to memory of 4788	1248	6a238ef557f48a9ff660863f0873d519443701833d1f3ecc9e9e474107493f84.exe	y54VC03.exe
PID 1248 wrote to memory of 4788	1248	6a238ef557f48a9ff660863f0873d519443701833d1f3ecc9e9e474107493f84.exe	y54VC03.exe
PID 1248 wrote to memory of 4788	1248	6a238ef557f48a9ff660863f0873d519443701833d1f3ecc9e9e474107493f84.exe	y54VC03.exe
PID 4788 wrote to memory of 3412	4788	y54VC03.exe	legenda.exe
PID 4788 wrote to memory of 3412	4788	y54VC03.exe	legenda.exe
PID 4788 wrote to memory of 3412	4788	y54VC03.exe	legenda.exe
PID 3412 wrote to memory of 4824	3412	legenda.exe	schtasks.exe
PID 3412 wrote to memory of 4824	3412	legenda.exe	schtasks.exe
PID 3412 wrote to memory of 4824	3412	legenda.exe	schtasks.exe
PID 3412 wrote to memory of 3432	3412	legenda.exe	cmd.exe
PID 3412 wrote to memory of 3432	3412	legenda.exe	cmd.exe
PID 3412 wrote to memory of 3432	3412	legenda.exe	cmd.exe
PID 3432 wrote to memory of 5076	3432	cmd.exe	cmd.exe
PID 3432 wrote to memory of 5076	3432	cmd.exe	cmd.exe
PID 3432 wrote to memory of 5076	3432	cmd.exe	cmd.exe
PID 3432 wrote to memory of 1684	3432	cmd.exe	cacls.exe
PID 3432 wrote to memory of 1684	3432	cmd.exe	cacls.exe
PID 3432 wrote to memory of 1684	3432	cmd.exe	cacls.exe
PID 3432 wrote to memory of 3584	3432	cmd.exe	cacls.exe
PID 3432 wrote to memory of 3584	3432	cmd.exe	cacls.exe
PID 3432 wrote to memory of 3584	3432	cmd.exe	cacls.exe
PID 3432 wrote to memory of 2684	3432	cmd.exe	cmd.exe
PID 3432 wrote to memory of 2684	3432	cmd.exe	cmd.exe
PID 3432 wrote to memory of 2684	3432	cmd.exe	cmd.exe
PID 3432 wrote to memory of 2680	3432	cmd.exe	cacls.exe
PID 3432 wrote to memory of 2680	3432	cmd.exe	cacls.exe
PID 3432 wrote to memory of 2680	3432	cmd.exe	cacls.exe
PID 3432 wrote to memory of 4888	3432	cmd.exe	cacls.exe
PID 3432 wrote to memory of 4888	3432	cmd.exe	cacls.exe
PID 3432 wrote to memory of 4888	3432	cmd.exe	cacls.exe
PID 3412 wrote to memory of 1196	3412	legenda.exe	rundll32.exe
PID 3412 wrote to memory of 1196	3412	legenda.exe	rundll32.exe
PID 3412 wrote to memory of 1196	3412	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\6a238ef557f48a9ff660863f0873d519443701833d1f3ecc9e9e474107493f84.exe
"C:\Users\Admin\AppData\Local\Temp\6a238ef557f48a9ff660863f0873d519443701833d1f3ecc9e9e474107493f84.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1468.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1468.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2436

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7095.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7095.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3844

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7349.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7349.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3456

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2744.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2744.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2379Rj.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2379Rj.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1084
6⤵
- Program crash
PID:1664

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w48TJ59.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w48TJ59.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1332
5⤵
- Program crash
PID:2792

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xtGXA77.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xtGXA77.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y54VC03.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y54VC03.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:4824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:5076

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:1684

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2684

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:2680

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:4888

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4264 -ip 4264
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5096 -ip 5096
1⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4456

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y54VC03.exe
Filesize
235KB

MD5
6bb5f769155e3a401244a247133dbc17

SHA1
bcc1f5945cab22daa622f46dab7590de3f60838c

SHA256
2b13d5b03f26635214542ac97fe386d8539c387d8bce50b021b9c06402784385

SHA512
3a2404c6e88eb290f61b3e5c877096fecc5debd99d48b78df033952ff89d8d91a22adb5fdd2655f1531ddc854c9703e96372eb60c07e7c79cfd19ad8698cc60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y54VC03.exe
Filesize
235KB

MD5
6bb5f769155e3a401244a247133dbc17

SHA1
bcc1f5945cab22daa622f46dab7590de3f60838c

SHA256
2b13d5b03f26635214542ac97fe386d8539c387d8bce50b021b9c06402784385

SHA512
3a2404c6e88eb290f61b3e5c877096fecc5debd99d48b78df033952ff89d8d91a22adb5fdd2655f1531ddc854c9703e96372eb60c07e7c79cfd19ad8698cc60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1468.exe
Filesize
853KB

MD5
e69f048b943a17b58fcb3cae715c1cbc

SHA1
989077dd705f4c260cbc872a363154f537f3403d

SHA256
ac78256c8cd9e8c39a7ee55a9c4a9ab0a3ed9204fee441cd627920e9e67d0e6f

SHA512
26cd03a54c5194783fa4af44984493a712052530149074174082af3ad6c137bbd2a83559fc01e4d6182998914ce6f255721b9d695d79369141c856eb6d28ba8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1468.exe
Filesize
853KB

MD5
e69f048b943a17b58fcb3cae715c1cbc

SHA1
989077dd705f4c260cbc872a363154f537f3403d

SHA256
ac78256c8cd9e8c39a7ee55a9c4a9ab0a3ed9204fee441cd627920e9e67d0e6f

SHA512
26cd03a54c5194783fa4af44984493a712052530149074174082af3ad6c137bbd2a83559fc01e4d6182998914ce6f255721b9d695d79369141c856eb6d28ba8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xtGXA77.exe
Filesize
175KB

MD5
4b1aec2c0bf7911688b9d7993c43fba2

SHA1
56a0c16667b39c92c0836eaf3ad4cedbd5e6daf5

SHA256
c1fe403b9b45ce0083a4e2e5d8c1b14fbbe8331fbe42e079350f99cb3e48e122

SHA512
c0459f5c08cc046cb46c2339bf2dbef43277c5858a747eb4c562bb39cb71d4ecbe79f2d08d713b033189ff3117bb81496521aa581c065cef80d5f2a702ebc268

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xtGXA77.exe
Filesize
175KB

MD5
4b1aec2c0bf7911688b9d7993c43fba2

SHA1
56a0c16667b39c92c0836eaf3ad4cedbd5e6daf5

SHA256
c1fe403b9b45ce0083a4e2e5d8c1b14fbbe8331fbe42e079350f99cb3e48e122

SHA512
c0459f5c08cc046cb46c2339bf2dbef43277c5858a747eb4c562bb39cb71d4ecbe79f2d08d713b033189ff3117bb81496521aa581c065cef80d5f2a702ebc268

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7095.exe
Filesize
711KB

MD5
cd9c149723ff6f88fffd086f5bb74f65

SHA1
fc298f4155b91854e390bcb7b7d7f38fa46a6f5d

SHA256
184a688fa452a5a7825e2c7fda80d8534e15ae8d8a66470c443bc95543d9020c

SHA512
89214a283dca2f107e862668d2e1d2517f4b63bbca482bcd6418527f1589130604e1e0e4e738ddf2a255cb8abb9f84b6f258a658dc5db71a6a595698cb291865

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7095.exe
Filesize
711KB

MD5
cd9c149723ff6f88fffd086f5bb74f65

SHA1
fc298f4155b91854e390bcb7b7d7f38fa46a6f5d

SHA256
184a688fa452a5a7825e2c7fda80d8534e15ae8d8a66470c443bc95543d9020c

SHA512
89214a283dca2f107e862668d2e1d2517f4b63bbca482bcd6418527f1589130604e1e0e4e738ddf2a255cb8abb9f84b6f258a658dc5db71a6a595698cb291865

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w48TJ59.exe
Filesize
383KB

MD5
b43c45aea675ec82cfcef8c945ae419a

SHA1
1c2bf19c0c8196fd7e509f6a87d4e0bf1baf6e37

SHA256
90769df37a33292554014ba8148f611ea1045db76ac215d281fc03b87bdcd77a

SHA512
798cd12add2091425b2dfb967ca9103512d15766ff2d60f15422f52669496513948a46d630860b5c9f57ea6920a1edc1e44eb8be432b2545d1dbb3ca9f4ca4f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w48TJ59.exe
Filesize
383KB

MD5
b43c45aea675ec82cfcef8c945ae419a

SHA1
1c2bf19c0c8196fd7e509f6a87d4e0bf1baf6e37

SHA256
90769df37a33292554014ba8148f611ea1045db76ac215d281fc03b87bdcd77a

SHA512
798cd12add2091425b2dfb967ca9103512d15766ff2d60f15422f52669496513948a46d630860b5c9f57ea6920a1edc1e44eb8be432b2545d1dbb3ca9f4ca4f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7349.exe
Filesize
352KB

MD5
ea514cf2f6c6f4d33693960fc7cc32e5

SHA1
48a741a9d679d43cf2195d2cd2118a9c52540ccf

SHA256
f34df799ae02b20b5e790dda045e5673afc8ab32eea80cb18c4752cab9556966

SHA512
0c6e71a60947dc01196185d8da32d3727d40e4da51be9590ef2865b50af34e1d041188ebb36b35e277596c839c82e30c6ebc2d89202b0346f14a3b230f080320

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7349.exe
Filesize
352KB

MD5
ea514cf2f6c6f4d33693960fc7cc32e5

SHA1
48a741a9d679d43cf2195d2cd2118a9c52540ccf

SHA256
f34df799ae02b20b5e790dda045e5673afc8ab32eea80cb18c4752cab9556966

SHA512
0c6e71a60947dc01196185d8da32d3727d40e4da51be9590ef2865b50af34e1d041188ebb36b35e277596c839c82e30c6ebc2d89202b0346f14a3b230f080320

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2744.exe
Filesize
11KB

MD5
1512bcfb3b7bdfdcff7580626d727f21

SHA1
2857ad22f454b9b0de1586b7680c47b23ebb248d

SHA256
15f4f280c1144c200d8df96fd1be01cbd5b5908d21c1b3e3fcff5bcaba6e676a

SHA512
ea72094ec5ff856cb54f5829efac896341412cad373a9401b8ac6322bb41517901f115afa817bbabb6a7ccd7610739caefc92af08e4b06758f93dbd29c36b12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2744.exe
Filesize
11KB

MD5
1512bcfb3b7bdfdcff7580626d727f21

SHA1
2857ad22f454b9b0de1586b7680c47b23ebb248d

SHA256
15f4f280c1144c200d8df96fd1be01cbd5b5908d21c1b3e3fcff5bcaba6e676a

SHA512
ea72094ec5ff856cb54f5829efac896341412cad373a9401b8ac6322bb41517901f115afa817bbabb6a7ccd7610739caefc92af08e4b06758f93dbd29c36b12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2379Rj.exe
Filesize
325KB

MD5
74a8b7bde01014e28bb322edda9e0458

SHA1
26f08035644d40caa78988aa2a144250408f1492

SHA256
beeae6941e8406dd452906e09c143c42caa79916b67059165b661398d4577de7

SHA512
ca5e431a4e59717bb7b4a48fa7bdda1edff845dbeccdc43b66072809b0e09790b770754a9abb954d3c8430b7528f155db489dca02eb37ee6b9c53df090da5bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2379Rj.exe
Filesize
325KB

MD5
74a8b7bde01014e28bb322edda9e0458

SHA1
26f08035644d40caa78988aa2a144250408f1492

SHA256
beeae6941e8406dd452906e09c143c42caa79916b67059165b661398d4577de7

SHA512
ca5e431a4e59717bb7b4a48fa7bdda1edff845dbeccdc43b66072809b0e09790b770754a9abb954d3c8430b7528f155db489dca02eb37ee6b9c53df090da5bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
6bb5f769155e3a401244a247133dbc17

SHA1
bcc1f5945cab22daa622f46dab7590de3f60838c

SHA256
2b13d5b03f26635214542ac97fe386d8539c387d8bce50b021b9c06402784385

SHA512
3a2404c6e88eb290f61b3e5c877096fecc5debd99d48b78df033952ff89d8d91a22adb5fdd2655f1531ddc854c9703e96372eb60c07e7c79cfd19ad8698cc60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
6bb5f769155e3a401244a247133dbc17

SHA1
bcc1f5945cab22daa622f46dab7590de3f60838c

SHA256
2b13d5b03f26635214542ac97fe386d8539c387d8bce50b021b9c06402784385

SHA512
3a2404c6e88eb290f61b3e5c877096fecc5debd99d48b78df033952ff89d8d91a22adb5fdd2655f1531ddc854c9703e96372eb60c07e7c79cfd19ad8698cc60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
6bb5f769155e3a401244a247133dbc17

SHA1
bcc1f5945cab22daa622f46dab7590de3f60838c

SHA256
2b13d5b03f26635214542ac97fe386d8539c387d8bce50b021b9c06402784385

SHA512
3a2404c6e88eb290f61b3e5c877096fecc5debd99d48b78df033952ff89d8d91a22adb5fdd2655f1531ddc854c9703e96372eb60c07e7c79cfd19ad8698cc60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
6bb5f769155e3a401244a247133dbc17

SHA1
bcc1f5945cab22daa622f46dab7590de3f60838c

SHA256
2b13d5b03f26635214542ac97fe386d8539c387d8bce50b021b9c06402784385

SHA512
3a2404c6e88eb290f61b3e5c877096fecc5debd99d48b78df033952ff89d8d91a22adb5fdd2655f1531ddc854c9703e96372eb60c07e7c79cfd19ad8698cc60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
6bb5f769155e3a401244a247133dbc17

SHA1
bcc1f5945cab22daa622f46dab7590de3f60838c

SHA256
2b13d5b03f26635214542ac97fe386d8539c387d8bce50b021b9c06402784385

SHA512
3a2404c6e88eb290f61b3e5c877096fecc5debd99d48b78df033952ff89d8d91a22adb5fdd2655f1531ddc854c9703e96372eb60c07e7c79cfd19ad8698cc60e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/2208-161-0x0000000000290000-0x000000000029A000-memory.dmp

Filesize
40KB

Download
memory/3000-1141-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/3000-1140-0x0000000000C70000-0x0000000000CA2000-memory.dmp

Filesize
200KB

Download
memory/4264-186-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/4264-192-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/4264-194-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/4264-196-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/4264-197-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/4264-198-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/4264-199-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/4264-200-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/4264-202-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/4264-203-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/4264-204-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/4264-205-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/4264-190-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/4264-188-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/4264-184-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/4264-182-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/4264-180-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/4264-178-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/4264-176-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/4264-174-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/4264-172-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/4264-170-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/4264-169-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/4264-168-0x00000000073A0000-0x0000000007944000-memory.dmp

Filesize
5.6MB

Download
memory/4264-167-0x0000000002B80000-0x0000000002BAD000-memory.dmp

Filesize
180KB

Download
memory/5096-213-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/5096-233-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/5096-235-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/5096-237-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/5096-239-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/5096-241-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/5096-243-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/5096-245-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/5096-247-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/5096-1120-0x0000000007930000-0x0000000007F48000-memory.dmp

Filesize
6.1MB

Download
memory/5096-1121-0x0000000007250000-0x000000000735A000-memory.dmp

Filesize
1.0MB

Download
memory/5096-1122-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/5096-1123-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/5096-1124-0x0000000007F90000-0x0000000007FCC000-memory.dmp

Filesize
240KB

Download
memory/5096-1126-0x0000000008280000-0x00000000082E6000-memory.dmp

Filesize
408KB

Download
memory/5096-1127-0x0000000008930000-0x00000000089C2000-memory.dmp

Filesize
584KB

Download
memory/5096-1128-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/5096-1129-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/5096-1130-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/5096-1131-0x0000000009CB0000-0x0000000009D26000-memory.dmp

Filesize
472KB

Download
memory/5096-1132-0x0000000009D40000-0x0000000009D90000-memory.dmp

Filesize
320KB

Download
memory/5096-231-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/5096-229-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/5096-227-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/5096-225-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/5096-223-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/5096-219-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/5096-221-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/5096-217-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/5096-212-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/5096-215-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/5096-214-0x0000000004C60000-0x0000000004C9F000-memory.dmp

Filesize
252KB

Download
memory/5096-211-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/5096-210-0x0000000002C60000-0x0000000002CAB000-memory.dmp

Filesize
300KB

Download
memory/5096-1133-0x0000000009EA0000-0x000000000A062000-memory.dmp

Filesize
1.8MB

Download
memory/5096-1134-0x000000000A070000-0x000000000A59C000-memory.dmp

Filesize
5.2MB

Download