amadey | a60e095f78689ac5e08883325fc0588b5abe6fec53d7c058a96c8a9488f788ae

Analysis

max time kernel
126s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a60e095f78689ac5e08883325fc0588b5abe6fec53d7c058a96c8a9488f788ae.exe
Size

1.0MB
MD5

7dd9fcef9077933229ecce1496c96f6e
SHA1

b0080c09da640e368c554eaf88a5efa09641899d
SHA256

a60e095f78689ac5e08883325fc0588b5abe6fec53d7c058a96c8a9488f788ae
SHA512

5a20cf8ada1ba40e1204ff9edda00cf77b9d5b59be4c97c6d84a7f1bb921c38e8831c0d4fd3d83c619940d8cd7cbf4a1d36fa3af1d9fff97e695372bbe5941c6
SSDEEP

24576:vy72dGSmDyzevUYMg4NV0xCTS+84fbgvjra7kOEqzwoT:66T6JvU//NVJv8gbgvjm7AqUo

Score

10^/10

amadey redline boris netu discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

netu

193.233.20.32:4125

Attributes

auth_value
9641925ae487005582b5cf30476dd305

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz1369.exev3317FC.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz1369.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v3317FC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v3317FC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v3317FC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz1369.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz1369.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz1369.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v3317FC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v3317FC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz1369.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz1369.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v3317FC.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4420-213-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4420-214-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4420-216-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4420-218-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4420-220-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4420-222-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4420-224-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4420-226-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4420-228-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4420-230-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4420-232-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4420-234-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4420-236-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4420-238-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4420-240-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4420-242-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4420-244-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4420-246-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y77oZ98.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	y77oZ98.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 11 IoCs

Processes:

zap4131.exezap3079.exezap1587.exetz1369.exev3317FC.exew70Xh14.exexpfia61.exey77oZ98.exelegenda.exelegenda.exelegenda.exe

pid	process
4756	zap4131.exe
1384	zap3079.exe
4560	zap1587.exe
4632	tz1369.exe
1536	v3317FC.exe
4420	w70Xh14.exe
524	xpfia61.exe
3092	y77oZ98.exe
4156	legenda.exe
3944	legenda.exe
2280	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3600 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3600	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz1369.exev3317FC.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz1369.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v3317FC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v3317FC.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap4131.exezap3079.exezap1587.exea60e095f78689ac5e08883325fc0588b5abe6fec53d7c058a96c8a9488f788ae.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4131.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap4131.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap3079.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap1587.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a60e095f78689ac5e08883325fc0588b5abe6fec53d7c058a96c8a9488f788ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a60e095f78689ac5e08883325fc0588b5abe6fec53d7c058a96c8a9488f788ae.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2232 1536 WerFault.exe v3317FC.exe
3464 4420 WerFault.exe w70Xh14.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3064 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz1369.exev3317FC.exew70Xh14.exexpfia61.exe

pid process

4632 tz1369.exe
4632 tz1369.exe
1536 v3317FC.exe
1536 v3317FC.exe
4420 w70Xh14.exe
4420 w70Xh14.exe
524 xpfia61.exe
524 xpfia61.exe

pid	pid_target	process	target process
2232	1536	WerFault.exe	v3317FC.exe
3464	4420	WerFault.exe	w70Xh14.exe

pid	process
3064	schtasks.exe

pid	process
4632	tz1369.exe
4632	tz1369.exe
1536	v3317FC.exe
1536	v3317FC.exe
4420	w70Xh14.exe
4420	w70Xh14.exe
524	xpfia61.exe
524	xpfia61.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz1369.exev3317FC.exew70Xh14.exexpfia61.exe

description	pid	process
Token: SeDebugPrivilege	4632	tz1369.exe
Token: SeDebugPrivilege	1536	v3317FC.exe
Token: SeDebugPrivilege	4420	w70Xh14.exe
Token: SeDebugPrivilege	524	xpfia61.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

a60e095f78689ac5e08883325fc0588b5abe6fec53d7c058a96c8a9488f788ae.exezap4131.exezap3079.exezap1587.exey77oZ98.exelegenda.execmd.exe

description	pid	process	target process
PID 2744 wrote to memory of 4756	2744	a60e095f78689ac5e08883325fc0588b5abe6fec53d7c058a96c8a9488f788ae.exe	zap4131.exe
PID 2744 wrote to memory of 4756	2744	a60e095f78689ac5e08883325fc0588b5abe6fec53d7c058a96c8a9488f788ae.exe	zap4131.exe
PID 2744 wrote to memory of 4756	2744	a60e095f78689ac5e08883325fc0588b5abe6fec53d7c058a96c8a9488f788ae.exe	zap4131.exe
PID 4756 wrote to memory of 1384	4756	zap4131.exe	zap3079.exe
PID 4756 wrote to memory of 1384	4756	zap4131.exe	zap3079.exe
PID 4756 wrote to memory of 1384	4756	zap4131.exe	zap3079.exe
PID 1384 wrote to memory of 4560	1384	zap3079.exe	zap1587.exe
PID 1384 wrote to memory of 4560	1384	zap3079.exe	zap1587.exe
PID 1384 wrote to memory of 4560	1384	zap3079.exe	zap1587.exe
PID 4560 wrote to memory of 4632	4560	zap1587.exe	tz1369.exe
PID 4560 wrote to memory of 4632	4560	zap1587.exe	tz1369.exe
PID 4560 wrote to memory of 1536	4560	zap1587.exe	v3317FC.exe
PID 4560 wrote to memory of 1536	4560	zap1587.exe	v3317FC.exe
PID 4560 wrote to memory of 1536	4560	zap1587.exe	v3317FC.exe
PID 1384 wrote to memory of 4420	1384	zap3079.exe	w70Xh14.exe
PID 1384 wrote to memory of 4420	1384	zap3079.exe	w70Xh14.exe
PID 1384 wrote to memory of 4420	1384	zap3079.exe	w70Xh14.exe
PID 4756 wrote to memory of 524	4756	zap4131.exe	xpfia61.exe
PID 4756 wrote to memory of 524	4756	zap4131.exe	xpfia61.exe
PID 4756 wrote to memory of 524	4756	zap4131.exe	xpfia61.exe
PID 2744 wrote to memory of 3092	2744	a60e095f78689ac5e08883325fc0588b5abe6fec53d7c058a96c8a9488f788ae.exe	y77oZ98.exe
PID 2744 wrote to memory of 3092	2744	a60e095f78689ac5e08883325fc0588b5abe6fec53d7c058a96c8a9488f788ae.exe	y77oZ98.exe
PID 2744 wrote to memory of 3092	2744	a60e095f78689ac5e08883325fc0588b5abe6fec53d7c058a96c8a9488f788ae.exe	y77oZ98.exe
PID 3092 wrote to memory of 4156	3092	y77oZ98.exe	legenda.exe
PID 3092 wrote to memory of 4156	3092	y77oZ98.exe	legenda.exe
PID 3092 wrote to memory of 4156	3092	y77oZ98.exe	legenda.exe
PID 4156 wrote to memory of 3064	4156	legenda.exe	schtasks.exe
PID 4156 wrote to memory of 3064	4156	legenda.exe	schtasks.exe
PID 4156 wrote to memory of 3064	4156	legenda.exe	schtasks.exe
PID 4156 wrote to memory of 3748	4156	legenda.exe	cmd.exe
PID 4156 wrote to memory of 3748	4156	legenda.exe	cmd.exe
PID 4156 wrote to memory of 3748	4156	legenda.exe	cmd.exe
PID 3748 wrote to memory of 1592	3748	cmd.exe	cmd.exe
PID 3748 wrote to memory of 1592	3748	cmd.exe	cmd.exe
PID 3748 wrote to memory of 1592	3748	cmd.exe	cmd.exe
PID 3748 wrote to memory of 1236	3748	cmd.exe	cacls.exe
PID 3748 wrote to memory of 1236	3748	cmd.exe	cacls.exe
PID 3748 wrote to memory of 1236	3748	cmd.exe	cacls.exe
PID 3748 wrote to memory of 4004	3748	cmd.exe	cacls.exe
PID 3748 wrote to memory of 4004	3748	cmd.exe	cacls.exe
PID 3748 wrote to memory of 4004	3748	cmd.exe	cacls.exe
PID 3748 wrote to memory of 4668	3748	cmd.exe	cmd.exe
PID 3748 wrote to memory of 4668	3748	cmd.exe	cmd.exe
PID 3748 wrote to memory of 4668	3748	cmd.exe	cmd.exe
PID 3748 wrote to memory of 4272	3748	cmd.exe	cacls.exe
PID 3748 wrote to memory of 4272	3748	cmd.exe	cacls.exe
PID 3748 wrote to memory of 4272	3748	cmd.exe	cacls.exe
PID 3748 wrote to memory of 1704	3748	cmd.exe	cacls.exe
PID 3748 wrote to memory of 1704	3748	cmd.exe	cacls.exe
PID 3748 wrote to memory of 1704	3748	cmd.exe	cacls.exe
PID 4156 wrote to memory of 3600	4156	legenda.exe	rundll32.exe
PID 4156 wrote to memory of 3600	4156	legenda.exe	rundll32.exe
PID 4156 wrote to memory of 3600	4156	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a60e095f78689ac5e08883325fc0588b5abe6fec53d7c058a96c8a9488f788ae.exe
"C:\Users\Admin\AppData\Local\Temp\a60e095f78689ac5e08883325fc0588b5abe6fec53d7c058a96c8a9488f788ae.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2744

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4131.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4131.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4756

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3079.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3079.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1587.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1587.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4560

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1369.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1369.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3317FC.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3317FC.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 1080
6⤵
- Program crash
PID:2232

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w70Xh14.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w70Xh14.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1752
5⤵
- Program crash
PID:3464

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xpfia61.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xpfia61.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y77oZ98.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y77oZ98.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:3064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1592

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:1236

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:4004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4668

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:4272

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:1704

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1536 -ip 1536
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4420 -ip 4420
1⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:3944

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:2280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y77oZ98.exe
Filesize
235KB

MD5
9ef702508d24345fe55dbd39e2a428e7

SHA1
aa8aa2fb5b1e308a40ef12e2a968597b1b6ebaed

SHA256
d6e68f73073334a02e4ea341414a8857119208b91772a13e25a7980bd9545b53

SHA512
3042534e9091d7e0073e58247a4f4b552d13664f6f925c536fb62bfe4dc0382921fe98c6c323ee0cbfffb0c1d753b11642d2f677d86e32b4956bdac8bb4bfeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y77oZ98.exe
Filesize
235KB

MD5
9ef702508d24345fe55dbd39e2a428e7

SHA1
aa8aa2fb5b1e308a40ef12e2a968597b1b6ebaed

SHA256
d6e68f73073334a02e4ea341414a8857119208b91772a13e25a7980bd9545b53

SHA512
3042534e9091d7e0073e58247a4f4b552d13664f6f925c536fb62bfe4dc0382921fe98c6c323ee0cbfffb0c1d753b11642d2f677d86e32b4956bdac8bb4bfeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4131.exe
Filesize
854KB

MD5
330242c2cb394cbdb8e934bcffde106b

SHA1
182bad6ddc23c1555bf625577866e48939962d5c

SHA256
0218230c78a97c88e649af88dda33e07f2a7694c84ef614f4bd1b97e13d5a8a2

SHA512
eec2e5a37681ea4f8219ff998de87e4208d32dc1f2d7dc928b2d2737ec972d11bc5f80ed25033ef7e5ab6c05389a792f88b97ae7281d6ca6f7a92559b93e5025

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap4131.exe
Filesize
854KB

MD5
330242c2cb394cbdb8e934bcffde106b

SHA1
182bad6ddc23c1555bf625577866e48939962d5c

SHA256
0218230c78a97c88e649af88dda33e07f2a7694c84ef614f4bd1b97e13d5a8a2

SHA512
eec2e5a37681ea4f8219ff998de87e4208d32dc1f2d7dc928b2d2737ec972d11bc5f80ed25033ef7e5ab6c05389a792f88b97ae7281d6ca6f7a92559b93e5025

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xpfia61.exe
Filesize
175KB

MD5
70166079a1207159e3d9ac78681a0b48

SHA1
4ec94849cc5a61413392d70589ed7e263cc16930

SHA256
7c9063f5df3de8a879a93d4e8247efc512af15af1482e0a7d70dfe79fdaf8a7e

SHA512
b647a83c1cdb3dbf9a33130af602fe8311877bbe81f4d1c3ee2279ad34f28a4e2ccfecb179f208fdc75e3b6a2f5f9189116cfddb71f73a34cd5067883e5c137a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xpfia61.exe
Filesize
175KB

MD5
70166079a1207159e3d9ac78681a0b48

SHA1
4ec94849cc5a61413392d70589ed7e263cc16930

SHA256
7c9063f5df3de8a879a93d4e8247efc512af15af1482e0a7d70dfe79fdaf8a7e

SHA512
b647a83c1cdb3dbf9a33130af602fe8311877bbe81f4d1c3ee2279ad34f28a4e2ccfecb179f208fdc75e3b6a2f5f9189116cfddb71f73a34cd5067883e5c137a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3079.exe
Filesize
712KB

MD5
e527718cedcf9d1444cd8f8133e55861

SHA1
1e064b074beaeb7285695c65f277d1f86426495b

SHA256
aceef13ebf4d87c8fac5203220b01be4cda20de4cdb08735234fb86a42310e6c

SHA512
d46cad7b42231d04a660eb0736a32235633e348b454853560f3ecf24813ffec2fc1b3b018839e92ed01752d8e9c204a9a8936d706bcd94a5d23cf6e462b2ef26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap3079.exe
Filesize
712KB

MD5
e527718cedcf9d1444cd8f8133e55861

SHA1
1e064b074beaeb7285695c65f277d1f86426495b

SHA256
aceef13ebf4d87c8fac5203220b01be4cda20de4cdb08735234fb86a42310e6c

SHA512
d46cad7b42231d04a660eb0736a32235633e348b454853560f3ecf24813ffec2fc1b3b018839e92ed01752d8e9c204a9a8936d706bcd94a5d23cf6e462b2ef26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w70Xh14.exe
Filesize
383KB

MD5
d41f38b585d51cc6b6e61a1222283a0a

SHA1
5301ee9093fd584b0aaf307299b7ca22a08dec79

SHA256
1eff2bac0209ae3cd0d7a05901580fa0b2e032cde24f4fb5f9a640299e9bbb92

SHA512
e5bff8335608f604f73f7cbf5a6c70da6002ed6b9b2b47802775330a7597a9490505e8d18d05afab43e66503ef368ad36300fbcaf6c7a9836cd1c4d43609c60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w70Xh14.exe
Filesize
383KB

MD5
d41f38b585d51cc6b6e61a1222283a0a

SHA1
5301ee9093fd584b0aaf307299b7ca22a08dec79

SHA256
1eff2bac0209ae3cd0d7a05901580fa0b2e032cde24f4fb5f9a640299e9bbb92

SHA512
e5bff8335608f604f73f7cbf5a6c70da6002ed6b9b2b47802775330a7597a9490505e8d18d05afab43e66503ef368ad36300fbcaf6c7a9836cd1c4d43609c60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1587.exe
Filesize
352KB

MD5
fcf738b43ee7a989b237bd9e0c95e4cb

SHA1
20e14a5742e56b29f6cfbae08ed2feba188c29d9

SHA256
88cfd63b96a843f6aa85cc697dcfb34259bda58746898ff24059cdf05b6bda4e

SHA512
a3eb33cd1e0eae628ae6e88ba15ec0ca0719fbc83547432b9657c93a725d17645720a8ae4fd931a14aef7743835edf2aed256525dcafaadfbc02cdcd97f50a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1587.exe
Filesize
352KB

MD5
fcf738b43ee7a989b237bd9e0c95e4cb

SHA1
20e14a5742e56b29f6cfbae08ed2feba188c29d9

SHA256
88cfd63b96a843f6aa85cc697dcfb34259bda58746898ff24059cdf05b6bda4e

SHA512
a3eb33cd1e0eae628ae6e88ba15ec0ca0719fbc83547432b9657c93a725d17645720a8ae4fd931a14aef7743835edf2aed256525dcafaadfbc02cdcd97f50a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1369.exe
Filesize
11KB

MD5
eae1894e0f1680f5c7a6c34400cd946b

SHA1
aab547803952f7c3a79cb5eec8e0431413350b4d

SHA256
7319ce126640102ebaedd3416de37e8159f6725a54677c1e655c75cbb8ecac96

SHA512
9436f113f8246f90297e766cd843c083f3f1d9c213512f68da754fb1c6e623923cab134fd9a6743ad2cb80c855555e73ec30c12f288b6b482af8a340a002ecc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1369.exe
Filesize
11KB

MD5
eae1894e0f1680f5c7a6c34400cd946b

SHA1
aab547803952f7c3a79cb5eec8e0431413350b4d

SHA256
7319ce126640102ebaedd3416de37e8159f6725a54677c1e655c75cbb8ecac96

SHA512
9436f113f8246f90297e766cd843c083f3f1d9c213512f68da754fb1c6e623923cab134fd9a6743ad2cb80c855555e73ec30c12f288b6b482af8a340a002ecc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3317FC.exe
Filesize
325KB

MD5
d90ec946a4da825c50b656a0357f2203

SHA1
5b542a937939c8e4a55c0c0b3c7e4b52ad02d3b7

SHA256
1ceba7a813f50ba01fe7cca6bdcda7304884193e6f8bff636dd17ee96295d7b2

SHA512
77e71974fa7b0c5f98878a1b1038f4acc19788d435511acfd346e78fc5321827001b8f830db696d0903578bac0bbcc7862b6447fe400be07073896da83f96ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3317FC.exe
Filesize
325KB

MD5
d90ec946a4da825c50b656a0357f2203

SHA1
5b542a937939c8e4a55c0c0b3c7e4b52ad02d3b7

SHA256
1ceba7a813f50ba01fe7cca6bdcda7304884193e6f8bff636dd17ee96295d7b2

SHA512
77e71974fa7b0c5f98878a1b1038f4acc19788d435511acfd346e78fc5321827001b8f830db696d0903578bac0bbcc7862b6447fe400be07073896da83f96ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
9ef702508d24345fe55dbd39e2a428e7

SHA1
aa8aa2fb5b1e308a40ef12e2a968597b1b6ebaed

SHA256
d6e68f73073334a02e4ea341414a8857119208b91772a13e25a7980bd9545b53

SHA512
3042534e9091d7e0073e58247a4f4b552d13664f6f925c536fb62bfe4dc0382921fe98c6c323ee0cbfffb0c1d753b11642d2f677d86e32b4956bdac8bb4bfeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
9ef702508d24345fe55dbd39e2a428e7

SHA1
aa8aa2fb5b1e308a40ef12e2a968597b1b6ebaed

SHA256
d6e68f73073334a02e4ea341414a8857119208b91772a13e25a7980bd9545b53

SHA512
3042534e9091d7e0073e58247a4f4b552d13664f6f925c536fb62bfe4dc0382921fe98c6c323ee0cbfffb0c1d753b11642d2f677d86e32b4956bdac8bb4bfeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
9ef702508d24345fe55dbd39e2a428e7

SHA1
aa8aa2fb5b1e308a40ef12e2a968597b1b6ebaed

SHA256
d6e68f73073334a02e4ea341414a8857119208b91772a13e25a7980bd9545b53

SHA512
3042534e9091d7e0073e58247a4f4b552d13664f6f925c536fb62bfe4dc0382921fe98c6c323ee0cbfffb0c1d753b11642d2f677d86e32b4956bdac8bb4bfeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
9ef702508d24345fe55dbd39e2a428e7

SHA1
aa8aa2fb5b1e308a40ef12e2a968597b1b6ebaed

SHA256
d6e68f73073334a02e4ea341414a8857119208b91772a13e25a7980bd9545b53

SHA512
3042534e9091d7e0073e58247a4f4b552d13664f6f925c536fb62bfe4dc0382921fe98c6c323ee0cbfffb0c1d753b11642d2f677d86e32b4956bdac8bb4bfeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
9ef702508d24345fe55dbd39e2a428e7

SHA1
aa8aa2fb5b1e308a40ef12e2a968597b1b6ebaed

SHA256
d6e68f73073334a02e4ea341414a8857119208b91772a13e25a7980bd9545b53

SHA512
3042534e9091d7e0073e58247a4f4b552d13664f6f925c536fb62bfe4dc0382921fe98c6c323ee0cbfffb0c1d753b11642d2f677d86e32b4956bdac8bb4bfeac

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/524-1141-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/524-1140-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/524-1139-0x0000000000F60000-0x0000000000F92000-memory.dmp

Filesize
200KB

Download
memory/1536-167-0x0000000007360000-0x0000000007904000-memory.dmp

Filesize
5.6MB

Download
memory/1536-196-0x0000000002C80000-0x0000000002CAD000-memory.dmp

Filesize
180KB

Download
memory/1536-197-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/1536-198-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/1536-199-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/1536-200-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/1536-201-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/1536-203-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/1536-204-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/1536-195-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/1536-193-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/1536-191-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/1536-189-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/1536-187-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/1536-185-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/1536-183-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/1536-181-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/1536-179-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/1536-175-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/1536-177-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/1536-173-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/1536-171-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/1536-169-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/1536-168-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/4420-218-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4420-236-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4420-238-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4420-240-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4420-242-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4420-244-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4420-246-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4420-1119-0x0000000007790000-0x0000000007DA8000-memory.dmp

Filesize
6.1MB

Download
memory/4420-1120-0x0000000007E30000-0x0000000007F3A000-memory.dmp

Filesize
1.0MB

Download
memory/4420-1121-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/4420-1122-0x0000000007F90000-0x0000000007FCC000-memory.dmp

Filesize
240KB

Download
memory/4420-1123-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4420-1125-0x0000000008280000-0x0000000008312000-memory.dmp

Filesize
584KB

Download
memory/4420-1126-0x0000000008320000-0x0000000008386000-memory.dmp

Filesize
408KB

Download
memory/4420-1127-0x0000000008C60000-0x0000000008CD6000-memory.dmp

Filesize
472KB

Download
memory/4420-1128-0x0000000008CF0000-0x0000000008D40000-memory.dmp

Filesize
320KB

Download
memory/4420-1129-0x0000000008D60000-0x0000000008F22000-memory.dmp

Filesize
1.8MB

Download
memory/4420-1131-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4420-1130-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4420-1132-0x0000000008F40000-0x000000000946C000-memory.dmp

Filesize
5.2MB

Download
memory/4420-234-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4420-232-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4420-230-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4420-228-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4420-226-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4420-224-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4420-222-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4420-220-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4420-216-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4420-214-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4420-213-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4420-212-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4420-210-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4420-211-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4420-209-0x0000000002B90000-0x0000000002BDB000-memory.dmp

Filesize
300KB

Download
memory/4420-1134-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4632-161-0x0000000000C50000-0x0000000000C5A000-memory.dmp

Filesize
40KB

Download