amadey | 995154d1aab232c99a38fb38887817c45497434ba01133692f670d96cd3c95a3

Analysis

max time kernel
144s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

995154d1aab232c99a38fb38887817c45497434ba01133692f670d96cd3c95a3.exe
Size

1.0MB
MD5

b2d12f80fd2e690ff72c44a4f5a39cd6
SHA1

e1d9b8f9e005da4935de270a71a8a74a5ac9d1f2
SHA256

995154d1aab232c99a38fb38887817c45497434ba01133692f670d96cd3c95a3
SHA512

d192c01feb6b46ea52b432fe6057f283d63b419dab1660c5ce361dc56459392a700f349af559d779a21897fe3d2d20613a3667e40212d1be31f8eb572e7d71be
SSDEEP

24576:7ye+HbZAGiNRQWN99mCtFi1B7/v3rWFNL5TiD7SF:ue+7m8WNvZtWrWFlRL

Score

10^/10

amadey redline boris netu discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

netu

193.233.20.32:4125

Attributes

auth_value
9641925ae487005582b5cf30476dd305

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v2201np.exetz7055.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v2201np.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v2201np.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz7055.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz7055.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz7055.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz7055.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v2201np.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v2201np.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz7055.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz7055.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v2201np.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v2201np.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4936-211-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/4936-210-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/4936-213-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/4936-221-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/4936-223-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/4936-217-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/4936-225-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/4936-227-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/4936-229-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/4936-231-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/4936-233-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/4936-235-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/4936-237-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/4936-239-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/4936-241-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/4936-243-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/4936-245-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/4936-247-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y42fh23.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	y42fh23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 11 IoCs

Processes:

zap6760.exezap7357.exezap0762.exetz7055.exev2201np.exew35Dw84.exexUtPR00.exey42fh23.exelegenda.exelegenda.exelegenda.exe

pid	process
2472	zap6760.exe
2124	zap7357.exe
2724	zap0762.exe
4408	tz7055.exe
216	v2201np.exe
4936	w35Dw84.exe
5092	xUtPR00.exe
3672	y42fh23.exe
1204	legenda.exe
1476	legenda.exe
4412	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4136 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4136	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz7055.exev2201np.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz7055.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v2201np.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v2201np.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap0762.exe995154d1aab232c99a38fb38887817c45497434ba01133692f670d96cd3c95a3.exezap6760.exezap7357.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap0762.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap0762.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	995154d1aab232c99a38fb38887817c45497434ba01133692f670d96cd3c95a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	995154d1aab232c99a38fb38887817c45497434ba01133692f670d96cd3c95a3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap6760.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7357.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap7357.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4832 216 WerFault.exe v2201np.exe
2876 4936 WerFault.exe w35Dw84.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1308 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz7055.exev2201np.exew35Dw84.exexUtPR00.exe

pid process

4408 tz7055.exe
4408 tz7055.exe
216 v2201np.exe
216 v2201np.exe
4936 w35Dw84.exe
4936 w35Dw84.exe
5092 xUtPR00.exe
5092 xUtPR00.exe

pid	pid_target	process	target process
4832	216	WerFault.exe	v2201np.exe
2876	4936	WerFault.exe	w35Dw84.exe

pid	process
1308	schtasks.exe

pid	process
4408	tz7055.exe
4408	tz7055.exe
216	v2201np.exe
216	v2201np.exe
4936	w35Dw84.exe
4936	w35Dw84.exe
5092	xUtPR00.exe
5092	xUtPR00.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz7055.exev2201np.exew35Dw84.exexUtPR00.exe

description	pid	process
Token: SeDebugPrivilege	4408	tz7055.exe
Token: SeDebugPrivilege	216	v2201np.exe
Token: SeDebugPrivilege	4936	w35Dw84.exe
Token: SeDebugPrivilege	5092	xUtPR00.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

995154d1aab232c99a38fb38887817c45497434ba01133692f670d96cd3c95a3.exezap6760.exezap7357.exezap0762.exey42fh23.exelegenda.execmd.exe

description	pid	process	target process
PID 1084 wrote to memory of 2472	1084	995154d1aab232c99a38fb38887817c45497434ba01133692f670d96cd3c95a3.exe	zap6760.exe
PID 1084 wrote to memory of 2472	1084	995154d1aab232c99a38fb38887817c45497434ba01133692f670d96cd3c95a3.exe	zap6760.exe
PID 1084 wrote to memory of 2472	1084	995154d1aab232c99a38fb38887817c45497434ba01133692f670d96cd3c95a3.exe	zap6760.exe
PID 2472 wrote to memory of 2124	2472	zap6760.exe	zap7357.exe
PID 2472 wrote to memory of 2124	2472	zap6760.exe	zap7357.exe
PID 2472 wrote to memory of 2124	2472	zap6760.exe	zap7357.exe
PID 2124 wrote to memory of 2724	2124	zap7357.exe	zap0762.exe
PID 2124 wrote to memory of 2724	2124	zap7357.exe	zap0762.exe
PID 2124 wrote to memory of 2724	2124	zap7357.exe	zap0762.exe
PID 2724 wrote to memory of 4408	2724	zap0762.exe	tz7055.exe
PID 2724 wrote to memory of 4408	2724	zap0762.exe	tz7055.exe
PID 2724 wrote to memory of 216	2724	zap0762.exe	v2201np.exe
PID 2724 wrote to memory of 216	2724	zap0762.exe	v2201np.exe
PID 2724 wrote to memory of 216	2724	zap0762.exe	v2201np.exe
PID 2124 wrote to memory of 4936	2124	zap7357.exe	w35Dw84.exe
PID 2124 wrote to memory of 4936	2124	zap7357.exe	w35Dw84.exe
PID 2124 wrote to memory of 4936	2124	zap7357.exe	w35Dw84.exe
PID 2472 wrote to memory of 5092	2472	zap6760.exe	xUtPR00.exe
PID 2472 wrote to memory of 5092	2472	zap6760.exe	xUtPR00.exe
PID 2472 wrote to memory of 5092	2472	zap6760.exe	xUtPR00.exe
PID 1084 wrote to memory of 3672	1084	995154d1aab232c99a38fb38887817c45497434ba01133692f670d96cd3c95a3.exe	y42fh23.exe
PID 1084 wrote to memory of 3672	1084	995154d1aab232c99a38fb38887817c45497434ba01133692f670d96cd3c95a3.exe	y42fh23.exe
PID 1084 wrote to memory of 3672	1084	995154d1aab232c99a38fb38887817c45497434ba01133692f670d96cd3c95a3.exe	y42fh23.exe
PID 3672 wrote to memory of 1204	3672	y42fh23.exe	legenda.exe
PID 3672 wrote to memory of 1204	3672	y42fh23.exe	legenda.exe
PID 3672 wrote to memory of 1204	3672	y42fh23.exe	legenda.exe
PID 1204 wrote to memory of 1308	1204	legenda.exe	schtasks.exe
PID 1204 wrote to memory of 1308	1204	legenda.exe	schtasks.exe
PID 1204 wrote to memory of 1308	1204	legenda.exe	schtasks.exe
PID 1204 wrote to memory of 2352	1204	legenda.exe	cmd.exe
PID 1204 wrote to memory of 2352	1204	legenda.exe	cmd.exe
PID 1204 wrote to memory of 2352	1204	legenda.exe	cmd.exe
PID 2352 wrote to memory of 3816	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 3816	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 3816	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4956	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 4956	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 4956	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 1064	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 1064	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 1064	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 632	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 632	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 632	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 2004	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 2004	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 2004	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 2188	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 2188	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 2188	2352	cmd.exe	cacls.exe
PID 1204 wrote to memory of 4136	1204	legenda.exe	rundll32.exe
PID 1204 wrote to memory of 4136	1204	legenda.exe	rundll32.exe
PID 1204 wrote to memory of 4136	1204	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\995154d1aab232c99a38fb38887817c45497434ba01133692f670d96cd3c95a3.exe
"C:\Users\Admin\AppData\Local\Temp\995154d1aab232c99a38fb38887817c45497434ba01133692f670d96cd3c95a3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6760.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6760.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2472

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7357.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7357.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2124

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0762.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0762.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7055.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7055.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2201np.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2201np.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1008
6⤵
- Program crash
PID:4832

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w35Dw84.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w35Dw84.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 1340
5⤵
- Program crash
PID:2876

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUtPR00.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUtPR00.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y42fh23.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y42fh23.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:1308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3816

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:4956

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:1064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:632

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:2004

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:2188

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 216 -ip 216
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4936 -ip 4936
1⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:1476

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y42fh23.exe
Filesize
235KB

MD5
186c1e2614cbb87d6f72f2b5e3058394

SHA1
d3f022ba946ce30433bcb6342382442f6e229677

SHA256
6a2f638889f8f931d13ed372f18345c2d3ccd6a2451d74e7181fb49362db1296

SHA512
d8c50a5a89b561fb26a515f5f415d00707825f7d41cec15232bb63b104f284e96e77624120dc2e2ce4fa0710b91e4c737c7ef1a73cee1460023efb30d4c2159d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y42fh23.exe
Filesize
235KB

MD5
186c1e2614cbb87d6f72f2b5e3058394

SHA1
d3f022ba946ce30433bcb6342382442f6e229677

SHA256
6a2f638889f8f931d13ed372f18345c2d3ccd6a2451d74e7181fb49362db1296

SHA512
d8c50a5a89b561fb26a515f5f415d00707825f7d41cec15232bb63b104f284e96e77624120dc2e2ce4fa0710b91e4c737c7ef1a73cee1460023efb30d4c2159d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6760.exe
Filesize
855KB

MD5
b3ef6716efdf741713404f18a116f849

SHA1
ba9f1c4711d5a9c56b6e1c7d5c18b4333526e376

SHA256
d5ea377410a66211d3069b8ffcde86fdb6f09f0c9dee1c662d6f8c63178474f8

SHA512
d0b9b2f1545af86aae12c3010f208d75a927c7548def173d9106355093e0d6a0f980d3fc4ff1f077903ed372cb3086412ca368e6f2fbfe9f299560eaef34969f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6760.exe
Filesize
855KB

MD5
b3ef6716efdf741713404f18a116f849

SHA1
ba9f1c4711d5a9c56b6e1c7d5c18b4333526e376

SHA256
d5ea377410a66211d3069b8ffcde86fdb6f09f0c9dee1c662d6f8c63178474f8

SHA512
d0b9b2f1545af86aae12c3010f208d75a927c7548def173d9106355093e0d6a0f980d3fc4ff1f077903ed372cb3086412ca368e6f2fbfe9f299560eaef34969f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUtPR00.exe
Filesize
175KB

MD5
80e1517777557781b0316336147c57ec

SHA1
467824257355c5bc2f27f5b08239996aede6c5d1

SHA256
9bf34580ec14f844a9a43949bdb9119c84274504ce3b10a19f14756bdde9bd3c

SHA512
1f52f0a3f9bdb73b721d83031cafffd5b8b53d6b1ac44b4a3f7865ff8f52459513f115ba781c51c31935f989155c1e508df308a147d3e08a9845685572676e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUtPR00.exe
Filesize
175KB

MD5
80e1517777557781b0316336147c57ec

SHA1
467824257355c5bc2f27f5b08239996aede6c5d1

SHA256
9bf34580ec14f844a9a43949bdb9119c84274504ce3b10a19f14756bdde9bd3c

SHA512
1f52f0a3f9bdb73b721d83031cafffd5b8b53d6b1ac44b4a3f7865ff8f52459513f115ba781c51c31935f989155c1e508df308a147d3e08a9845685572676e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7357.exe
Filesize
713KB

MD5
940e22ddddefb08072745208b35b150a

SHA1
1c5865a1a810bdbd85f5fb82ee51c004d1254bc8

SHA256
51ad49e362c2656e1a6f22d453f8476ccc24831d364162baff77e89a733d2720

SHA512
c97402a831e48d6e08dc1df932948579ef66c38405a4751095efb5410534f482608ca622383da2e72cc5749673629c93a938b24f8eb8961463ce645feeb5971b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7357.exe
Filesize
713KB

MD5
940e22ddddefb08072745208b35b150a

SHA1
1c5865a1a810bdbd85f5fb82ee51c004d1254bc8

SHA256
51ad49e362c2656e1a6f22d453f8476ccc24831d364162baff77e89a733d2720

SHA512
c97402a831e48d6e08dc1df932948579ef66c38405a4751095efb5410534f482608ca622383da2e72cc5749673629c93a938b24f8eb8961463ce645feeb5971b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w35Dw84.exe
Filesize
383KB

MD5
2b21f8c7b4a1dc5db36c055293b9bb73

SHA1
405c20706e91b8efdf04d9cd468ee04ab9dfbb55

SHA256
5f2635cc01f7931717cc866b37cd463b853970c137e1620826b10a829eea17b4

SHA512
7af733c04dd23b732adfa175c21bfd49cdf3dc51769d075c040847cf9abea7f0f2aef4728ad989acbb6a7ce9d9e2e98b470cbeb9ac7a44ecee699a83666c59e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w35Dw84.exe
Filesize
383KB

MD5
2b21f8c7b4a1dc5db36c055293b9bb73

SHA1
405c20706e91b8efdf04d9cd468ee04ab9dfbb55

SHA256
5f2635cc01f7931717cc866b37cd463b853970c137e1620826b10a829eea17b4

SHA512
7af733c04dd23b732adfa175c21bfd49cdf3dc51769d075c040847cf9abea7f0f2aef4728ad989acbb6a7ce9d9e2e98b470cbeb9ac7a44ecee699a83666c59e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0762.exe
Filesize
352KB

MD5
82ff2684423ac767a52d6c0314430a34

SHA1
1912f4a5a2fb9b2bc844b78d6fc2eb2baa58070b

SHA256
b9946a7392a8e98e06b15e882b6defdc3c4a12fcc597a911da731a41b775798c

SHA512
03509ba86b9a3868c539155e2e2a063e550e87722efabd53db335390708e43d4ddf390d9ef6dc444ec837f8e37f45c9724f54f7ea635880fe047fb3dff64b830

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0762.exe
Filesize
352KB

MD5
82ff2684423ac767a52d6c0314430a34

SHA1
1912f4a5a2fb9b2bc844b78d6fc2eb2baa58070b

SHA256
b9946a7392a8e98e06b15e882b6defdc3c4a12fcc597a911da731a41b775798c

SHA512
03509ba86b9a3868c539155e2e2a063e550e87722efabd53db335390708e43d4ddf390d9ef6dc444ec837f8e37f45c9724f54f7ea635880fe047fb3dff64b830

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7055.exe
Filesize
11KB

MD5
6e9e3d86bad78e70b5499ad54d5f6024

SHA1
cec0fa05d527e64e4a67c1c7d3e9faaa0b6fc095

SHA256
653b601d2f184028af2daa11d2b8fb0f3edf7c3bc63b321e1841929cceb73bac

SHA512
87af46a2d6ded27f4c57722a157c81a29e08d2aa2fd05a7b5a433ea1b02d5e35ef2d221a4ce9e5be99137d88e7498a205c7ef56aafd72e5b8116d59b369e97c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7055.exe
Filesize
11KB

MD5
6e9e3d86bad78e70b5499ad54d5f6024

SHA1
cec0fa05d527e64e4a67c1c7d3e9faaa0b6fc095

SHA256
653b601d2f184028af2daa11d2b8fb0f3edf7c3bc63b321e1841929cceb73bac

SHA512
87af46a2d6ded27f4c57722a157c81a29e08d2aa2fd05a7b5a433ea1b02d5e35ef2d221a4ce9e5be99137d88e7498a205c7ef56aafd72e5b8116d59b369e97c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2201np.exe
Filesize
325KB

MD5
ce8194b7b02423a7ee9492bf03c806d1

SHA1
a20b405d0dea65257ae8350c9d6581bca85f9ee3

SHA256
5538406df0ff4ed581d36127e2def606d6208e11391ab9e61fa6082abb1f6992

SHA512
eaafb0f2b1a925215c14f8c7bd1ebad3877bdd3bd2da2217e009904c705d4b3cd0340724e04b91482dac04b0e147462b1c69a9cdfee2d0bc8d994ccff8943a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2201np.exe
Filesize
325KB

MD5
ce8194b7b02423a7ee9492bf03c806d1

SHA1
a20b405d0dea65257ae8350c9d6581bca85f9ee3

SHA256
5538406df0ff4ed581d36127e2def606d6208e11391ab9e61fa6082abb1f6992

SHA512
eaafb0f2b1a925215c14f8c7bd1ebad3877bdd3bd2da2217e009904c705d4b3cd0340724e04b91482dac04b0e147462b1c69a9cdfee2d0bc8d994ccff8943a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
186c1e2614cbb87d6f72f2b5e3058394

SHA1
d3f022ba946ce30433bcb6342382442f6e229677

SHA256
6a2f638889f8f931d13ed372f18345c2d3ccd6a2451d74e7181fb49362db1296

SHA512
d8c50a5a89b561fb26a515f5f415d00707825f7d41cec15232bb63b104f284e96e77624120dc2e2ce4fa0710b91e4c737c7ef1a73cee1460023efb30d4c2159d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
186c1e2614cbb87d6f72f2b5e3058394

SHA1
d3f022ba946ce30433bcb6342382442f6e229677

SHA256
6a2f638889f8f931d13ed372f18345c2d3ccd6a2451d74e7181fb49362db1296

SHA512
d8c50a5a89b561fb26a515f5f415d00707825f7d41cec15232bb63b104f284e96e77624120dc2e2ce4fa0710b91e4c737c7ef1a73cee1460023efb30d4c2159d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
186c1e2614cbb87d6f72f2b5e3058394

SHA1
d3f022ba946ce30433bcb6342382442f6e229677

SHA256
6a2f638889f8f931d13ed372f18345c2d3ccd6a2451d74e7181fb49362db1296

SHA512
d8c50a5a89b561fb26a515f5f415d00707825f7d41cec15232bb63b104f284e96e77624120dc2e2ce4fa0710b91e4c737c7ef1a73cee1460023efb30d4c2159d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
186c1e2614cbb87d6f72f2b5e3058394

SHA1
d3f022ba946ce30433bcb6342382442f6e229677

SHA256
6a2f638889f8f931d13ed372f18345c2d3ccd6a2451d74e7181fb49362db1296

SHA512
d8c50a5a89b561fb26a515f5f415d00707825f7d41cec15232bb63b104f284e96e77624120dc2e2ce4fa0710b91e4c737c7ef1a73cee1460023efb30d4c2159d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
186c1e2614cbb87d6f72f2b5e3058394

SHA1
d3f022ba946ce30433bcb6342382442f6e229677

SHA256
6a2f638889f8f931d13ed372f18345c2d3ccd6a2451d74e7181fb49362db1296

SHA512
d8c50a5a89b561fb26a515f5f415d00707825f7d41cec15232bb63b104f284e96e77624120dc2e2ce4fa0710b91e4c737c7ef1a73cee1460023efb30d4c2159d

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/216-185-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

Filesize
72KB

Download
memory/216-175-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

Filesize
72KB

Download
memory/216-191-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

Filesize
72KB

Download
memory/216-193-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

Filesize
72KB

Download
memory/216-195-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

Filesize
72KB

Download
memory/216-197-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

Filesize
72KB

Download
memory/216-198-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/216-199-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/216-200-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/216-201-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/216-203-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/216-204-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/216-205-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/216-167-0x0000000002DA0000-0x0000000002DCD000-memory.dmp

Filesize
180KB

Download
memory/216-187-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

Filesize
72KB

Download
memory/216-183-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

Filesize
72KB

Download
memory/216-181-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

Filesize
72KB

Download
memory/216-179-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

Filesize
72KB

Download
memory/216-177-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

Filesize
72KB

Download
memory/216-189-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

Filesize
72KB

Download
memory/216-173-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

Filesize
72KB

Download
memory/216-171-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

Filesize
72KB

Download
memory/216-170-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

Filesize
72KB

Download
memory/216-169-0x00000000072D0000-0x0000000007874000-memory.dmp

Filesize
5.6MB

Download
memory/216-168-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/4408-161-0x00000000008F0000-0x00000000008FA000-memory.dmp

Filesize
40KB

Download
memory/4936-218-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/4936-1130-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/4936-233-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4936-235-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4936-237-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4936-239-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4936-241-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4936-243-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4936-245-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4936-247-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4936-1120-0x0000000007920000-0x0000000007F38000-memory.dmp

Filesize
6.1MB

Download
memory/4936-1121-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/4936-1122-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/4936-1123-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/4936-1124-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/4936-1126-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/4936-1127-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/4936-1128-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/4936-1129-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/4936-231-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4936-1131-0x0000000008DC0000-0x0000000008E36000-memory.dmp

Filesize
472KB

Download
memory/4936-1132-0x0000000008E50000-0x0000000008EA0000-memory.dmp

Filesize
320KB

Download
memory/4936-1134-0x0000000009000000-0x00000000091C2000-memory.dmp

Filesize
1.8MB

Download
memory/4936-1133-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/4936-229-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4936-1135-0x00000000091D0000-0x00000000096FC000-memory.dmp

Filesize
5.2MB

Download
memory/4936-211-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4936-210-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4936-227-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4936-225-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4936-217-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4936-223-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4936-221-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4936-220-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/4936-213-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4936-216-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/4936-215-0x0000000002C70000-0x0000000002CBB000-memory.dmp

Filesize
300KB

Download
memory/5092-1142-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/5092-1141-0x00000000000F0000-0x0000000000122000-memory.dmp

Filesize
200KB

Download