amadey | 9b1d9638dcd5de847cb9ec0f1ffd6c618aa384668b8c8e4fc749e75c6edeb776

Analysis

max time kernel
141s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b1d9638dcd5de847cb9ec0f1ffd6c618aa384668b8c8e4fc749e75c6edeb776.exe
Size

1.0MB
MD5

d7be7b1df427a0af232be0f6d3d2fec2
SHA1

d6b1640cf4408e106dbcafed80de987b959e3f8c
SHA256

9b1d9638dcd5de847cb9ec0f1ffd6c618aa384668b8c8e4fc749e75c6edeb776
SHA512

0c849ccb6ff3e66988f8a897aab331eabe8b015656829b51e1c7bb0d5a266a2c215b42dc82d9965aa3b9bd0590c4dd5ff86385bea1c1bd363bacca9cca7724a1
SSDEEP

12288:FMrFy90ugmRfBiXZOhNdLmnaqTu80FQ1QlIyYclFMx3727MMXBRTyywXCu6etVrH:wyz+ZOBLmX51QqcP83aXWPCZetpDD

Score

10^/10

amadey redline boris netu discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

netu

193.233.20.32:4125

Attributes

auth_value
9641925ae487005582b5cf30476dd305

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v2109gZ.exetz1204.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v2109gZ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v2109gZ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v2109gZ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v2109gZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz1204.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz1204.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz1204.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz1204.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v2109gZ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v2109gZ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz1204.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz1204.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2628-210-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/2628-211-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/2628-213-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/2628-215-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/2628-217-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/2628-219-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/2628-221-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/2628-223-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/2628-225-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/2628-228-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/2628-232-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/2628-234-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/2628-236-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/2628-238-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/2628-240-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/2628-242-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/2628-244-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/2628-246-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

legenda.exey13KG90.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	legenda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	y13KG90.exe

Executes dropped EXE 11 IoCs

Processes:

zap8075.exezap8726.exezap1910.exetz1204.exev2109gZ.exew79Eb05.exexHZkj11.exey13KG90.exelegenda.exelegenda.exelegenda.exe

pid	process
2596	zap8075.exe
4280	zap8726.exe
4376	zap1910.exe
4700	tz1204.exe
4744	v2109gZ.exe
2628	w79Eb05.exe
5016	xHZkj11.exe
2684	y13KG90.exe
3960	legenda.exe
1648	legenda.exe
4488	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3992 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3992	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz1204.exev2109gZ.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz1204.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v2109gZ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v2109gZ.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap8075.exezap8726.exezap1910.exe9b1d9638dcd5de847cb9ec0f1ffd6c618aa384668b8c8e4fc749e75c6edeb776.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8075.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap8075.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8726.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap8726.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1910.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap1910.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9b1d9638dcd5de847cb9ec0f1ffd6c618aa384668b8c8e4fc749e75c6edeb776.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9b1d9638dcd5de847cb9ec0f1ffd6c618aa384668b8c8e4fc749e75c6edeb776.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3616 4744 WerFault.exe v2109gZ.exe
2056 2628 WerFault.exe w79Eb05.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

448 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz1204.exev2109gZ.exew79Eb05.exexHZkj11.exe

pid process

4700 tz1204.exe
4700 tz1204.exe
4744 v2109gZ.exe
4744 v2109gZ.exe
2628 w79Eb05.exe
2628 w79Eb05.exe
5016 xHZkj11.exe
5016 xHZkj11.exe

pid	pid_target	process	target process
3616	4744	WerFault.exe	v2109gZ.exe
2056	2628	WerFault.exe	w79Eb05.exe

pid	process
448	schtasks.exe

pid	process
4700	tz1204.exe
4700	tz1204.exe
4744	v2109gZ.exe
4744	v2109gZ.exe
2628	w79Eb05.exe
2628	w79Eb05.exe
5016	xHZkj11.exe
5016	xHZkj11.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz1204.exev2109gZ.exew79Eb05.exexHZkj11.exe

description	pid	process
Token: SeDebugPrivilege	4700	tz1204.exe
Token: SeDebugPrivilege	4744	v2109gZ.exe
Token: SeDebugPrivilege	2628	w79Eb05.exe
Token: SeDebugPrivilege	5016	xHZkj11.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

9b1d9638dcd5de847cb9ec0f1ffd6c618aa384668b8c8e4fc749e75c6edeb776.exezap8075.exezap8726.exezap1910.exey13KG90.exelegenda.execmd.exe

description	pid	process	target process
PID 4784 wrote to memory of 2596	4784	9b1d9638dcd5de847cb9ec0f1ffd6c618aa384668b8c8e4fc749e75c6edeb776.exe	zap8075.exe
PID 4784 wrote to memory of 2596	4784	9b1d9638dcd5de847cb9ec0f1ffd6c618aa384668b8c8e4fc749e75c6edeb776.exe	zap8075.exe
PID 4784 wrote to memory of 2596	4784	9b1d9638dcd5de847cb9ec0f1ffd6c618aa384668b8c8e4fc749e75c6edeb776.exe	zap8075.exe
PID 2596 wrote to memory of 4280	2596	zap8075.exe	zap8726.exe
PID 2596 wrote to memory of 4280	2596	zap8075.exe	zap8726.exe
PID 2596 wrote to memory of 4280	2596	zap8075.exe	zap8726.exe
PID 4280 wrote to memory of 4376	4280	zap8726.exe	zap1910.exe
PID 4280 wrote to memory of 4376	4280	zap8726.exe	zap1910.exe
PID 4280 wrote to memory of 4376	4280	zap8726.exe	zap1910.exe
PID 4376 wrote to memory of 4700	4376	zap1910.exe	tz1204.exe
PID 4376 wrote to memory of 4700	4376	zap1910.exe	tz1204.exe
PID 4376 wrote to memory of 4744	4376	zap1910.exe	v2109gZ.exe
PID 4376 wrote to memory of 4744	4376	zap1910.exe	v2109gZ.exe
PID 4376 wrote to memory of 4744	4376	zap1910.exe	v2109gZ.exe
PID 4280 wrote to memory of 2628	4280	zap8726.exe	w79Eb05.exe
PID 4280 wrote to memory of 2628	4280	zap8726.exe	w79Eb05.exe
PID 4280 wrote to memory of 2628	4280	zap8726.exe	w79Eb05.exe
PID 2596 wrote to memory of 5016	2596	zap8075.exe	xHZkj11.exe
PID 2596 wrote to memory of 5016	2596	zap8075.exe	xHZkj11.exe
PID 2596 wrote to memory of 5016	2596	zap8075.exe	xHZkj11.exe
PID 4784 wrote to memory of 2684	4784	9b1d9638dcd5de847cb9ec0f1ffd6c618aa384668b8c8e4fc749e75c6edeb776.exe	y13KG90.exe
PID 4784 wrote to memory of 2684	4784	9b1d9638dcd5de847cb9ec0f1ffd6c618aa384668b8c8e4fc749e75c6edeb776.exe	y13KG90.exe
PID 4784 wrote to memory of 2684	4784	9b1d9638dcd5de847cb9ec0f1ffd6c618aa384668b8c8e4fc749e75c6edeb776.exe	y13KG90.exe
PID 2684 wrote to memory of 3960	2684	y13KG90.exe	legenda.exe
PID 2684 wrote to memory of 3960	2684	y13KG90.exe	legenda.exe
PID 2684 wrote to memory of 3960	2684	y13KG90.exe	legenda.exe
PID 3960 wrote to memory of 448	3960	legenda.exe	schtasks.exe
PID 3960 wrote to memory of 448	3960	legenda.exe	schtasks.exe
PID 3960 wrote to memory of 448	3960	legenda.exe	schtasks.exe
PID 3960 wrote to memory of 1592	3960	legenda.exe	cmd.exe
PID 3960 wrote to memory of 1592	3960	legenda.exe	cmd.exe
PID 3960 wrote to memory of 1592	3960	legenda.exe	cmd.exe
PID 1592 wrote to memory of 4848	1592	cmd.exe	cmd.exe
PID 1592 wrote to memory of 4848	1592	cmd.exe	cmd.exe
PID 1592 wrote to memory of 4848	1592	cmd.exe	cmd.exe
PID 1592 wrote to memory of 1240	1592	cmd.exe	cacls.exe
PID 1592 wrote to memory of 1240	1592	cmd.exe	cacls.exe
PID 1592 wrote to memory of 1240	1592	cmd.exe	cacls.exe
PID 1592 wrote to memory of 2128	1592	cmd.exe	cacls.exe
PID 1592 wrote to memory of 2128	1592	cmd.exe	cacls.exe
PID 1592 wrote to memory of 2128	1592	cmd.exe	cacls.exe
PID 1592 wrote to memory of 900	1592	cmd.exe	cmd.exe
PID 1592 wrote to memory of 900	1592	cmd.exe	cmd.exe
PID 1592 wrote to memory of 900	1592	cmd.exe	cmd.exe
PID 1592 wrote to memory of 4604	1592	cmd.exe	cacls.exe
PID 1592 wrote to memory of 4604	1592	cmd.exe	cacls.exe
PID 1592 wrote to memory of 4604	1592	cmd.exe	cacls.exe
PID 1592 wrote to memory of 2616	1592	cmd.exe	cacls.exe
PID 1592 wrote to memory of 2616	1592	cmd.exe	cacls.exe
PID 1592 wrote to memory of 2616	1592	cmd.exe	cacls.exe
PID 3960 wrote to memory of 3992	3960	legenda.exe	rundll32.exe
PID 3960 wrote to memory of 3992	3960	legenda.exe	rundll32.exe
PID 3960 wrote to memory of 3992	3960	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\9b1d9638dcd5de847cb9ec0f1ffd6c618aa384668b8c8e4fc749e75c6edeb776.exe
"C:\Users\Admin\AppData\Local\Temp\9b1d9638dcd5de847cb9ec0f1ffd6c618aa384668b8c8e4fc749e75c6edeb776.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4784

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8075.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8075.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2596

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8726.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8726.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4280

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1910.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1910.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4376

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1204.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1204.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2109gZ.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2109gZ.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1080
6⤵
- Program crash
PID:3616

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w79Eb05.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w79Eb05.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 1344
5⤵
- Program crash
PID:2056

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xHZkj11.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xHZkj11.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5016

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y13KG90.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y13KG90.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4848

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:1240

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:900

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:4604

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:2616

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4744 -ip 4744
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2628 -ip 2628
1⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:1648

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y13KG90.exe
Filesize
235KB

MD5
dde52de9dda90800a3ac20cf9c056752

SHA1
54a6151216d9160b14baf6e6f0298a9a178f07e2

SHA256
b47962c1d05d402803ddb85f650fb45361a87e225674d4ae55db9db96b55acb5

SHA512
dff1c7fad5993f9924d5bfccf9077c6541311e553b27887a7f1c6560d4727287403a547d9271ccd2d12f28aa94a62fabdf405cff3248d30173d7d668dd3bbed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y13KG90.exe
Filesize
235KB

MD5
dde52de9dda90800a3ac20cf9c056752

SHA1
54a6151216d9160b14baf6e6f0298a9a178f07e2

SHA256
b47962c1d05d402803ddb85f650fb45361a87e225674d4ae55db9db96b55acb5

SHA512
dff1c7fad5993f9924d5bfccf9077c6541311e553b27887a7f1c6560d4727287403a547d9271ccd2d12f28aa94a62fabdf405cff3248d30173d7d668dd3bbed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8075.exe
Filesize
853KB

MD5
21655c512c40a4b6c723d23fe14ffb24

SHA1
80a486af1e412ac433e15e2827cadbf09100226a

SHA256
995543e6eb68e772fbfe161e11cdf817a63dc4a2687644f430fd2d36ef99a6fa

SHA512
113a85bedeeff181a2db806a6c1cb82ab8481bd25464aae96a5c44e3d08ddd79adb7e06a8a4832b59edc5c6a2d64c3507e49799da7b5b59786407c15695e7848

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8075.exe
Filesize
853KB

MD5
21655c512c40a4b6c723d23fe14ffb24

SHA1
80a486af1e412ac433e15e2827cadbf09100226a

SHA256
995543e6eb68e772fbfe161e11cdf817a63dc4a2687644f430fd2d36ef99a6fa

SHA512
113a85bedeeff181a2db806a6c1cb82ab8481bd25464aae96a5c44e3d08ddd79adb7e06a8a4832b59edc5c6a2d64c3507e49799da7b5b59786407c15695e7848

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xHZkj11.exe
Filesize
175KB

MD5
a29295f7c4a7eeb1b9e5699151d0d52f

SHA1
9b6e0d5a5c9969b72fbcb5b695633f9b007f9469

SHA256
2065602fc412175529d844ed7f050b9691820e48da96a526ed072a2637148ea6

SHA512
ee0bafa8306ac421d4e2a263ee5fb859a161803832ca65225d47be9f1d3254f2700c35c741894274520bd3c85a58e3461eeb22ce0023b40cad0e15a353cf31a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xHZkj11.exe
Filesize
175KB

MD5
a29295f7c4a7eeb1b9e5699151d0d52f

SHA1
9b6e0d5a5c9969b72fbcb5b695633f9b007f9469

SHA256
2065602fc412175529d844ed7f050b9691820e48da96a526ed072a2637148ea6

SHA512
ee0bafa8306ac421d4e2a263ee5fb859a161803832ca65225d47be9f1d3254f2700c35c741894274520bd3c85a58e3461eeb22ce0023b40cad0e15a353cf31a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8726.exe
Filesize
711KB

MD5
cdd7c2bbee64fa88989d249799a5c0f0

SHA1
84e92c4274680b07193dd3fe6a915b787152095f

SHA256
1675b2f95a50591dfb0f32d8515f644155cd107892b2ab4c41cf10f113b61507

SHA512
8683be6351ff8c1cbb4d7843b47d3a439f0d012617eb6a55d0aac20698f0d61a76cf38a3657c9e11a5efba05b6b129f490f7b3bdc4a3e323387113275881e2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap8726.exe
Filesize
711KB

MD5
cdd7c2bbee64fa88989d249799a5c0f0

SHA1
84e92c4274680b07193dd3fe6a915b787152095f

SHA256
1675b2f95a50591dfb0f32d8515f644155cd107892b2ab4c41cf10f113b61507

SHA512
8683be6351ff8c1cbb4d7843b47d3a439f0d012617eb6a55d0aac20698f0d61a76cf38a3657c9e11a5efba05b6b129f490f7b3bdc4a3e323387113275881e2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w79Eb05.exe
Filesize
383KB

MD5
125eb87085707c684923d5b0b1a5b03d

SHA1
8d1d6c7ce32496a326b6426ea5e6cc281727f7fd

SHA256
f039666b0d74154388cf40d5880e1690ec896ac34766e5a0d8151dade5ba53be

SHA512
4accdb6a52280da2392d72caaee582b8b3eaa87600ffbcd13554d6425fe70a4c8dd9bb5d2fac94ee0215bd3c851d2294e03b666a722cb8d429d5d22095e641d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w79Eb05.exe
Filesize
383KB

MD5
125eb87085707c684923d5b0b1a5b03d

SHA1
8d1d6c7ce32496a326b6426ea5e6cc281727f7fd

SHA256
f039666b0d74154388cf40d5880e1690ec896ac34766e5a0d8151dade5ba53be

SHA512
4accdb6a52280da2392d72caaee582b8b3eaa87600ffbcd13554d6425fe70a4c8dd9bb5d2fac94ee0215bd3c851d2294e03b666a722cb8d429d5d22095e641d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1910.exe
Filesize
352KB

MD5
54f08e0a689f0a23e41ed09ac158c1f7

SHA1
f327a14fe0807465a7ba2286513831ef1a9ff4a2

SHA256
281b463fc920c37207428a55e15d4dd44f0ea9c7c58551e5fec22098fc616590

SHA512
7122be0615168cdae9c3724b107edce699545dc2e78e57e8f8e5e438d2fe81c41f9c9246c9ff3c589f8747bb1396b4e4859af6837b5153baab5d5833a2731dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1910.exe
Filesize
352KB

MD5
54f08e0a689f0a23e41ed09ac158c1f7

SHA1
f327a14fe0807465a7ba2286513831ef1a9ff4a2

SHA256
281b463fc920c37207428a55e15d4dd44f0ea9c7c58551e5fec22098fc616590

SHA512
7122be0615168cdae9c3724b107edce699545dc2e78e57e8f8e5e438d2fe81c41f9c9246c9ff3c589f8747bb1396b4e4859af6837b5153baab5d5833a2731dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1204.exe
Filesize
11KB

MD5
f6c748db35c29339034a1672a6c02f79

SHA1
0c6423377f89c8e6d37aa3a6fbdbde986d161b72

SHA256
fec4ec9b89ae6ad25ad5dfc58c6455ffdeb8b1b436eb160cbee971500a2a1dd4

SHA512
99c98b2df9128892612c8fc33389e88e54e40b840a09c1eba0aae5c87ce84beb9d64f8bb8cd6b920d8c94b09a54a9fd40d5f7691cac7d1ac0f93c8b9370ff2f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1204.exe
Filesize
11KB

MD5
f6c748db35c29339034a1672a6c02f79

SHA1
0c6423377f89c8e6d37aa3a6fbdbde986d161b72

SHA256
fec4ec9b89ae6ad25ad5dfc58c6455ffdeb8b1b436eb160cbee971500a2a1dd4

SHA512
99c98b2df9128892612c8fc33389e88e54e40b840a09c1eba0aae5c87ce84beb9d64f8bb8cd6b920d8c94b09a54a9fd40d5f7691cac7d1ac0f93c8b9370ff2f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2109gZ.exe
Filesize
325KB

MD5
7658e20fa6847fcec138f8f22d2fa87f

SHA1
a2100ddee712162755dae87c16fa91571afb0cb5

SHA256
fdc8fff186144e5b78af568ddab0d43133dcb00c4bf7b2347c18b3a554ec45e2

SHA512
bd771e6ea6bbc240ffdd0132d520d5fa5bfc9a54a7698192b06c683c9b9cc37c559b89d1cf7781aecb644922e1d45843ee8dcfdcd46e22346cf6a46222691983

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2109gZ.exe
Filesize
325KB

MD5
7658e20fa6847fcec138f8f22d2fa87f

SHA1
a2100ddee712162755dae87c16fa91571afb0cb5

SHA256
fdc8fff186144e5b78af568ddab0d43133dcb00c4bf7b2347c18b3a554ec45e2

SHA512
bd771e6ea6bbc240ffdd0132d520d5fa5bfc9a54a7698192b06c683c9b9cc37c559b89d1cf7781aecb644922e1d45843ee8dcfdcd46e22346cf6a46222691983

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
dde52de9dda90800a3ac20cf9c056752

SHA1
54a6151216d9160b14baf6e6f0298a9a178f07e2

SHA256
b47962c1d05d402803ddb85f650fb45361a87e225674d4ae55db9db96b55acb5

SHA512
dff1c7fad5993f9924d5bfccf9077c6541311e553b27887a7f1c6560d4727287403a547d9271ccd2d12f28aa94a62fabdf405cff3248d30173d7d668dd3bbed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
dde52de9dda90800a3ac20cf9c056752

SHA1
54a6151216d9160b14baf6e6f0298a9a178f07e2

SHA256
b47962c1d05d402803ddb85f650fb45361a87e225674d4ae55db9db96b55acb5

SHA512
dff1c7fad5993f9924d5bfccf9077c6541311e553b27887a7f1c6560d4727287403a547d9271ccd2d12f28aa94a62fabdf405cff3248d30173d7d668dd3bbed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
dde52de9dda90800a3ac20cf9c056752

SHA1
54a6151216d9160b14baf6e6f0298a9a178f07e2

SHA256
b47962c1d05d402803ddb85f650fb45361a87e225674d4ae55db9db96b55acb5

SHA512
dff1c7fad5993f9924d5bfccf9077c6541311e553b27887a7f1c6560d4727287403a547d9271ccd2d12f28aa94a62fabdf405cff3248d30173d7d668dd3bbed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
dde52de9dda90800a3ac20cf9c056752

SHA1
54a6151216d9160b14baf6e6f0298a9a178f07e2

SHA256
b47962c1d05d402803ddb85f650fb45361a87e225674d4ae55db9db96b55acb5

SHA512
dff1c7fad5993f9924d5bfccf9077c6541311e553b27887a7f1c6560d4727287403a547d9271ccd2d12f28aa94a62fabdf405cff3248d30173d7d668dd3bbed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
dde52de9dda90800a3ac20cf9c056752

SHA1
54a6151216d9160b14baf6e6f0298a9a178f07e2

SHA256
b47962c1d05d402803ddb85f650fb45361a87e225674d4ae55db9db96b55acb5

SHA512
dff1c7fad5993f9924d5bfccf9077c6541311e553b27887a7f1c6560d4727287403a547d9271ccd2d12f28aa94a62fabdf405cff3248d30173d7d668dd3bbed9

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/2628-1127-0x0000000008CA0000-0x0000000008D16000-memory.dmp

Filesize
472KB

Download
memory/2628-242-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/2628-1134-0x0000000004740000-0x0000000004750000-memory.dmp

Filesize
64KB

Download
memory/2628-1133-0x0000000009080000-0x00000000095AC000-memory.dmp

Filesize
5.2MB

Download
memory/2628-1132-0x0000000004740000-0x0000000004750000-memory.dmp

Filesize
64KB

Download
memory/2628-1131-0x0000000004740000-0x0000000004750000-memory.dmp

Filesize
64KB

Download
memory/2628-1130-0x0000000004740000-0x0000000004750000-memory.dmp

Filesize
64KB

Download
memory/2628-1129-0x0000000008EB0000-0x0000000009072000-memory.dmp

Filesize
1.8MB

Download
memory/2628-1128-0x0000000008D30000-0x0000000008D80000-memory.dmp

Filesize
320KB

Download
memory/2628-1126-0x0000000008A80000-0x0000000008B12000-memory.dmp

Filesize
584KB

Download
memory/2628-1125-0x00000000083C0000-0x0000000008426000-memory.dmp

Filesize
408KB

Download
memory/2628-1123-0x0000000004740000-0x0000000004750000-memory.dmp

Filesize
64KB

Download
memory/2628-1122-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/2628-210-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/2628-211-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/2628-213-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/2628-215-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/2628-217-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/2628-219-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/2628-221-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/2628-223-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/2628-225-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/2628-227-0x0000000002B90000-0x0000000002BDB000-memory.dmp

Filesize
300KB

Download
memory/2628-229-0x0000000004740000-0x0000000004750000-memory.dmp

Filesize
64KB

Download
memory/2628-228-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/2628-230-0x0000000004740000-0x0000000004750000-memory.dmp

Filesize
64KB

Download
memory/2628-232-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/2628-234-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/2628-236-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/2628-238-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/2628-240-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/2628-1121-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/2628-244-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/2628-246-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/2628-1119-0x0000000007920000-0x0000000007F38000-memory.dmp

Filesize
6.1MB

Download
memory/2628-1120-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/4700-161-0x0000000000940000-0x000000000094A000-memory.dmp

Filesize
40KB

Download
memory/4744-183-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/4744-189-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/4744-185-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/4744-204-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/4744-187-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/4744-203-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/4744-201-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/4744-200-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/4744-199-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/4744-198-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/4744-197-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/4744-195-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/4744-205-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/4744-191-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/4744-171-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/4744-193-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/4744-181-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/4744-179-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/4744-177-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/4744-175-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/4744-173-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/4744-167-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/4744-170-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/4744-169-0x00000000073B0000-0x0000000007954000-memory.dmp

Filesize
5.6MB

Download
memory/4744-168-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/5016-1140-0x00000000009F0000-0x0000000000A22000-memory.dmp

Filesize
200KB

Download
memory/5016-1141-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download