amadey | 479b6101ebe0c539cff3113d90f21901c96723158ce128aa2bc426edc0e2200c

Analysis

max time kernel
130s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

479b6101ebe0c539cff3113d90f21901c96723158ce128aa2bc426edc0e2200c.exe
Size

1.0MB
MD5

527461187a917cb74cf3d3bd8c612c20
SHA1

3fa001e864c23052ebbdd298e13d5f44cc18afb1
SHA256

479b6101ebe0c539cff3113d90f21901c96723158ce128aa2bc426edc0e2200c
SHA512

2c9a58d8221eb7e22a319e64df4d93c4cc0575e76dc8870cfc04884fe5a330940346e2ff10f52289c6eaa6536e01715c22964cc2fa0bc8374a771287083025a9
SSDEEP

12288:VMrZy90bvy9wv5dYHgjsPgAvBe1x1BLdNdJ0T/2sb2m+GT+r2Ktc+E75U/z7cFFx:ky+ywv5Q1BGNL0Ssqe+rbLQybAx

Score

10^/10

amadey redline boris netu discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

netu

193.233.20.32:4125

Attributes

auth_value
9641925ae487005582b5cf30476dd305

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz8415.exev8862LL.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz8415.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz8415.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v8862LL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v8862LL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v8862LL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v8862LL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz8415.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz8415.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz8415.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v8862LL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v8862LL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz8415.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2184-210-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2184-212-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2184-216-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2184-218-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2184-220-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2184-222-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2184-224-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2184-226-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2184-228-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2184-230-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2184-232-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2184-234-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2184-236-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2184-238-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2184-240-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2184-242-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2184-244-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral1/memory/2184-246-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y36CI10.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	y36CI10.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 11 IoCs

Processes:

zap8222.exezap2849.exezap8138.exetz8415.exev8862LL.exew76mu68.exexnMRV31.exey36CI10.exelegenda.exelegenda.exelegenda.exe

pid	process
404	zap8222.exe
116	zap2849.exe
3032	zap8138.exe
424	tz8415.exe
3772	v8862LL.exe
2184	w76mu68.exe
4448	xnMRV31.exe
3300	y36CI10.exe
2948	legenda.exe
4980	legenda.exe
4464	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2748 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2748	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz8415.exev8862LL.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz8415.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v8862LL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v8862LL.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap8138.exe479b6101ebe0c539cff3113d90f21901c96723158ce128aa2bc426edc0e2200c.exezap8222.exezap2849.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap8138.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	479b6101ebe0c539cff3113d90f21901c96723158ce128aa2bc426edc0e2200c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	479b6101ebe0c539cff3113d90f21901c96723158ce128aa2bc426edc0e2200c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8222.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap8222.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2849.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap2849.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8138.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

312 3772 WerFault.exe v8862LL.exe
1960 2184 WerFault.exe w76mu68.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2568 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz8415.exev8862LL.exew76mu68.exexnMRV31.exe

pid process

424 tz8415.exe
424 tz8415.exe
3772 v8862LL.exe
3772 v8862LL.exe
2184 w76mu68.exe
2184 w76mu68.exe
4448 xnMRV31.exe
4448 xnMRV31.exe

pid	pid_target	process	target process
312	3772	WerFault.exe	v8862LL.exe
1960	2184	WerFault.exe	w76mu68.exe

pid	process
2568	schtasks.exe

pid	process
424	tz8415.exe
424	tz8415.exe
3772	v8862LL.exe
3772	v8862LL.exe
2184	w76mu68.exe
2184	w76mu68.exe
4448	xnMRV31.exe
4448	xnMRV31.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz8415.exev8862LL.exew76mu68.exexnMRV31.exe

description	pid	process
Token: SeDebugPrivilege	424	tz8415.exe
Token: SeDebugPrivilege	3772	v8862LL.exe
Token: SeDebugPrivilege	2184	w76mu68.exe
Token: SeDebugPrivilege	4448	xnMRV31.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

479b6101ebe0c539cff3113d90f21901c96723158ce128aa2bc426edc0e2200c.exezap8222.exezap2849.exezap8138.exey36CI10.exelegenda.execmd.exe

description	pid	process	target process
PID 3580 wrote to memory of 404	3580	479b6101ebe0c539cff3113d90f21901c96723158ce128aa2bc426edc0e2200c.exe	zap8222.exe
PID 3580 wrote to memory of 404	3580	479b6101ebe0c539cff3113d90f21901c96723158ce128aa2bc426edc0e2200c.exe	zap8222.exe
PID 3580 wrote to memory of 404	3580	479b6101ebe0c539cff3113d90f21901c96723158ce128aa2bc426edc0e2200c.exe	zap8222.exe
PID 404 wrote to memory of 116	404	zap8222.exe	zap2849.exe
PID 404 wrote to memory of 116	404	zap8222.exe	zap2849.exe
PID 404 wrote to memory of 116	404	zap8222.exe	zap2849.exe
PID 116 wrote to memory of 3032	116	zap2849.exe	zap8138.exe
PID 116 wrote to memory of 3032	116	zap2849.exe	zap8138.exe
PID 116 wrote to memory of 3032	116	zap2849.exe	zap8138.exe
PID 3032 wrote to memory of 424	3032	zap8138.exe	tz8415.exe
PID 3032 wrote to memory of 424	3032	zap8138.exe	tz8415.exe
PID 3032 wrote to memory of 3772	3032	zap8138.exe	v8862LL.exe
PID 3032 wrote to memory of 3772	3032	zap8138.exe	v8862LL.exe
PID 3032 wrote to memory of 3772	3032	zap8138.exe	v8862LL.exe
PID 116 wrote to memory of 2184	116	zap2849.exe	w76mu68.exe
PID 116 wrote to memory of 2184	116	zap2849.exe	w76mu68.exe
PID 116 wrote to memory of 2184	116	zap2849.exe	w76mu68.exe
PID 404 wrote to memory of 4448	404	zap8222.exe	xnMRV31.exe
PID 404 wrote to memory of 4448	404	zap8222.exe	xnMRV31.exe
PID 404 wrote to memory of 4448	404	zap8222.exe	xnMRV31.exe
PID 3580 wrote to memory of 3300	3580	479b6101ebe0c539cff3113d90f21901c96723158ce128aa2bc426edc0e2200c.exe	y36CI10.exe
PID 3580 wrote to memory of 3300	3580	479b6101ebe0c539cff3113d90f21901c96723158ce128aa2bc426edc0e2200c.exe	y36CI10.exe
PID 3580 wrote to memory of 3300	3580	479b6101ebe0c539cff3113d90f21901c96723158ce128aa2bc426edc0e2200c.exe	y36CI10.exe
PID 3300 wrote to memory of 2948	3300	y36CI10.exe	legenda.exe
PID 3300 wrote to memory of 2948	3300	y36CI10.exe	legenda.exe
PID 3300 wrote to memory of 2948	3300	y36CI10.exe	legenda.exe
PID 2948 wrote to memory of 2568	2948	legenda.exe	schtasks.exe
PID 2948 wrote to memory of 2568	2948	legenda.exe	schtasks.exe
PID 2948 wrote to memory of 2568	2948	legenda.exe	schtasks.exe
PID 2948 wrote to memory of 444	2948	legenda.exe	cmd.exe
PID 2948 wrote to memory of 444	2948	legenda.exe	cmd.exe
PID 2948 wrote to memory of 444	2948	legenda.exe	cmd.exe
PID 444 wrote to memory of 4376	444	cmd.exe	cmd.exe
PID 444 wrote to memory of 4376	444	cmd.exe	cmd.exe
PID 444 wrote to memory of 4376	444	cmd.exe	cmd.exe
PID 444 wrote to memory of 4088	444	cmd.exe	cacls.exe
PID 444 wrote to memory of 4088	444	cmd.exe	cacls.exe
PID 444 wrote to memory of 4088	444	cmd.exe	cacls.exe
PID 444 wrote to memory of 2780	444	cmd.exe	cacls.exe
PID 444 wrote to memory of 2780	444	cmd.exe	cacls.exe
PID 444 wrote to memory of 2780	444	cmd.exe	cacls.exe
PID 444 wrote to memory of 4472	444	cmd.exe	cmd.exe
PID 444 wrote to memory of 4472	444	cmd.exe	cmd.exe
PID 444 wrote to memory of 4472	444	cmd.exe	cmd.exe
PID 444 wrote to memory of 5104	444	cmd.exe	cacls.exe
PID 444 wrote to memory of 5104	444	cmd.exe	cacls.exe
PID 444 wrote to memory of 5104	444	cmd.exe	cacls.exe
PID 444 wrote to memory of 4660	444	cmd.exe	cacls.exe
PID 444 wrote to memory of 4660	444	cmd.exe	cacls.exe
PID 444 wrote to memory of 4660	444	cmd.exe	cacls.exe
PID 2948 wrote to memory of 2748	2948	legenda.exe	rundll32.exe
PID 2948 wrote to memory of 2748	2948	legenda.exe	rundll32.exe
PID 2948 wrote to memory of 2748	2948	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\479b6101ebe0c539cff3113d90f21901c96723158ce128aa2bc426edc0e2200c.exe
"C:\Users\Admin\AppData\Local\Temp\479b6101ebe0c539cff3113d90f21901c96723158ce128aa2bc426edc0e2200c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3580

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8222.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8222.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:404

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2849.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2849.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:116

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8138.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8138.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8415.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8415.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:424

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8862LL.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8862LL.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 1084
6⤵
- Program crash
PID:312

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w76mu68.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w76mu68.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 1352
5⤵
- Program crash
PID:1960

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xnMRV31.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xnMRV31.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y36CI10.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y36CI10.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:2568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4376

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:4088

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4472

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:5104

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:4660

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3772 -ip 3772
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2184 -ip 2184
1⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4980

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y36CI10.exe
Filesize
235KB

MD5
017e3054e007d24a958e7251b5edbc95

SHA1
bd33fd6ae73369766a33a4fa1e977acab9b2344c

SHA256
3c62092e3cd9fe52d46304bdfb898ce82349631666373754b045aa8aba2642ef

SHA512
d3f7d7e721cd4843e1fe61c770341f618b700b9c86c0bf9406ead28b5009e4077a9187ec610781a7c8abf0799bf2755994d8f19ca8c0b9c06c7c5136c4092e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y36CI10.exe
Filesize
235KB

MD5
017e3054e007d24a958e7251b5edbc95

SHA1
bd33fd6ae73369766a33a4fa1e977acab9b2344c

SHA256
3c62092e3cd9fe52d46304bdfb898ce82349631666373754b045aa8aba2642ef

SHA512
d3f7d7e721cd4843e1fe61c770341f618b700b9c86c0bf9406ead28b5009e4077a9187ec610781a7c8abf0799bf2755994d8f19ca8c0b9c06c7c5136c4092e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8222.exe
Filesize
854KB

MD5
e6b53da275e30540e799bc56b554583d

SHA1
557aac8945bdc752869e8dc90715d17f355a9a3c

SHA256
6f82bacfd8c56438224a5d85e9870d9248d8f9de1aea3bab856375aee3206567

SHA512
c046d6fef8e078abff0cb9a79f291bfc73430224dcb67635d2e11bbf5cec3cbae78a94791c8c104f4f9d80b39a509eb1ca0ed33ca1cf5493b13fcec879ea2b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8222.exe
Filesize
854KB

MD5
e6b53da275e30540e799bc56b554583d

SHA1
557aac8945bdc752869e8dc90715d17f355a9a3c

SHA256
6f82bacfd8c56438224a5d85e9870d9248d8f9de1aea3bab856375aee3206567

SHA512
c046d6fef8e078abff0cb9a79f291bfc73430224dcb67635d2e11bbf5cec3cbae78a94791c8c104f4f9d80b39a509eb1ca0ed33ca1cf5493b13fcec879ea2b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xnMRV31.exe
Filesize
175KB

MD5
3b5169d1528c7bfd189c3e50541bfa7a

SHA1
f21c9426c23ca6f99a196fa925540c40df01d77c

SHA256
a5e4c40b0a3dbe946aa65de05a00c446a333d205b60e51c43ff7d3d5c93a4632

SHA512
27ac88357c392894fc27f29eddd3e112ea7fbfb4df4796aeb39ab6b1bdb6f790011bd36938839a49433ac0dad5350add10855d66a802e824ef955c9e77f7231c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xnMRV31.exe
Filesize
175KB

MD5
3b5169d1528c7bfd189c3e50541bfa7a

SHA1
f21c9426c23ca6f99a196fa925540c40df01d77c

SHA256
a5e4c40b0a3dbe946aa65de05a00c446a333d205b60e51c43ff7d3d5c93a4632

SHA512
27ac88357c392894fc27f29eddd3e112ea7fbfb4df4796aeb39ab6b1bdb6f790011bd36938839a49433ac0dad5350add10855d66a802e824ef955c9e77f7231c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2849.exe
Filesize
712KB

MD5
213244c1639f848c8149b1c8f74e3637

SHA1
45bbf2985d07ffc86e9c62d1d584ec6e938fdd6c

SHA256
d040a9f95cd490e12d7a1541266effb6a57fe74c481d5de999030a96c3e57660

SHA512
da2884d33039ae4cd406bfb10cc7b600c179f24006e852a679a65cced56137209e6e4a7cb6427ffa76e56ec4ff04092d5d9736f4aafa79e8010ad8411bedc25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2849.exe
Filesize
712KB

MD5
213244c1639f848c8149b1c8f74e3637

SHA1
45bbf2985d07ffc86e9c62d1d584ec6e938fdd6c

SHA256
d040a9f95cd490e12d7a1541266effb6a57fe74c481d5de999030a96c3e57660

SHA512
da2884d33039ae4cd406bfb10cc7b600c179f24006e852a679a65cced56137209e6e4a7cb6427ffa76e56ec4ff04092d5d9736f4aafa79e8010ad8411bedc25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w76mu68.exe
Filesize
384KB

MD5
5ba38af198d0cc2cbeba855bcc39cdf2

SHA1
8283084256c943f94831ccdca53985df94af89b9

SHA256
1de070ae6ab7358178d048c937472afb307523cefa648503586610313084a8bd

SHA512
88a41d463ecf460de26a3d14e9b303e63d43454bc06afea93ca7cfe58ee90e0bf3bedd76be3abf7ecb0f6db27bc0d22b504cdd85910549656706a577b679b137

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w76mu68.exe
Filesize
384KB

MD5
5ba38af198d0cc2cbeba855bcc39cdf2

SHA1
8283084256c943f94831ccdca53985df94af89b9

SHA256
1de070ae6ab7358178d048c937472afb307523cefa648503586610313084a8bd

SHA512
88a41d463ecf460de26a3d14e9b303e63d43454bc06afea93ca7cfe58ee90e0bf3bedd76be3abf7ecb0f6db27bc0d22b504cdd85910549656706a577b679b137

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8138.exe
Filesize
353KB

MD5
445bc744190560166f77437b8d8f2a4e

SHA1
1ea1848dfd77b27186b2dc619039da7a3046ef10

SHA256
8fadae06638e5488c1cdba88fee285738e322f0bfb1b2ffe6bb958ed2e454f04

SHA512
a3ea4a8a9c9837e45fac0ad10e84e8dfee830a33d5121292e633cb2e9acdf54bfe9565cb6fccb1a931024c3084715e625d1b41f81a6615ca0a214c420c778ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8138.exe
Filesize
353KB

MD5
445bc744190560166f77437b8d8f2a4e

SHA1
1ea1848dfd77b27186b2dc619039da7a3046ef10

SHA256
8fadae06638e5488c1cdba88fee285738e322f0bfb1b2ffe6bb958ed2e454f04

SHA512
a3ea4a8a9c9837e45fac0ad10e84e8dfee830a33d5121292e633cb2e9acdf54bfe9565cb6fccb1a931024c3084715e625d1b41f81a6615ca0a214c420c778ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8415.exe
Filesize
11KB

MD5
5351d5b837b1c194f04c00cdd4af2e8d

SHA1
d82acdc0184300435e358c1733b01701f72fd732

SHA256
4de455193d3dbaf0b0262b2cd3d553da7cd1c314d27e8abb1619447d5cfd0301

SHA512
859b193f058d77f4922fcd8a539fb72146e70e48e0582ce927b5cac95dfd190236ffa92ea35db23bd35a3a6100308fb1a86963a906b420a4c8a303017a5caa3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8415.exe
Filesize
11KB

MD5
5351d5b837b1c194f04c00cdd4af2e8d

SHA1
d82acdc0184300435e358c1733b01701f72fd732

SHA256
4de455193d3dbaf0b0262b2cd3d553da7cd1c314d27e8abb1619447d5cfd0301

SHA512
859b193f058d77f4922fcd8a539fb72146e70e48e0582ce927b5cac95dfd190236ffa92ea35db23bd35a3a6100308fb1a86963a906b420a4c8a303017a5caa3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8862LL.exe
Filesize
327KB

MD5
ffcf89719cf74aa10fe257a49e0c0a6d

SHA1
a873bda389c5b91a7c1bb532d687c08a8fb73e3e

SHA256
b17a69979b86fe4ed752b1bc9b38a4f4eca31c869cd09a0b2ae4f6119285665e

SHA512
634c1a91843bca8fcdefc8afce28cabd0aee77e3d6592c04af8f0b193f9b2e976e56c948917296c459b7301f28631f361c37760c9bfd5cfc85a263b25b92f169

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8862LL.exe
Filesize
327KB

MD5
ffcf89719cf74aa10fe257a49e0c0a6d

SHA1
a873bda389c5b91a7c1bb532d687c08a8fb73e3e

SHA256
b17a69979b86fe4ed752b1bc9b38a4f4eca31c869cd09a0b2ae4f6119285665e

SHA512
634c1a91843bca8fcdefc8afce28cabd0aee77e3d6592c04af8f0b193f9b2e976e56c948917296c459b7301f28631f361c37760c9bfd5cfc85a263b25b92f169

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
017e3054e007d24a958e7251b5edbc95

SHA1
bd33fd6ae73369766a33a4fa1e977acab9b2344c

SHA256
3c62092e3cd9fe52d46304bdfb898ce82349631666373754b045aa8aba2642ef

SHA512
d3f7d7e721cd4843e1fe61c770341f618b700b9c86c0bf9406ead28b5009e4077a9187ec610781a7c8abf0799bf2755994d8f19ca8c0b9c06c7c5136c4092e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
017e3054e007d24a958e7251b5edbc95

SHA1
bd33fd6ae73369766a33a4fa1e977acab9b2344c

SHA256
3c62092e3cd9fe52d46304bdfb898ce82349631666373754b045aa8aba2642ef

SHA512
d3f7d7e721cd4843e1fe61c770341f618b700b9c86c0bf9406ead28b5009e4077a9187ec610781a7c8abf0799bf2755994d8f19ca8c0b9c06c7c5136c4092e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
017e3054e007d24a958e7251b5edbc95

SHA1
bd33fd6ae73369766a33a4fa1e977acab9b2344c

SHA256
3c62092e3cd9fe52d46304bdfb898ce82349631666373754b045aa8aba2642ef

SHA512
d3f7d7e721cd4843e1fe61c770341f618b700b9c86c0bf9406ead28b5009e4077a9187ec610781a7c8abf0799bf2755994d8f19ca8c0b9c06c7c5136c4092e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
017e3054e007d24a958e7251b5edbc95

SHA1
bd33fd6ae73369766a33a4fa1e977acab9b2344c

SHA256
3c62092e3cd9fe52d46304bdfb898ce82349631666373754b045aa8aba2642ef

SHA512
d3f7d7e721cd4843e1fe61c770341f618b700b9c86c0bf9406ead28b5009e4077a9187ec610781a7c8abf0799bf2755994d8f19ca8c0b9c06c7c5136c4092e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
017e3054e007d24a958e7251b5edbc95

SHA1
bd33fd6ae73369766a33a4fa1e977acab9b2344c

SHA256
3c62092e3cd9fe52d46304bdfb898ce82349631666373754b045aa8aba2642ef

SHA512
d3f7d7e721cd4843e1fe61c770341f618b700b9c86c0bf9406ead28b5009e4077a9187ec610781a7c8abf0799bf2755994d8f19ca8c0b9c06c7c5136c4092e34

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/424-161-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/2184-1127-0x0000000008CA0000-0x0000000008D16000-memory.dmp

Filesize
472KB

Download
memory/2184-244-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2184-1136-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/2184-1133-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/2184-1132-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/2184-1131-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/2184-1130-0x0000000008F80000-0x00000000094AC000-memory.dmp

Filesize
5.2MB

Download
memory/2184-1129-0x0000000008DB0000-0x0000000008F72000-memory.dmp

Filesize
1.8MB

Download
memory/2184-1128-0x0000000008D30000-0x0000000008D80000-memory.dmp

Filesize
320KB

Download
memory/2184-1126-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/2184-1125-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/2184-209-0x0000000002CA0000-0x0000000002CEB000-memory.dmp

Filesize
300KB

Download
memory/2184-213-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/2184-210-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2184-212-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2184-215-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/2184-216-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2184-211-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/2184-218-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2184-220-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2184-222-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2184-224-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2184-226-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2184-228-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2184-230-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2184-232-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2184-234-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2184-236-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2184-238-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2184-240-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2184-242-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2184-1123-0x00000000081D0000-0x000000000820C000-memory.dmp

Filesize
240KB

Download
memory/2184-246-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2184-1119-0x0000000007930000-0x0000000007F48000-memory.dmp

Filesize
6.1MB

Download
memory/2184-1120-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/2184-1121-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/2184-1122-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/3772-184-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/3772-192-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/3772-194-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/3772-170-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/3772-204-0x0000000000400000-0x0000000002B80000-memory.dmp

Filesize
39.5MB

Download
memory/3772-203-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/3772-201-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/3772-202-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/3772-199-0x0000000000400000-0x0000000002B80000-memory.dmp

Filesize
39.5MB

Download
memory/3772-198-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/3772-196-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/3772-186-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/3772-167-0x0000000007130000-0x00000000076D4000-memory.dmp

Filesize
5.6MB

Download
memory/3772-190-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/3772-188-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/3772-182-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/3772-180-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/3772-178-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/3772-173-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/3772-176-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/3772-174-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/3772-172-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/3772-168-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/3772-169-0x0000000002B80000-0x0000000002BAD000-memory.dmp

Filesize
180KB

Download
memory/4448-1141-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4448-1140-0x0000000000330000-0x0000000000362000-memory.dmp

Filesize
200KB

Download