Analysis
max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-03-2023 01:13
Static task: static1
Behavioral task: behavioral1
  Sample: 315210b2e4a9d0e072bae919377ff43aa9e8834313335cabef4a048b48a8bbec.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 315210b2e4a9d0e072bae919377ff43aa9e8834313335cabef4a048b48a8bbec.exe
  Resource: win10v2004-20230221-en
General
Target: 315210b2e4a9d0e072bae919377ff43aa9e8834313335cabef4a048b48a8bbec.exe
Size: 1.0MB
MD5: 2411653655b03e21b87a7684d6ab1539
SHA1: 2a296c22ca1f499fb8735fcae8c2be6064a4cbcf
SHA256: 315210b2e4a9d0e072bae919377ff43aa9e8834313335cabef4a048b48a8bbec
SHA512: f8e3fd805951a0a9d9b47789f9d118c60bc2b954a634cf6a727f88e5e076c33f4302543857f87d357e6a92f1b4d46be02f5df68a537daced74b36eab0f667d26
SSDEEP: 24576:3y5Hm2RBA5C5+L/sb/perCZcbxEhP2H9M/U1ef:CN8tkb/peWONc2H9a
Malware Config
Extracted: redline | sony | 193.233.20.33:4125 | auth_value: 1d93d1744381eeb4fcfd7c23ffe0f0b4
Extracted: redline | fort | 193.233.20.33:4125 | auth_value: 5ea5673154a804d8c80f565f7276f720
Extracted: amadey | 3.68 | 62.204.41.87/joomla/index.php
Extracted: raccoon | 301867536c206e3dae52e6d17c16cc9b | http://213.226.100.108/
Extracted: aurora | 212.87.204.93:8081
Signatures

Modifies Windows Defender Real-time Protection settings 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | tz0780.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | tz0780.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | tz0780.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | tz0780.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | v4784DE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | v4784DE.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | tz0780.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | v4784DE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | v4784DE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | v4784DE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | v4784DE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | tz0780.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource | yara_rule
behavioral2/memory/1696-209-0x0000000007160000-0x000000000719E000-memory.dmp | family_redline
behavioral2/memory/1696-210-0x0000000007160000-0x000000000719E000-memory.dmp | family_redline
behavioral2/memory/1696-212-0x0000000007160000-0x000000000719E000-memory.dmp | family_redline
behavioral2/memory/1696-214-0x0000000007160000-0x000000000719E000-memory.dmp | family_redline
behavioral2/memory/1696-216-0x0000000007160000-0x000000000719E000-memory.dmp | family_redline
behavioral2/memory/1696-218-0x0000000007160000-0x000000000719E000-memory.dmp | family_redline
behavioral2/memory/1696-220-0x0000000007160000-0x000000000719E000-memory.dmp | family_redline
behavioral2/memory/1696-222-0x0000000007160000-0x000000000719E000-memory.dmp | family_redline
behavioral2/memory/1696-224-0x0000000007160000-0x000000000719E000-memory.dmp | family_redline
behavioral2/memory/1696-226-0x0000000007160000-0x000000000719E000-memory.dmp | family_redline
behavioral2/memory/1696-228-0x0000000007160000-0x000000000719E000-memory.dmp | family_redline
behavioral2/memory/1696-230-0x0000000007160000-0x000000000719E000-memory.dmp | family_redline
behavioral2/memory/1696-232-0x0000000007160000-0x000000000719E000-memory.dmp | family_redline
behavioral2/memory/1696-234-0x0000000007160000-0x000000000719E000-memory.dmp | family_redline
behavioral2/memory/1696-236-0x0000000007160000-0x000000000719E000-memory.dmp | family_redline
behavioral2/memory/1696-238-0x0000000007160000-0x000000000719E000-memory.dmp | family_redline
behavioral2/memory/1696-240-0x0000000007160000-0x000000000719E000-memory.dmp | family_redline
behavioral2/memory/1696-242-0x0000000007160000-0x000000000719E000-memory.dmp | family_redline
behavioral2/memory/1696-1127-0x0000000007350000-0x0000000007360000-memory.dmp | family_redline
behavioral2/memory/1696-1128-0x0000000007350000-0x0000000007360000-memory.dmp | family_redline
Downloads MZ/PE file
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | y87qc67.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | legenda.exe
Executes dropped EXE 13 IoCs
pid | Process
3808 | zap6867.exe
4604 | zap4443.exe
4328 | zap8822.exe
3632 | tz0780.exe
3732 | v4784DE.exe
1696 | w10PR43.exe
1556 | xeRXv17.exe
1832 | y87qc67.exe
3372 | legenda.exe
3272 | legenda.exe
3860 | 2.exe
4884 | 2023.exe
400 | legenda.exe
Loads dropped DLL 1 IoCs
pid | Process
4048 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | v4784DE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | v4784DE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | tz0780.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 8 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | zap4443.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | zap4443.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | zap8822.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | zap8822.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 315210b2e4a9d0e072bae919377ff43aa9e8834313335cabef4a048b48a8bbec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 315210b2e4a9d0e072bae919377ff43aa9e8834313335cabef4a048b48a8bbec.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | zap6867.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zap6867.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3396 | 1696 | WerFault.exe | 90
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4776 | schtasks.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid | Process
1436 | systeminfo.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
3632 | tz0780.exe
3632 | tz0780.exe
3732 | v4784DE.exe
3732 | v4784DE.exe
1696 | w10PR43.exe
1696 | w10PR43.exe
1556 | xeRXv17.exe
1556 | xeRXv17.exe
1324 | powershell.exe
1324 | powershell.exe
5080 | powershell.exe
5080 | powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3632 | tz0780.exe
Token: SeDebugPrivilege | 3732 | v4784DE.exe
Token: SeDebugPrivilege | 1696 | w10PR43.exe
Token: SeDebugPrivilege | 1556 | xeRXv17.exe
Token: SeIncreaseQuotaPrivilege | 4500 | WMIC.exe
Token: SeSecurityPrivilege | 4500 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4500 | WMIC.exe
Token: SeLoadDriverPrivilege | 4500 | WMIC.exe
Token: SeSystemProfilePrivilege | 4500 | WMIC.exe
Token: SeSystemtimePrivilege | 4500 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4500 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4500 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4500 | WMIC.exe
Token: SeBackupPrivilege | 4500 | WMIC.exe
Token: SeRestorePrivilege | 4500 | WMIC.exe
Token: SeShutdownPrivilege | 4500 | WMIC.exe
Token: SeDebugPrivilege | 4500 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4500 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4500 | WMIC.exe
Token: SeUndockPrivilege | 4500 | WMIC.exe
Token: SeManageVolumePrivilege | 4500 | WMIC.exe
Token: 33 | 4500 | WMIC.exe
Token: 34 | 4500 | WMIC.exe
Token: 35 | 4500 | WMIC.exe
Token: 36 | 4500 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 4500 | WMIC.exe
Token: SeSecurityPrivilege | 4500 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4500 | WMIC.exe
Token: SeLoadDriverPrivilege | 4500 | WMIC.exe
Token: SeSystemProfilePrivilege | 4500 | WMIC.exe
Token: SeSystemtimePrivilege | 4500 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4500 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4500 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4500 | WMIC.exe
Token: SeBackupPrivilege | 4500 | WMIC.exe
Token: SeRestorePrivilege | 4500 | WMIC.exe
Token: SeShutdownPrivilege | 4500 | WMIC.exe
Token: SeDebugPrivilege | 4500 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4500 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4500 | WMIC.exe
Token: SeUndockPrivilege | 4500 | WMIC.exe
Token: SeManageVolumePrivilege | 4500 | WMIC.exe
Token: 33 | 4500 | WMIC.exe
Token: 34 | 4500 | WMIC.exe
Token: 35 | 4500 | WMIC.exe
Token: 36 | 4500 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 2144 | wmic.exe
Token: SeSecurityPrivilege | 2144 | wmic.exe
Token: SeTakeOwnershipPrivilege | 2144 | wmic.exe
Token: SeLoadDriverPrivilege | 2144 | wmic.exe
Token: SeSystemProfilePrivilege | 2144 | wmic.exe
Token: SeSystemtimePrivilege | 2144 | wmic.exe
Token: SeProfSingleProcessPrivilege | 2144 | wmic.exe
Token: SeIncBasePriorityPrivilege | 2144 | wmic.exe
Token: SeCreatePagefilePrivilege | 2144 | wmic.exe
Token: SeBackupPrivilege | 2144 | wmic.exe
Token: SeRestorePrivilege | 2144 | wmic.exe
Token: SeShutdownPrivilege | 2144 | wmic.exe
Token: SeDebugPrivilege | 2144 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 2144 | wmic.exe
Token: SeRemoteShutdownPrivilege | 2144 | wmic.exe
Token: SeUndockPrivilege | 2144 | wmic.exe
Token: SeManageVolumePrivilege | 2144 | wmic.exe
Token: 33 | 2144 | wmic.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1608 wrote to memory of 3808 | 1608 | 315210b2e4a9d0e072bae919377ff43aa9e8834313335cabef4a048b48a8bbec.exe | 82
PID 1608 wrote to memory of 3808 | 1608 | 315210b2e4a9d0e072bae919377ff43aa9e8834313335cabef4a048b48a8bbec.exe | 82
PID 1608 wrote to memory of 3808 | 1608 | 315210b2e4a9d0e072bae919377ff43aa9e8834313335cabef4a048b48a8bbec.exe | 82
PID 3808 wrote to memory of 4604 | 3808 | zap6867.exe | 83
PID 3808 wrote to memory of 4604 | 3808 | zap6867.exe | 83
PID 3808 wrote to memory of 4604 | 3808 | zap6867.exe | 83
PID 4604 wrote to memory of 4328 | 4604 | zap4443.exe | 84
PID 4604 wrote to memory of 4328 | 4604 | zap4443.exe | 84
PID 4604 wrote to memory of 4328 | 4604 | zap4443.exe | 84
PID 4328 wrote to memory of 3632 | 4328 | zap8822.exe | 85
PID 4328 wrote to memory of 3632 | 4328 | zap8822.exe | 85
PID 4328 wrote to memory of 3732 | 4328 | zap8822.exe | 89
PID 4328 wrote to memory of 3732 | 4328 | zap8822.exe | 89
PID 4328 wrote to memory of 3732 | 4328 | zap8822.exe | 89
PID 4604 wrote to memory of 1696 | 4604 | zap4443.exe | 90
PID 4604 wrote to memory of 1696 | 4604 | zap4443.exe | 90
PID 4604 wrote to memory of 1696 | 4604 | zap4443.exe | 90
PID 3808 wrote to memory of 1556 | 3808 | zap6867.exe | 98
PID 3808 wrote to memory of 1556 | 3808 | zap6867.exe | 98
PID 3808 wrote to memory of 1556 | 3808 | zap6867.exe | 98
PID 1608 wrote to memory of 1832 | 1608 | 315210b2e4a9d0e072bae919377ff43aa9e8834313335cabef4a048b48a8bbec.exe | 99
PID 1608 wrote to memory of 1832 | 1608 | 315210b2e4a9d0e072bae919377ff43aa9e8834313335cabef4a048b48a8bbec.exe | 99
PID 1608 wrote to memory of 1832 | 1608 | 315210b2e4a9d0e072bae919377ff43aa9e8834313335cabef4a048b48a8bbec.exe | 99
PID 1832 wrote to memory of 3372 | 1832 | y87qc67.exe | 100
PID 1832 wrote to memory of 3372 | 1832 | y87qc67.exe | 100
PID 1832 wrote to memory of 3372 | 1832 | y87qc67.exe | 100
PID 3372 wrote to memory of 4776 | 3372 | legenda.exe | 101
PID 3372 wrote to memory of 4776 | 3372 | legenda.exe | 101
PID 3372 wrote to memory of 4776 | 3372 | legenda.exe | 101
PID 3372 wrote to memory of 2584 | 3372 | legenda.exe | 103
PID 3372 wrote to memory of 2584 | 3372 | legenda.exe | 103
PID 3372 wrote to memory of 2584 | 3372 | legenda.exe | 103
PID 2584 wrote to memory of 4748 | 2584 | cmd.exe | 105
PID 2584 wrote to memory of 4748 | 2584 | cmd.exe | 105
PID 2584 wrote to memory of 4748 | 2584 | cmd.exe | 105
PID 2584 wrote to memory of 1720 | 2584 | cmd.exe | 106
PID 2584 wrote to memory of 1720 | 2584 | cmd.exe | 106
PID 2584 wrote to memory of 1720 | 2584 | cmd.exe | 106
PID 2584 wrote to memory of 1088 | 2584 | cmd.exe | 107
PID 2584 wrote to memory of 1088 | 2584 | cmd.exe | 107
PID 2584 wrote to memory of 1088 | 2584 | cmd.exe | 107
PID 2584 wrote to memory of 5096 | 2584 | cmd.exe | 108
PID 2584 wrote to memory of 5096 | 2584 | cmd.exe | 108
PID 2584 wrote to memory of 5096 | 2584 | cmd.exe | 108
PID 2584 wrote to memory of 5040 | 2584 | cmd.exe | 109
PID 2584 wrote to memory of 5040 | 2584 | cmd.exe | 109
PID 2584 wrote to memory of 5040 | 2584 | cmd.exe | 109
PID 2584 wrote to memory of 1804 | 2584 | cmd.exe | 110
PID 2584 wrote to memory of 1804 | 2584 | cmd.exe | 110
PID 2584 wrote to memory of 1804 | 2584 | cmd.exe | 110
PID 3372 wrote to memory of 4048 | 3372 | legenda.exe | 112
PID 3372 wrote to memory of 4048 | 3372 | legenda.exe | 112
PID 3372 wrote to memory of 4048 | 3372 | legenda.exe | 112
PID 3372 wrote to memory of 3860 | 3372 | legenda.exe | 113
PID 3372 wrote to memory of 3860 | 3372 | legenda.exe | 113
PID 3372 wrote to memory of 3860 | 3372 | legenda.exe | 113
PID 3372 wrote to memory of 4884 | 3372 | legenda.exe | 114
PID 3372 wrote to memory of 4884 | 3372 | legenda.exe | 114
PID 3372 wrote to memory of 4884 | 3372 | legenda.exe | 114
PID 4884 wrote to memory of 4512 | 4884 | 2023.exe | 115
PID 4884 wrote to memory of 4512 | 4884 | 2023.exe | 115
PID 4884 wrote to memory of 4512 | 4884 | 2023.exe | 115
PID 4512 wrote to memory of 4500 | 4512 | cmd.exe | 117
PID 4512 wrote to memory of 4500 | 4512 | cmd.exe | 117
Processes
(process tree; [n] is the nesting depth, children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\315210b2e4a9d0e072bae919377ff43aa9e8834313335cabef4a048b48a8bbec.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\315210b2e4a9d0e072bae919377ff43aa9e8834313335cabef4a048b48a8bbec.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 1608
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6867.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap6867.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 3808
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4443.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4443.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 4604
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8822.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8822.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID: 4328
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0780.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz0780.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3632
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4784DE.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4784DE.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3732
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w10PR43.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w10PR43.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1696
        [5] C:\Windows\SysWOW64\WerFault.exe
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1968
            - Program crash
            PID: 3396
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xeRXv17.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xeRXv17.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1556
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y87qc67.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y87qc67.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 1832
    [3] C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 3372
      [4] C:\Windows\SysWOW64\schtasks.exe
          cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
          - Creates scheduled task(s)
          PID: 4776
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
          - Suspicious use of WriteProcessMemory
          PID: 2584
        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            PID: 4748
        [5] C:\Windows\SysWOW64\cacls.exe
            cmdline: CACLS "legenda.exe" /P "Admin:N"
            PID: 1720
        [5] C:\Windows\SysWOW64\cacls.exe
            cmdline: CACLS "legenda.exe" /P "Admin:R" /E
            PID: 1088
        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            PID: 5096
        [5] C:\Windows\SysWOW64\cacls.exe
            cmdline: CACLS "..\f22b669919" /P "Admin:N"
            PID: 5040
        [5] C:\Windows\SysWOW64\cacls.exe
            cmdline: CACLS "..\f22b669919" /P "Admin:R" /E
            PID: 1804
      [4] C:\Windows\SysWOW64\rundll32.exe
          cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
          - Loads dropped DLL
          PID: 4048
      [4] C:\Users\Admin\AppData\Local\Temp\1000188001\2.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\1000188001\2.exe"
          - Executes dropped EXE
          PID: 3860
      [4] C:\Users\Admin\AppData\Local\Temp\1000191001\2023.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\1000191001\2023.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID: 4884
        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: cmd.exe /c "wmic csproduct get uuid"
            - Suspicious use of WriteProcessMemory
            PID: 4512
          [6] C:\Windows\SysWOW64\Wbem\WMIC.exe
              cmdline: wmic csproduct get uuid
              - Suspicious use of AdjustPrivilegeToken
              PID: 4500
        [5] C:\Windows\SysWOW64\Wbem\wmic.exe
            cmdline: wmic os get Caption
            - Suspicious use of AdjustPrivilegeToken
            PID: 2144
        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: cmd /C "wmic path win32_VideoController get name"
            PID: 3376
          [6] C:\Windows\SysWOW64\Wbem\WMIC.exe
              cmdline: wmic path win32_VideoController get name
              PID: 3280
        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: cmd /C "wmic cpu get name"
            PID: 3236
          [6] C:\Windows\SysWOW64\Wbem\WMIC.exe
              cmdline: wmic cpu get name
              PID: 1992
        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: cmd "/c " systeminfo
            PID: 424
          [6] C:\Windows\SysWOW64\systeminfo.exe
              cmdline: systeminfo
              - Gathers system information
              PID: 1436
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History\" \"C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC\""
            - Suspicious behavior: EnumeratesProcesses
            PID: 1324
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\MRAjWwhTHctcuAx\""
            - Suspicious behavior: EnumeratesProcesses
            PID: 5080
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\hxKQFDaFpL\""
            PID: 4072

[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1696 -ip 1696
    PID: 3604

[1] C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
    - Executes dropped EXE
    PID: 3272

[1] C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
    - Executes dropped EXE
    PID: 400
Network
MITRE ATT&CK Enterprise v6
Downloads
(dropped-file hashes; entries with identical hashes are listed once with their count)

Filesize: 1KB
MD5: 5315900105942deb090a358a315b06fe
SHA1: 22fe5d2e1617c31afbafb91c117508d41ef0ce44
SHA256: e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7
SHA512: 77e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6

Filesize: 15KB
MD5: 82d55fbdaf8f1b03150a9096316eca69
SHA1: 45e045997ce447e565111d41096a150d494fd199
SHA256: 5c7494c0342c823f11bad9a56d5d4a3a81cc9bd45f4696550b95f21e6a988567
SHA512: f1d6a21dccbe79d94940260b418c2a6ef1c9d04929a3bdeb87a127d716078fb55da730af71e1a0fc20ef0361fc7929a26f488c4070940c6a87a4565a2a74ba74

Filesize: 110KB (listed 3 times)
MD5: bc338e23e5411697561306eabb29bd9c
SHA1: 2503a1d824af32214f3102d6e0d2e52d439b91f8
SHA256: fc89f7167628e95935070f6a72c859da69a91655e72c4d8c8e31fbac73c2d379
SHA512: f5fa3d4f0d611225393f9ff33de6657c1c47c89e11695b44fd35c840ea6ed0545c7b1da7ce4009d8cca76cf9587cb1c4586c992cb646d4cbeb816ef72e8c9254

Filesize: 3.1MB (listed 3 times)
MD5: 027a60b4337dd0847d0414aa8719ffec
SHA1: 80f78f880e891adfa8f71fb1447ed19734077062
SHA256: 3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168
SHA512: 009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Filesize: 236KB (listed 7 times)
MD5: 0fca7d967f70f51ebd29080a49c14c00
SHA1: fe440b91f1b3f958d588a5ac0b5509231073e737
SHA256: edf7388779bbafbd11cf6ef56dfe16ee03787554fb009783ef2958a7fa5f4b96
SHA512: 104558fe68d0bdcf7e20fa415287217402e913fb6b8c54dda9461fc6eb7c45e9169f3e75b877094ba7a9d6389aba2bd6a52db4e1fbc94a49be400b308fb3eda1

Filesize: 852KB (listed 2 times)
MD5: 5bb5459b73512a04cabfa9b990fdc48f
SHA1: 115cb80364d1fb2654dc68ac954d48651df1872f
SHA256: 7443521372931ef3b8436c4250147ecb05a4135ee85ffca8aa3c1935659c095d
SHA512: efcb2443ababd16997005addf83400dd0439e0db7ebe37ee91c1bbf040d2194486fd5e00a7e4d2219d00f5bbed66da1d85dc77a1437adfb2f38259371e1fffdf

Filesize: 175KB (listed 2 times)
MD5: bd71bdbe08a695b14d15021fb0d289c8
SHA1: 0b72f7a2560db6be98b3e1efe20a50cc4c204b77
SHA256: 31651c6b1434701d54e31f3263cae9e87914d43f2f52e53d6479fd028a3a83ae
SHA512: 9107d07ff91d80c3fb205eb3add953feda52b182fd9257ed1e950de6f14072f9815142661b4a34fab7a1a12db7e202cc1a92486ebae79fe2dac7c76c8b9e94ca

Filesize: 710KB (listed 2 times)
MD5: 04bf709e682340396abc199082ab9b84
SHA1: 2dccee10e7246a3d9c2b2999193e91c342f4e122
SHA256: 8d09aa6f6bd9d989e7f208946988d54e50b6d12e07b56fde93ee786f56b07af8
SHA512: 1be864b9231adc96f7857e87556d49befe393602139b7218e911e2a35247118f1a2da8e0b86ded4e66c4272301ff285556e79a06dc52f12d99835a36f81d7298

Filesize: 384KB (listed 2 times)
MD5: 90e704a3a764474efff25d05578d9660
SHA1: 959cf8fce98c7b5217c0ad0d3a51ad1a459741c8
SHA256: 986770d236125b5112c995dae85a505745f2405208c281c9c8fe54509fa24883
SHA512: 64fbe7fc8032fbb86c574872f18bc49749f7d63e963e3527c579451d1df11754daaafd9c213a8394bf285e665f0e69cbb24f5de676b22f6d33cc07bc31b7dc18

Filesize: 351KB (listed 2 times)
MD5: 945ee709ebc386a14a936cef0ee47478
SHA1: 258c9b470b4708ce6649c8ec4b189e77f84487db
SHA256: 7cb90341d5f6386c1db892b23d6acde98bc59207979df68973d83f0d4ca70b0f
SHA512: 26a052dbda603d206e9dcbed8b950a89f16a5b36d5eabf7b3afad3c1aa230ea8ab7887496dc6461cf98d637342ed1d534c922dc04c4734669bac3b1e799c5aa1

Filesize: 12KB (listed 2 times)
MD5: f62f75dab7b6710f8d7761d2c3c46ca6
SHA1: e8ed453589210ffb0ee025ade335d16823395c98
SHA256: f8f447265eaf5b2a3967e879e59a5ec653317751f7685dca104458810bd18405
SHA512: 0fb9cf61e41a6f123c9e58201b95e2121035d4f759fe1b605fd401aae1dbd17097757ac9659764262ce277192e9c08414da743f2a2e05ec5776ecc3319d5d2d6

Filesize: 325KB (listed 2 times)
MD5: 2ce2efa8997e759013222bb30a4cf545
SHA1: 6bd0e0c6596aa2fb42e1b48bf5ac417bc753b4d8
SHA256: f6a81bc8888880909c59b587387b6b130933459078afcf7ea3f1ca178232728c
SHA512: fed57852b4bcd4c4e2cfa565f6f61a2e124c4ae1ae8a7307e906d7970047b7e57f841b45252c7ac4e3002b0bd1bfcaaa575052cd28f812fa2d4dec285d174a64

Filesize: 71KB
MD5: 46988a922937a39036d6b71e62d0f966
SHA1: 4a997f2a0360274ec7990aac156870a5a7030665
SHA256: 5954db23a8424f6cb1e933387d0866910c45615f54342aa0f6dd597174393de6
SHA512: dd7774668cd24c303e670e7d096794aca67593b8d8a9b3b38aa08c148f67e74c07041f25941465b3ae030bafd76384b4b79d41c1eeebe5bd11d94ab25ef00e9d

Filesize: 148KB
MD5: 90a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1: aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA256: 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512: ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 89KB (listed 3 times)
MD5: 16cf28ebb6d37dbaba93f18320c6086e
SHA1: eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256: c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512: f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Filesize: 223B
MD5: 94cbeec5d4343918fd0e48760e40539c
SHA1: a049266c5c1131f692f306c8710d7e72586ae79d
SHA256: 48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA512: 4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0