95146fd91e53797e70aa24b0a662c345ea9c0ed0500e9a996506d3c79433304c

General

Target

legend.exe
Size

347KB
MD5

ef2de4a8a06f86867f6e460e88919515
SHA1

927a63e2b72624abb062387e8ea83862c98158f2
SHA256

95146fd91e53797e70aa24b0a662c345ea9c0ed0500e9a996506d3c79433304c
SHA512

5e670977ae81b28cb0120b5f45379be295e49f394df16000181c84c8969abc47090623c34888c7fc01aeba4202aed1ad2d29bdc1052c212caefae25795ec8592
SSDEEP

6144:BnPdudwDsAq1bHTMqjOLx9JL78eBZoRgl7bMkqfOCY4JnpmIOHkQTtHVI:BnPdwAUHpOLXJhBZoRglPMkUOCdnhQg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3048	wlhgt.exe
1668	wlhgt.exe

Loads dropped DLL 2 IoCs

pid	Process
2068	legend.exe
3048	wlhgt.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgptpyewschqm = "C:\\Users\\Admin\\AppData\\Roaming\\nsclgpyua\\joxdmirb.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wlhgt.exe\" "	wlhgt.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3048 set thread context of 1668	3048	wlhgt.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1668	wlhgt.exe
1668	wlhgt.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3048	wlhgt.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	wlhgt.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 3048	2068	legend.exe	28
PID 2068 wrote to memory of 3048	2068	legend.exe	28
PID 2068 wrote to memory of 3048	2068	legend.exe	28
PID 2068 wrote to memory of 3048	2068	legend.exe	28
PID 3048 wrote to memory of 1668	3048	wlhgt.exe	29
PID 3048 wrote to memory of 1668	3048	wlhgt.exe	29
PID 3048 wrote to memory of 1668	3048	wlhgt.exe	29
PID 3048 wrote to memory of 1668	3048	wlhgt.exe	29
PID 3048 wrote to memory of 1668	3048	wlhgt.exe	29

C:\Users\Admin\AppData\Local\Temp\legend.exe
"C:\Users\Admin\AppData\Local\Temp\legend.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\wlhgt.exe
  "C:\Users\Admin\AppData\Local\Temp\wlhgt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\wlhgt.exe
    "C:\Users\Admin\AppData\Local\Temp\wlhgt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\poyukas.c

Filesize
333KB

MD5
2b4d08869bf52235776450f972eb4e14

SHA1
239c9d5c80f8a9ebcafff027ca62a2f28ab2a4f2

SHA256
760954e886be0d830a97dff466dd6f199fe76c12f95ee9c34fc1fea12b8e6941

SHA512
78f5f1f6e3787a75e9200815f49e58c70bb00f65c6044880cf26cb93511e15a93c934553f054ef2d559232dfe4aee5d4addb5496f0a95e21bb1671ed0158bae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlhgt.exe

Filesize
168KB

MD5
857d33e8f8429f5ee496132d66023e24

SHA1
8d9e3a0d63b863ed1fbc01ad73777dba752c8538

SHA256
3c70c6b43d985a72df3a28215e4417cf3276f5c46f7b67df16c7250da6ecdf72

SHA512
97582d2d4da4855d61ce3c39a268c841fcdf55d2ee9a4f078b366444004b5db4d5535698fb43fa5d6f6096a0a63f93e51994d1769ee943409edf60a6150c96da

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlhgt.exe

Filesize
168KB

MD5
857d33e8f8429f5ee496132d66023e24

SHA1
8d9e3a0d63b863ed1fbc01ad73777dba752c8538

SHA256
3c70c6b43d985a72df3a28215e4417cf3276f5c46f7b67df16c7250da6ecdf72

SHA512
97582d2d4da4855d61ce3c39a268c841fcdf55d2ee9a4f078b366444004b5db4d5535698fb43fa5d6f6096a0a63f93e51994d1769ee943409edf60a6150c96da

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlhgt.exe

Filesize
168KB

MD5
857d33e8f8429f5ee496132d66023e24

SHA1
8d9e3a0d63b863ed1fbc01ad73777dba752c8538

SHA256
3c70c6b43d985a72df3a28215e4417cf3276f5c46f7b67df16c7250da6ecdf72

SHA512
97582d2d4da4855d61ce3c39a268c841fcdf55d2ee9a4f078b366444004b5db4d5535698fb43fa5d6f6096a0a63f93e51994d1769ee943409edf60a6150c96da

Download Submit
\Users\Admin\AppData\Local\Temp\wlhgt.exe

Filesize
168KB

MD5
857d33e8f8429f5ee496132d66023e24

SHA1
8d9e3a0d63b863ed1fbc01ad73777dba752c8538

SHA256
3c70c6b43d985a72df3a28215e4417cf3276f5c46f7b67df16c7250da6ecdf72

SHA512
97582d2d4da4855d61ce3c39a268c841fcdf55d2ee9a4f078b366444004b5db4d5535698fb43fa5d6f6096a0a63f93e51994d1769ee943409edf60a6150c96da

Download Submit
\Users\Admin\AppData\Local\Temp\wlhgt.exe

Filesize
168KB

MD5
857d33e8f8429f5ee496132d66023e24

SHA1
8d9e3a0d63b863ed1fbc01ad73777dba752c8538

SHA256
3c70c6b43d985a72df3a28215e4417cf3276f5c46f7b67df16c7250da6ecdf72

SHA512
97582d2d4da4855d61ce3c39a268c841fcdf55d2ee9a4f078b366444004b5db4d5535698fb43fa5d6f6096a0a63f93e51994d1769ee943409edf60a6150c96da

Download Submit
memory/1668-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1668-11-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1668-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1668-18-0x0000000073A80000-0x000000007416E000-memory.dmp

Filesize
6.9MB

Download
memory/1668-17-0x0000000000210000-0x0000000000252000-memory.dmp

Filesize
264KB

Download
memory/1668-19-0x0000000000E00000-0x0000000000E40000-memory.dmp

Filesize
256KB

Download
memory/1668-20-0x0000000000E00000-0x0000000000E40000-memory.dmp

Filesize
256KB

Download
memory/1668-21-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1668-22-0x0000000073A80000-0x000000007416E000-memory.dmp

Filesize
6.9MB

Download
memory/1668-23-0x0000000000E00000-0x0000000000E40000-memory.dmp

Filesize
256KB

Download
memory/3048-6-0x00000000000F0000-0x00000000000F3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads