Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
14/03/2023, 10:53
Static task
static1
General
-
Target
d929e1cfd178a559849d74d0a0d808cfabf07afcf08c9e5b420554da8e61f76b.exe
-
Size
1.1MB
-
MD5
4d7c99cfe6ed9131190814b6649ba267
-
SHA1
12a5181191ff7f731fd8543ef4ecbab069f27f11
-
SHA256
d929e1cfd178a559849d74d0a0d808cfabf07afcf08c9e5b420554da8e61f76b
-
SHA512
30370da5f2831070eac28ab75899790f4f23e6907d4f5b8d3c821dbdb87ae520a78a0dc06873f94bd67c019b141a240038ef89946fc5931cfe71b6f43a2c7c19
-
SSDEEP
24576:5mP7BbTymTVzxFnHDzCOiqZavIqFwFU9hOpyugGYfhO9C3PvWjZ:5mP7BnzVnjzCTqZ57Q48ugBO9C3PO
Malware Config
Extracted
redline
mango
193.233.20.28:4125
-
auth_value
ecf79d7f5227d998a3501c972d915d23
Extracted
redline
vina
193.233.20.28:4125
-
auth_value
7e90e85c9cea0965a2bfd23e1cfc6bc8
Extracted
amadey
3.68
31.41.244.200/games/category/index.php
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" c21lQ07.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" bus8215.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" bus8215.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" con8871.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" b6035IK.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" b6035IK.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" c21lQ07.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" c21lQ07.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" c21lQ07.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" bus8215.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection con8871.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" con8871.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" b6035IK.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" b6035IK.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" bus8215.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" bus8215.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" con8871.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" con8871.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection bus8215.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" con8871.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" b6035IK.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" c21lQ07.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 18 IoCs
resource yara_rule behavioral1/memory/1576-219-0x0000000004A80000-0x0000000004ABE000-memory.dmp family_redline behavioral1/memory/1576-218-0x0000000004A80000-0x0000000004ABE000-memory.dmp family_redline behavioral1/memory/1576-221-0x0000000004A80000-0x0000000004ABE000-memory.dmp family_redline behavioral1/memory/1576-223-0x0000000004A80000-0x0000000004ABE000-memory.dmp family_redline behavioral1/memory/1576-225-0x0000000004A80000-0x0000000004ABE000-memory.dmp family_redline behavioral1/memory/1576-227-0x0000000004A80000-0x0000000004ABE000-memory.dmp family_redline behavioral1/memory/1576-229-0x0000000004A80000-0x0000000004ABE000-memory.dmp family_redline behavioral1/memory/1576-231-0x0000000004A80000-0x0000000004ABE000-memory.dmp family_redline behavioral1/memory/1576-233-0x0000000004A80000-0x0000000004ABE000-memory.dmp family_redline behavioral1/memory/1576-235-0x0000000004A80000-0x0000000004ABE000-memory.dmp family_redline behavioral1/memory/1576-237-0x0000000004A80000-0x0000000004ABE000-memory.dmp family_redline behavioral1/memory/1576-239-0x0000000004A80000-0x0000000004ABE000-memory.dmp family_redline behavioral1/memory/1576-241-0x0000000004A80000-0x0000000004ABE000-memory.dmp family_redline behavioral1/memory/1576-243-0x0000000004A80000-0x0000000004ABE000-memory.dmp family_redline behavioral1/memory/1576-245-0x0000000004A80000-0x0000000004ABE000-memory.dmp family_redline behavioral1/memory/1576-247-0x0000000004A80000-0x0000000004ABE000-memory.dmp family_redline behavioral1/memory/1576-249-0x0000000004A80000-0x0000000004ABE000-memory.dmp family_redline behavioral1/memory/1576-1136-0x0000000004B00000-0x0000000004B10000-memory.dmp family_redline -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation ge214537.exe Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation metafor.exe -
Executes dropped EXE 15 IoCs
pid Process 4852 kino6909.exe 4728 kino4649.exe 1420 kino9726.exe 1892 bus8215.exe 3396 con8871.exe 1576 dvt46s77.exe 332 en185244.exe 1988 ge214537.exe 2296 metafor.exe 2600 foto0120.exe 8 nice1147.exe 1604 b6035IK.exe 232 c21lQ07.exe 4064 dDZfC05.exe 1140 metafor.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features con8871.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" con8871.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" b6035IK.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" c21lQ07.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" bus8215.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 13 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce kino4649.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" kino4649.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce kino9726.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" kino9726.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce foto0120.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce d929e1cfd178a559849d74d0a0d808cfabf07afcf08c9e5b420554da8e61f76b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" d929e1cfd178a559849d74d0a0d808cfabf07afcf08c9e5b420554da8e61f76b.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce kino6909.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nice1147.exe Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foto0120.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000002051\\foto0120.exe" metafor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" kino6909.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" foto0120.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce nice1147.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4492 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 5 IoCs
pid pid_target Process procid_target 2216 3396 WerFault.exe 91 2428 1576 WerFault.exe 96 2464 740 WerFault.exe 82 2432 232 WerFault.exe 123 3380 4064 WerFault.exe 127 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4964 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 1892 bus8215.exe 1892 bus8215.exe 3396 con8871.exe 3396 con8871.exe 1576 dvt46s77.exe 1576 dvt46s77.exe 332 en185244.exe 332 en185244.exe 1604 b6035IK.exe 1604 b6035IK.exe 232 c21lQ07.exe 232 c21lQ07.exe 4064 dDZfC05.exe 4064 dDZfC05.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 1892 bus8215.exe Token: SeDebugPrivilege 3396 con8871.exe Token: SeDebugPrivilege 1576 dvt46s77.exe Token: SeDebugPrivilege 332 en185244.exe Token: SeDebugPrivilege 1604 b6035IK.exe Token: SeDebugPrivilege 232 c21lQ07.exe Token: SeDebugPrivilege 4064 dDZfC05.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 740 wrote to memory of 4852 740 d929e1cfd178a559849d74d0a0d808cfabf07afcf08c9e5b420554da8e61f76b.exe 83 PID 740 wrote to memory of 4852 740 d929e1cfd178a559849d74d0a0d808cfabf07afcf08c9e5b420554da8e61f76b.exe 83 PID 740 wrote to memory of 4852 740 d929e1cfd178a559849d74d0a0d808cfabf07afcf08c9e5b420554da8e61f76b.exe 83 PID 4852 wrote to memory of 4728 4852 kino6909.exe 84 PID 4852 wrote to memory of 4728 4852 kino6909.exe 84 PID 4852 wrote to memory of 4728 4852 kino6909.exe 84 PID 4728 wrote to memory of 1420 4728 kino4649.exe 85 PID 4728 wrote to memory of 1420 4728 kino4649.exe 85 PID 4728 wrote to memory of 1420 4728 kino4649.exe 85 PID 1420 wrote to memory of 1892 1420 kino9726.exe 86 PID 1420 wrote to memory of 1892 1420 kino9726.exe 86 PID 1420 wrote to memory of 3396 1420 kino9726.exe 91 PID 1420 wrote to memory of 3396 1420 kino9726.exe 91 PID 1420 wrote to memory of 3396 1420 kino9726.exe 91 PID 4728 wrote to memory of 1576 4728 kino4649.exe 96 PID 4728 wrote to memory of 1576 4728 kino4649.exe 96 PID 4728 wrote to memory of 1576 4728 kino4649.exe 96 PID 4852 wrote to memory of 332 4852 kino6909.exe 104 PID 4852 wrote to memory of 332 4852 kino6909.exe 104 PID 4852 wrote to memory of 332 4852 kino6909.exe 104 PID 740 wrote to memory of 1988 740 d929e1cfd178a559849d74d0a0d808cfabf07afcf08c9e5b420554da8e61f76b.exe 106 PID 740 wrote to memory of 1988 740 d929e1cfd178a559849d74d0a0d808cfabf07afcf08c9e5b420554da8e61f76b.exe 106 PID 740 wrote to memory of 1988 740 d929e1cfd178a559849d74d0a0d808cfabf07afcf08c9e5b420554da8e61f76b.exe 106 PID 1988 wrote to memory of 2296 1988 ge214537.exe 107 PID 1988 wrote to memory of 2296 1988 ge214537.exe 107 PID 1988 wrote to memory of 2296 1988 ge214537.exe 107 PID 2296 wrote to memory of 4964 2296 metafor.exe 110 PID 2296 wrote to memory of 4964 2296 metafor.exe 110 PID 2296 wrote to memory of 4964 2296 metafor.exe 110 PID 2296 wrote to memory of 440 2296 metafor.exe 112 PID 2296 wrote to memory of 440 2296 metafor.exe 112 PID 2296 wrote to memory of 440 2296 metafor.exe 112 PID 440 wrote to memory of 1484 440 cmd.exe 114 PID 440 wrote to memory of 1484 440 cmd.exe 114 PID 440 wrote to memory of 1484 440 cmd.exe 114 PID 440 wrote to memory of 4416 440 cmd.exe 115 PID 440 wrote to memory of 4416 440 cmd.exe 115 PID 440 wrote to memory of 4416 440 cmd.exe 115 PID 440 wrote to memory of 4740 440 cmd.exe 116 PID 440 wrote to memory of 4740 440 cmd.exe 116 PID 440 wrote to memory of 4740 440 cmd.exe 116 PID 440 wrote to memory of 1956 440 cmd.exe 117 PID 440 wrote to memory of 1956 440 cmd.exe 117 PID 440 wrote to memory of 1956 440 cmd.exe 117 PID 440 wrote to memory of 4620 440 cmd.exe 118 PID 440 wrote to memory of 4620 440 cmd.exe 118 PID 440 wrote to memory of 4620 440 cmd.exe 118 PID 440 wrote to memory of 5060 440 cmd.exe 119 PID 440 wrote to memory of 5060 440 cmd.exe 119 PID 440 wrote to memory of 5060 440 cmd.exe 119 PID 2296 wrote to memory of 2600 2296 metafor.exe 120 PID 2296 wrote to memory of 2600 2296 metafor.exe 120 PID 2296 wrote to memory of 2600 2296 metafor.exe 120 PID 2600 wrote to memory of 8 2600 foto0120.exe 121 PID 2600 wrote to memory of 8 2600 foto0120.exe 121 PID 2600 wrote to memory of 8 2600 foto0120.exe 121 PID 8 wrote to memory of 1604 8 nice1147.exe 122 PID 8 wrote to memory of 1604 8 nice1147.exe 122 PID 8 wrote to memory of 232 8 nice1147.exe 123 PID 8 wrote to memory of 232 8 nice1147.exe 123 PID 8 wrote to memory of 232 8 nice1147.exe 123 PID 2600 wrote to memory of 4064 2600 foto0120.exe 127 PID 2600 wrote to memory of 4064 2600 foto0120.exe 127 PID 2600 wrote to memory of 4064 2600 foto0120.exe 127
Processes
-
C:\Users\Admin\AppData\Local\Temp\d929e1cfd178a559849d74d0a0d808cfabf07afcf08c9e5b420554da8e61f76b.exe"C:\Users\Admin\AppData\Local\Temp\d929e1cfd178a559849d74d0a0d808cfabf07afcf08c9e5b420554da8e61f76b.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6909.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6909.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino4649.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino4649.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9726.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9726.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8215.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8215.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8871.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8871.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3396 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 10846⤵
- Program crash
PID:2216
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dvt46s77.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dvt46s77.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 13285⤵
- Program crash
PID:2428
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en185244.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en185244.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:332
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge214537.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge214537.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F4⤵
- Creates scheduled task(s)
PID:4964
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:1484
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "metafor.exe" /P "Admin:N"5⤵PID:4416
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "metafor.exe" /P "Admin:R" /E5⤵PID:4740
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:1956
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5975271bda" /P "Admin:N"5⤵PID:4620
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5975271bda" /P "Admin:R" /E5⤵PID:5060
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000002051\foto0120.exe"C:\Users\Admin\AppData\Local\Temp\1000002051\foto0120.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice1147.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice1147.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6035IK.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6035IK.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c21lQ07.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c21lQ07.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:232 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 10767⤵
- Program crash
PID:2432
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dDZfC05.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dDZfC05.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 13406⤵
- Program crash
PID:3380
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 5482⤵
- Program crash
PID:2464
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3396 -ip 33961⤵PID:4528
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1576 -ip 15761⤵PID:1164
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 740 -ip 7401⤵PID:4748
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 232 -ip 2321⤵PID:3736
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4064 -ip 40641⤵PID:3084
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeC:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe1⤵
- Executes dropped EXE
PID:1140
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:4492
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
670KB
MD52d11f233403ac8b87feecacf4b1c8dbc
SHA1f894a795dec927365b0116583d59982e92a234bf
SHA2560dc30854c9b95609d58480d031e7368631c7c7391889d74e81ba9f132ad2d4bd
SHA512935930a838640b5ec98691b6cc90de7a365f224196fc718d73f86c383fb5e45a274b6e4fa8cf420f5a24d55b229cf861053f80b7e0efcae1422e5b44b3a27a3a
-
Filesize
670KB
MD52d11f233403ac8b87feecacf4b1c8dbc
SHA1f894a795dec927365b0116583d59982e92a234bf
SHA2560dc30854c9b95609d58480d031e7368631c7c7391889d74e81ba9f132ad2d4bd
SHA512935930a838640b5ec98691b6cc90de7a365f224196fc718d73f86c383fb5e45a274b6e4fa8cf420f5a24d55b229cf861053f80b7e0efcae1422e5b44b3a27a3a
-
Filesize
670KB
MD52d11f233403ac8b87feecacf4b1c8dbc
SHA1f894a795dec927365b0116583d59982e92a234bf
SHA2560dc30854c9b95609d58480d031e7368631c7c7391889d74e81ba9f132ad2d4bd
SHA512935930a838640b5ec98691b6cc90de7a365f224196fc718d73f86c383fb5e45a274b6e4fa8cf420f5a24d55b229cf861053f80b7e0efcae1422e5b44b3a27a3a
-
Filesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
Filesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
Filesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
Filesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
Filesize
305KB
MD5c6912b9c2612d5d023ae2a5d9b7c931f
SHA161d960e5f4bcc86a8a4b2e4b0128c66af104ef67
SHA256b00f25287c3926a4daba7e15ca4216401347244e9635785973e4faaa5053ab6c
SHA5126e0d2270c147016f5c3abf55b3460323df317e55448d72e39935182afd98fb7644e207738b675e7ea0702837410705c0640f4c8a4d1dbed1106e17ec1b5534a1
-
Filesize
305KB
MD5c6912b9c2612d5d023ae2a5d9b7c931f
SHA161d960e5f4bcc86a8a4b2e4b0128c66af104ef67
SHA256b00f25287c3926a4daba7e15ca4216401347244e9635785973e4faaa5053ab6c
SHA5126e0d2270c147016f5c3abf55b3460323df317e55448d72e39935182afd98fb7644e207738b675e7ea0702837410705c0640f4c8a4d1dbed1106e17ec1b5534a1
-
Filesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
Filesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
Filesize
823KB
MD53f6ee6e4420abf99de71289f74c55d0e
SHA1d97bc3954988e228f74e54a103ac16540f5609ef
SHA25678e8c6b9aca10f170e2460302e00e98dbeb717b7c1b810e6cb538c2b5b037e1f
SHA5128920f3dc52059777d09f72d2bbc287debeb31bdfcb02168428f3cc16cafa266e3c9181b7b70c4169356042d4a10ce93a2ed1e450756d2aa18afacb390d16c9d4
-
Filesize
823KB
MD53f6ee6e4420abf99de71289f74c55d0e
SHA1d97bc3954988e228f74e54a103ac16540f5609ef
SHA25678e8c6b9aca10f170e2460302e00e98dbeb717b7c1b810e6cb538c2b5b037e1f
SHA5128920f3dc52059777d09f72d2bbc287debeb31bdfcb02168428f3cc16cafa266e3c9181b7b70c4169356042d4a10ce93a2ed1e450756d2aa18afacb390d16c9d4
-
Filesize
347KB
MD5c7b3b2ebd3b11637b495ef56b68fbd91
SHA1defcba9b3e928ac2dfcca914d80de6382cea8b49
SHA25668246ea9f939fa3387e89c4173212fc815d8e5e1b31c2049b1858425c76dfb39
SHA512b91d0e6d6e9245e80fd7f0984e8d276a4c464a74bdddd7697f9fc6a8a36bf2692943665a8a40bc778594e5d695f01e82b6358f81531f1b4e7bf075bed95867ce
-
Filesize
347KB
MD5c7b3b2ebd3b11637b495ef56b68fbd91
SHA1defcba9b3e928ac2dfcca914d80de6382cea8b49
SHA25668246ea9f939fa3387e89c4173212fc815d8e5e1b31c2049b1858425c76dfb39
SHA512b91d0e6d6e9245e80fd7f0984e8d276a4c464a74bdddd7697f9fc6a8a36bf2692943665a8a40bc778594e5d695f01e82b6358f81531f1b4e7bf075bed95867ce
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
285KB
MD585bfde7597b782146cf905d946c1ebd9
SHA12e1896231b4e5fa8dea2aa60da6f2160dbfbe1fe
SHA256f955dba12257d277b13b157fc661cfbfcc8668f980d0fa4842ddf8721f4c597d
SHA512dffdd2e1095d67d4d8b2ef7c4026da0c76acf21cd3258b6f4007169deb7c4011ff9ab2674e0753699cf76c28ff36628cd9ad93a5c1796346f6056db855b3f6d3
-
Filesize
285KB
MD585bfde7597b782146cf905d946c1ebd9
SHA12e1896231b4e5fa8dea2aa60da6f2160dbfbe1fe
SHA256f955dba12257d277b13b157fc661cfbfcc8668f980d0fa4842ddf8721f4c597d
SHA512dffdd2e1095d67d4d8b2ef7c4026da0c76acf21cd3258b6f4007169deb7c4011ff9ab2674e0753699cf76c28ff36628cd9ad93a5c1796346f6056db855b3f6d3
-
Filesize
175KB
MD59796505f0e48281006d920d7c01dfe7b
SHA1409d6a3760f682cc6e10c4f63e16755081d1342e
SHA256acf7be67bc04fc3b5f30c386ad0425b3fdbd7350dee6f7ab8b200b2bd9509479
SHA512c0ab3a9eb70564d04500a0e53e429925afdf0268e015ec1ec515ed2e7c9416273be51c9f86cbf99fa1a5ccd6e6f6f5a62fadc6e256fd7a53295295e4008f5d72
-
Filesize
175KB
MD59796505f0e48281006d920d7c01dfe7b
SHA1409d6a3760f682cc6e10c4f63e16755081d1342e
SHA256acf7be67bc04fc3b5f30c386ad0425b3fdbd7350dee6f7ab8b200b2bd9509479
SHA512c0ab3a9eb70564d04500a0e53e429925afdf0268e015ec1ec515ed2e7c9416273be51c9f86cbf99fa1a5ccd6e6f6f5a62fadc6e256fd7a53295295e4008f5d72
-
Filesize
681KB
MD5a17645b0619c9cee206b9b5005938f62
SHA117dc77dbd22dda49435980ea64f16f50af712135
SHA2561ffdc86c5082859f407c64f0957cb96fc0f493d7965361576917b6b81ec06611
SHA512ecd8b7336e01de9fbfb530a7a9c52c667fe3cc80691e731e7d986ef0704649d1468417610ba74fc318cfac9bccaa75e16a89b2d0ea8fc4423c96601eedad53f5
-
Filesize
681KB
MD5a17645b0619c9cee206b9b5005938f62
SHA117dc77dbd22dda49435980ea64f16f50af712135
SHA2561ffdc86c5082859f407c64f0957cb96fc0f493d7965361576917b6b81ec06611
SHA512ecd8b7336e01de9fbfb530a7a9c52c667fe3cc80691e731e7d986ef0704649d1468417610ba74fc318cfac9bccaa75e16a89b2d0ea8fc4423c96601eedad53f5
-
Filesize
343KB
MD5b58a3c5b0cc5922dbd8cec1bf434f743
SHA11807b33a35f497e2ef919c921b609ee391a0e33a
SHA25612f3bdf0699561e14986911f14e79b63621511d1e13e9b922f9395714953f487
SHA512cea3f662e7cf35de07333e3dd95e4f5c011a8bb815c85d4898ef4ac3868f992ac37f466640b1bcc2b7f1891f225fb21054fe8fa8e310d883be029ae33bc91cb7
-
Filesize
343KB
MD5b58a3c5b0cc5922dbd8cec1bf434f743
SHA11807b33a35f497e2ef919c921b609ee391a0e33a
SHA25612f3bdf0699561e14986911f14e79b63621511d1e13e9b922f9395714953f487
SHA512cea3f662e7cf35de07333e3dd95e4f5c011a8bb815c85d4898ef4ac3868f992ac37f466640b1bcc2b7f1891f225fb21054fe8fa8e310d883be029ae33bc91cb7
-
Filesize
337KB
MD58cb92be8a236eb8f633e552aaa0f7e22
SHA11d174a28c35dc7b47ce83924e83b1e0099802265
SHA2563ad53ce31b9dadbd99fa7b714b29b80416e0ccd109d117476f4baba2cb70cf11
SHA512bea06f502bfaba18eff6a4d06bd91dfff1642c441d1320ec62a8e61ee03d78b5a4784186366ea5cc861b8b9ebb0a7245480c1c2e47378be87f6b3c1970f30c85
-
Filesize
337KB
MD58cb92be8a236eb8f633e552aaa0f7e22
SHA11d174a28c35dc7b47ce83924e83b1e0099802265
SHA2563ad53ce31b9dadbd99fa7b714b29b80416e0ccd109d117476f4baba2cb70cf11
SHA512bea06f502bfaba18eff6a4d06bd91dfff1642c441d1320ec62a8e61ee03d78b5a4784186366ea5cc861b8b9ebb0a7245480c1c2e47378be87f6b3c1970f30c85
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
285KB
MD5aeafc76d80a9302266a9f1b29c902301
SHA19b08310586c10f22439b66d8ce7ef536003c6b4e
SHA25614dfd877335d4eea9a0dbdbba765b6e8ce676a6f6ad3d837022cf5ccf1e00400
SHA5123da5535584a3753103e4b60864fe62e82f6bdd72ad3624dc43aa698a97f5eb54e5503304a284327ae3a1779b58d9863feeeb588564e706a3494ea06565eba6f6
-
Filesize
285KB
MD5aeafc76d80a9302266a9f1b29c902301
SHA19b08310586c10f22439b66d8ce7ef536003c6b4e
SHA25614dfd877335d4eea9a0dbdbba765b6e8ce676a6f6ad3d837022cf5ccf1e00400
SHA5123da5535584a3753103e4b60864fe62e82f6bdd72ad3624dc43aa698a97f5eb54e5503304a284327ae3a1779b58d9863feeeb588564e706a3494ea06565eba6f6