amadey | 592527d597a39914294b0d2f2ed4b029733291181b2998ecfa1aabcd85c56c26

Analysis

max time kernel
144s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-03-2023 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

592527d597a39914294b0d2f2ed4b029733291181b2998ecfa1aabcd85c56c26.exe
Size

1.2MB
MD5

76a6f2c2fe281bcc96d416366a8e6cbc
SHA1

780856cf98dceb11d81e6301a199e15b462c62b5
SHA256

592527d597a39914294b0d2f2ed4b029733291181b2998ecfa1aabcd85c56c26
SHA512

0424283e2b59c2ea4a73f61f3cfa0b941ce2c72c3c3b0384c4dd4c64cdfeec744719b16e92385cd34a5d54c191e82bd6ae7da5e7a4e7f424200fad194c9c52c2
SSDEEP

24576:ukcpCh/hx1VCKnXPGgP88lsB3UAQy2HrABIaJWQj+mFDT55+HnnL3H:ukcpCh71lPkB3UAZ2HUr4QjPRT54H

Score

10^/10

amadey redline laba mango discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

mango

193.233.20.28:4125

Attributes

auth_value
ecf79d7f5227d998a3501c972d915d23

Extracted

Family

redline

Botnet

laba

193.233.20.28:4125

Attributes

auth_value
2cf01cffff9092a85ca7e106c547190b

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

con2811.exebus7443.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	con2811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	con2811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	con2811.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus7443.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus7443.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus7443.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	con2811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	con2811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	con2811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus7443.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus7443.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus7443.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2112-216-0x0000000004960000-0x000000000499E000-memory.dmp	family_redline
behavioral1/memory/2112-215-0x0000000004960000-0x000000000499E000-memory.dmp	family_redline
behavioral1/memory/2112-218-0x0000000004960000-0x000000000499E000-memory.dmp	family_redline
behavioral1/memory/2112-220-0x0000000004960000-0x000000000499E000-memory.dmp	family_redline
behavioral1/memory/2112-222-0x0000000004960000-0x000000000499E000-memory.dmp	family_redline
behavioral1/memory/2112-224-0x0000000004960000-0x000000000499E000-memory.dmp	family_redline
behavioral1/memory/2112-226-0x0000000004960000-0x000000000499E000-memory.dmp	family_redline
behavioral1/memory/2112-228-0x0000000004960000-0x000000000499E000-memory.dmp	family_redline
behavioral1/memory/2112-230-0x0000000004960000-0x000000000499E000-memory.dmp	family_redline
behavioral1/memory/2112-232-0x0000000004960000-0x000000000499E000-memory.dmp	family_redline
behavioral1/memory/2112-235-0x0000000004960000-0x000000000499E000-memory.dmp	family_redline
behavioral1/memory/2112-239-0x0000000004960000-0x000000000499E000-memory.dmp	family_redline
behavioral1/memory/2112-242-0x0000000004960000-0x000000000499E000-memory.dmp	family_redline
behavioral1/memory/2112-244-0x0000000004960000-0x000000000499E000-memory.dmp	family_redline
behavioral1/memory/2112-246-0x0000000004960000-0x000000000499E000-memory.dmp	family_redline
behavioral1/memory/2112-248-0x0000000004960000-0x000000000499E000-memory.dmp	family_redline
behavioral1/memory/2112-250-0x0000000004960000-0x000000000499E000-memory.dmp	family_redline
behavioral1/memory/2112-1135-0x00000000072C0000-0x00000000072D0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge235550.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	ge235550.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 11 IoCs

Processes:

kino4981.exekino2751.exekino9261.exebus7443.execon2811.exedWa97s47.exeen903751.exege235550.exemetafor.exemetafor.exemetafor.exe

pid	process
1152	kino4981.exe
2008	kino2751.exe
3836	kino9261.exe
1436	bus7443.exe
1112	con2811.exe
2112	dWa97s47.exe
4228	en903751.exe
4728	ge235550.exe
3840	metafor.exe
3596	metafor.exe
2868	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

con2811.exebus7443.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	con2811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus7443.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	con2811.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

592527d597a39914294b0d2f2ed4b029733291181b2998ecfa1aabcd85c56c26.exekino4981.exekino2751.exekino9261.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	592527d597a39914294b0d2f2ed4b029733291181b2998ecfa1aabcd85c56c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	592527d597a39914294b0d2f2ed4b029733291181b2998ecfa1aabcd85c56c26.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino4981.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino4981.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino2751.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino2751.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino9261.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino9261.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4724	1112	WerFault.exe	con2811.exe
448	2112	WerFault.exe	dWa97s47.exe
3592	3800	WerFault.exe	592527d597a39914294b0d2f2ed4b029733291181b2998ecfa1aabcd85c56c26.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4496 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus7443.execon2811.exedWa97s47.exeen903751.exe

pid process

1436 bus7443.exe
1436 bus7443.exe
1112 con2811.exe
1112 con2811.exe
2112 dWa97s47.exe
2112 dWa97s47.exe
4228 en903751.exe
4228 en903751.exe

pid	process
4496	schtasks.exe

pid	process
1436	bus7443.exe
1436	bus7443.exe
1112	con2811.exe
1112	con2811.exe
2112	dWa97s47.exe
2112	dWa97s47.exe
4228	en903751.exe
4228	en903751.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus7443.execon2811.exedWa97s47.exeen903751.exe

description	pid	process
Token: SeDebugPrivilege	1436	bus7443.exe
Token: SeDebugPrivilege	1112	con2811.exe
Token: SeDebugPrivilege	2112	dWa97s47.exe
Token: SeDebugPrivilege	4228	en903751.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

592527d597a39914294b0d2f2ed4b029733291181b2998ecfa1aabcd85c56c26.exekino4981.exekino2751.exekino9261.exege235550.exemetafor.execmd.exe

description	pid	process	target process
PID 3800 wrote to memory of 1152	3800	592527d597a39914294b0d2f2ed4b029733291181b2998ecfa1aabcd85c56c26.exe	kino4981.exe
PID 3800 wrote to memory of 1152	3800	592527d597a39914294b0d2f2ed4b029733291181b2998ecfa1aabcd85c56c26.exe	kino4981.exe
PID 3800 wrote to memory of 1152	3800	592527d597a39914294b0d2f2ed4b029733291181b2998ecfa1aabcd85c56c26.exe	kino4981.exe
PID 1152 wrote to memory of 2008	1152	kino4981.exe	kino2751.exe
PID 1152 wrote to memory of 2008	1152	kino4981.exe	kino2751.exe
PID 1152 wrote to memory of 2008	1152	kino4981.exe	kino2751.exe
PID 2008 wrote to memory of 3836	2008	kino2751.exe	kino9261.exe
PID 2008 wrote to memory of 3836	2008	kino2751.exe	kino9261.exe
PID 2008 wrote to memory of 3836	2008	kino2751.exe	kino9261.exe
PID 3836 wrote to memory of 1436	3836	kino9261.exe	bus7443.exe
PID 3836 wrote to memory of 1436	3836	kino9261.exe	bus7443.exe
PID 3836 wrote to memory of 1112	3836	kino9261.exe	con2811.exe
PID 3836 wrote to memory of 1112	3836	kino9261.exe	con2811.exe
PID 3836 wrote to memory of 1112	3836	kino9261.exe	con2811.exe
PID 2008 wrote to memory of 2112	2008	kino2751.exe	dWa97s47.exe
PID 2008 wrote to memory of 2112	2008	kino2751.exe	dWa97s47.exe
PID 2008 wrote to memory of 2112	2008	kino2751.exe	dWa97s47.exe
PID 1152 wrote to memory of 4228	1152	kino4981.exe	en903751.exe
PID 1152 wrote to memory of 4228	1152	kino4981.exe	en903751.exe
PID 1152 wrote to memory of 4228	1152	kino4981.exe	en903751.exe
PID 3800 wrote to memory of 4728	3800	592527d597a39914294b0d2f2ed4b029733291181b2998ecfa1aabcd85c56c26.exe	ge235550.exe
PID 3800 wrote to memory of 4728	3800	592527d597a39914294b0d2f2ed4b029733291181b2998ecfa1aabcd85c56c26.exe	ge235550.exe
PID 3800 wrote to memory of 4728	3800	592527d597a39914294b0d2f2ed4b029733291181b2998ecfa1aabcd85c56c26.exe	ge235550.exe
PID 4728 wrote to memory of 3840	4728	ge235550.exe	metafor.exe
PID 4728 wrote to memory of 3840	4728	ge235550.exe	metafor.exe
PID 4728 wrote to memory of 3840	4728	ge235550.exe	metafor.exe
PID 3840 wrote to memory of 4496	3840	metafor.exe	schtasks.exe
PID 3840 wrote to memory of 4496	3840	metafor.exe	schtasks.exe
PID 3840 wrote to memory of 4496	3840	metafor.exe	schtasks.exe
PID 3840 wrote to memory of 1464	3840	metafor.exe	cmd.exe
PID 3840 wrote to memory of 1464	3840	metafor.exe	cmd.exe
PID 3840 wrote to memory of 1464	3840	metafor.exe	cmd.exe
PID 1464 wrote to memory of 3400	1464	cmd.exe	cmd.exe
PID 1464 wrote to memory of 3400	1464	cmd.exe	cmd.exe
PID 1464 wrote to memory of 3400	1464	cmd.exe	cmd.exe
PID 1464 wrote to memory of 4928	1464	cmd.exe	cacls.exe
PID 1464 wrote to memory of 4928	1464	cmd.exe	cacls.exe
PID 1464 wrote to memory of 4928	1464	cmd.exe	cacls.exe
PID 1464 wrote to memory of 3272	1464	cmd.exe	cacls.exe
PID 1464 wrote to memory of 3272	1464	cmd.exe	cacls.exe
PID 1464 wrote to memory of 3272	1464	cmd.exe	cacls.exe
PID 1464 wrote to memory of 4464	1464	cmd.exe	cmd.exe
PID 1464 wrote to memory of 4464	1464	cmd.exe	cmd.exe
PID 1464 wrote to memory of 4464	1464	cmd.exe	cmd.exe
PID 1464 wrote to memory of 772	1464	cmd.exe	cacls.exe
PID 1464 wrote to memory of 772	1464	cmd.exe	cacls.exe
PID 1464 wrote to memory of 772	1464	cmd.exe	cacls.exe
PID 1464 wrote to memory of 736	1464	cmd.exe	cacls.exe
PID 1464 wrote to memory of 736	1464	cmd.exe	cacls.exe
PID 1464 wrote to memory of 736	1464	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\592527d597a39914294b0d2f2ed4b029733291181b2998ecfa1aabcd85c56c26.exe
"C:\Users\Admin\AppData\Local\Temp\592527d597a39914294b0d2f2ed4b029733291181b2998ecfa1aabcd85c56c26.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3800

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino4981.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino4981.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2751.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2751.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9261.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9261.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3836

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7443.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7443.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2811.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2811.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1088
6⤵
- Program crash
PID:4724

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWa97s47.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWa97s47.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 1632
5⤵
- Program crash
PID:448

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en903751.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en903751.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge235550.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge235550.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:4496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3400

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:4928

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:3272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4464

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:772

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 496
2⤵
- Program crash
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1112 -ip 1112
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2112 -ip 2112
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3800 -ip 3800
1⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:3596

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:2868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge235550.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge235550.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino4981.exe
Filesize
844KB

MD5
5141c74fb0e966593d9f9ffedbac0b0a

SHA1
946a9eb50ba654837f75b601eeaa317183f20c2c

SHA256
8ec4f1f1f5caa93c49c291ce1f14e96c14f1e3a9e0204514ad004dcd6fed55fd

SHA512
29826a6c176b8004d0533b5cd75b663df71f9c6216d051e8f926b3daad650795622c20cd54797fdf595beca52bbeb6523884ae24543bb8e730b9ebc0b7093cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino4981.exe
Filesize
844KB

MD5
5141c74fb0e966593d9f9ffedbac0b0a

SHA1
946a9eb50ba654837f75b601eeaa317183f20c2c

SHA256
8ec4f1f1f5caa93c49c291ce1f14e96c14f1e3a9e0204514ad004dcd6fed55fd

SHA512
29826a6c176b8004d0533b5cd75b663df71f9c6216d051e8f926b3daad650795622c20cd54797fdf595beca52bbeb6523884ae24543bb8e730b9ebc0b7093cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en903751.exe
Filesize
175KB

MD5
478e884952392c14b85cca1a6a4f3e35

SHA1
f3475db1427fec3eedf583f1b7b0f839b27f8d74

SHA256
bc576bf5f9a72ebbfbc11e59b8e384a1923eca8ec6c5234313c37865f74b7413

SHA512
b3a1c504d2a108049a5ee193da2f1bcdd99d269e75f08199c3fccedc0de298996418421b5e48d5c0f582bf775087537ff8f83c341ed2c0cbbcf38e956bffebe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en903751.exe
Filesize
175KB

MD5
478e884952392c14b85cca1a6a4f3e35

SHA1
f3475db1427fec3eedf583f1b7b0f839b27f8d74

SHA256
bc576bf5f9a72ebbfbc11e59b8e384a1923eca8ec6c5234313c37865f74b7413

SHA512
b3a1c504d2a108049a5ee193da2f1bcdd99d269e75f08199c3fccedc0de298996418421b5e48d5c0f582bf775087537ff8f83c341ed2c0cbbcf38e956bffebe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2751.exe
Filesize
702KB

MD5
3c59b877d484dc8a12b5a96e78747f04

SHA1
0c49aaf2228f0281d657194fced2c56ad05b9e5a

SHA256
d1b9b8da47fc3dc59d9f44aa5f7c6ff3c14bd4bd4ccd27296ffb049299e7b7d3

SHA512
5452d444590111c684aca4147671370caa04a3c4cc29212e93594fa5a0483c43473c5da2ecdc47939e038de62ef35d21d0d6201bee91713d09505f8ba36aadc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2751.exe
Filesize
702KB

MD5
3c59b877d484dc8a12b5a96e78747f04

SHA1
0c49aaf2228f0281d657194fced2c56ad05b9e5a

SHA256
d1b9b8da47fc3dc59d9f44aa5f7c6ff3c14bd4bd4ccd27296ffb049299e7b7d3

SHA512
5452d444590111c684aca4147671370caa04a3c4cc29212e93594fa5a0483c43473c5da2ecdc47939e038de62ef35d21d0d6201bee91713d09505f8ba36aadc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWa97s47.exe
Filesize
395KB

MD5
e25387fb916a34d4affe07ade28d8455

SHA1
b5bb0ac2c95612be258c13f03718e33ac07f508a

SHA256
db9c125de03bc9f7a939cbed3d5b4c78a8b3cf58a1fb95c588a9b6644abcae80

SHA512
4fe8bedbb69141284d61a765023422d1a570f15a66144f03f5e3977839dd14dafaa7c9e05845acb56c385742ad46d1cf79792dc01fec40c88b201d9d5c2bd789

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWa97s47.exe
Filesize
395KB

MD5
e25387fb916a34d4affe07ade28d8455

SHA1
b5bb0ac2c95612be258c13f03718e33ac07f508a

SHA256
db9c125de03bc9f7a939cbed3d5b4c78a8b3cf58a1fb95c588a9b6644abcae80

SHA512
4fe8bedbb69141284d61a765023422d1a570f15a66144f03f5e3977839dd14dafaa7c9e05845acb56c385742ad46d1cf79792dc01fec40c88b201d9d5c2bd789

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9261.exe
Filesize
348KB

MD5
1efa83425eabab9a22fbe7729b0152ae

SHA1
819eb1db62529387bc29f5e06f665cea513cfe28

SHA256
0e22f456ec421185445bcea21c2f9c9be7b980dc99a98a33f65396b7c1b2bf90

SHA512
3bcc1baa1e85fe455be3511040e0588999f99d49d830327b56b5309a4c19aaf71631fb8457fb8eb9f55a4d91460273482b9d7936bcdef64e8493e1e2b0b0f5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9261.exe
Filesize
348KB

MD5
1efa83425eabab9a22fbe7729b0152ae

SHA1
819eb1db62529387bc29f5e06f665cea513cfe28

SHA256
0e22f456ec421185445bcea21c2f9c9be7b980dc99a98a33f65396b7c1b2bf90

SHA512
3bcc1baa1e85fe455be3511040e0588999f99d49d830327b56b5309a4c19aaf71631fb8457fb8eb9f55a4d91460273482b9d7936bcdef64e8493e1e2b0b0f5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7443.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7443.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2811.exe
Filesize
338KB

MD5
5cd6b1f2c41d7a661c6df2e1b21f36c4

SHA1
4e491407a4fa3cb2141ac1e53add2d2e6eaa87c7

SHA256
92fdfed7ca6e16c859119ff3f2cc57f05e1f2ce56593f9e77af55edbdfb2559e

SHA512
490ed23ef3b20e77e6fe3fc7963c1299770b4ebc0f9b9fba543faac27cbbe3ad64ec21687871b4ba0858ca07234193227f6c166703716633eedb7295c0e5ea6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2811.exe
Filesize
338KB

MD5
5cd6b1f2c41d7a661c6df2e1b21f36c4

SHA1
4e491407a4fa3cb2141ac1e53add2d2e6eaa87c7

SHA256
92fdfed7ca6e16c859119ff3f2cc57f05e1f2ce56593f9e77af55edbdfb2559e

SHA512
490ed23ef3b20e77e6fe3fc7963c1299770b4ebc0f9b9fba543faac27cbbe3ad64ec21687871b4ba0858ca07234193227f6c166703716633eedb7295c0e5ea6b

Download Submit
memory/1112-185-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/1112-207-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/1112-187-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/1112-189-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/1112-191-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/1112-193-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/1112-195-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/1112-197-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/1112-199-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/1112-201-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/1112-203-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/1112-205-0x0000000000400000-0x0000000002B05000-memory.dmp

Filesize
39.0MB

Download
memory/1112-206-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/1112-183-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/1112-208-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/1112-210-0x0000000000400000-0x0000000002B05000-memory.dmp

Filesize
39.0MB

Download
memory/1112-181-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/1112-179-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/1112-177-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/1112-176-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/1112-175-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/1112-174-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/1112-173-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/1112-172-0x0000000007300000-0x00000000078A4000-memory.dmp

Filesize
5.6MB

Download
memory/1112-171-0x0000000002BE0000-0x0000000002C0D000-memory.dmp

Filesize
180KB

Download
memory/1436-163-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/2112-224-0x0000000004960000-0x000000000499E000-memory.dmp

Filesize
248KB

Download
memory/2112-1136-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2112-234-0x0000000002B20000-0x0000000002B6B000-memory.dmp

Filesize
300KB

Download
memory/2112-235-0x0000000004960000-0x000000000499E000-memory.dmp

Filesize
248KB

Download
memory/2112-236-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2112-238-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2112-239-0x0000000004960000-0x000000000499E000-memory.dmp

Filesize
248KB

Download
memory/2112-240-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2112-242-0x0000000004960000-0x000000000499E000-memory.dmp

Filesize
248KB

Download
memory/2112-244-0x0000000004960000-0x000000000499E000-memory.dmp

Filesize
248KB

Download
memory/2112-246-0x0000000004960000-0x000000000499E000-memory.dmp

Filesize
248KB

Download
memory/2112-248-0x0000000004960000-0x000000000499E000-memory.dmp

Filesize
248KB

Download
memory/2112-250-0x0000000004960000-0x000000000499E000-memory.dmp

Filesize
248KB

Download
memory/2112-1126-0x0000000007980000-0x0000000007F98000-memory.dmp

Filesize
6.1MB

Download
memory/2112-1127-0x0000000007FA0000-0x00000000080AA000-memory.dmp

Filesize
1.0MB

Download
memory/2112-1128-0x0000000007250000-0x0000000007262000-memory.dmp

Filesize
72KB

Download
memory/2112-1129-0x0000000007270000-0x00000000072AC000-memory.dmp

Filesize
240KB

Download
memory/2112-1130-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2112-1132-0x0000000008350000-0x00000000083E2000-memory.dmp

Filesize
584KB

Download
memory/2112-1133-0x00000000083F0000-0x0000000008456000-memory.dmp

Filesize
408KB

Download
memory/2112-1135-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2112-232-0x0000000004960000-0x000000000499E000-memory.dmp

Filesize
248KB

Download
memory/2112-1137-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2112-1138-0x0000000008C50000-0x0000000008E12000-memory.dmp

Filesize
1.8MB

Download
memory/2112-1139-0x0000000008E30000-0x000000000935C000-memory.dmp

Filesize
5.2MB

Download
memory/2112-1140-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2112-1141-0x000000000A820000-0x000000000A896000-memory.dmp

Filesize
472KB

Download
memory/2112-1142-0x000000000A8A0000-0x000000000A8F0000-memory.dmp

Filesize
320KB

Download
memory/2112-230-0x0000000004960000-0x000000000499E000-memory.dmp

Filesize
248KB

Download
memory/2112-228-0x0000000004960000-0x000000000499E000-memory.dmp

Filesize
248KB

Download
memory/2112-216-0x0000000004960000-0x000000000499E000-memory.dmp

Filesize
248KB

Download
memory/2112-215-0x0000000004960000-0x000000000499E000-memory.dmp

Filesize
248KB

Download
memory/2112-218-0x0000000004960000-0x000000000499E000-memory.dmp

Filesize
248KB

Download
memory/2112-220-0x0000000004960000-0x000000000499E000-memory.dmp

Filesize
248KB

Download
memory/2112-226-0x0000000004960000-0x000000000499E000-memory.dmp

Filesize
248KB

Download
memory/2112-222-0x0000000004960000-0x000000000499E000-memory.dmp

Filesize
248KB

Download
memory/3800-165-0x0000000004B20000-0x0000000004C22000-memory.dmp

Filesize
1.0MB

Download
memory/3800-164-0x0000000000400000-0x0000000002BE2000-memory.dmp

Filesize
39.9MB

Download
memory/3800-134-0x0000000004B20000-0x0000000004C22000-memory.dmp

Filesize
1.0MB

Download
memory/4228-1149-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4228-1148-0x00000000002D0000-0x0000000000302000-memory.dmp

Filesize
200KB

Download