amadey | fe56ef4ff371aef9b64f9f459ed7f039b44d6c0af344deb3f0be26cbc7b825fd

Analysis

max time kernel
141s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2023 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09b098f27500ac1e91b8ed2ea0e4d1d844cdbbd23f5b00bc97b3d555a570c3c1.exe
Size

1.2MB
MD5

6177868d52d60dd6d7ecbcf27df92a83
SHA1

ba5ca1861d549c6aa83f3460d0f56856c9a35fc2
SHA256

09b098f27500ac1e91b8ed2ea0e4d1d844cdbbd23f5b00bc97b3d555a570c3c1
SHA512

0cca65ac33da4e1dea8e2d401f150768befea3775cb7b4c70939ebce4e79c0e2a6e4dc5b755e463b93322626207ba982362242c2b2a5dfb1a1d4a7bb60df8e16
SSDEEP

24576:ekcpCh/hx1VCKnXPGgP88lsB3UAQy2HrABIaJWQj+mFDT55+HnnL3H:ekcpCh71lPkB3UAZ2HUr4QjPRT54H

Score

10^/10

amadey redline laba mango discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

mango

193.233.20.28:4125

Attributes

auth_value
ecf79d7f5227d998a3501c972d915d23

Extracted

Family

redline

Botnet

laba

193.233.20.28:4125

Attributes

auth_value
2cf01cffff9092a85ca7e106c547190b

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

con2811.exebus7443.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	con2811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	con2811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	con2811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus7443.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus7443.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus7443.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	con2811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	con2811.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus7443.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus7443.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus7443.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	con2811.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1800-215-0x0000000007110000-0x000000000714E000-memory.dmp	family_redline
behavioral2/memory/1800-216-0x0000000007110000-0x000000000714E000-memory.dmp	family_redline
behavioral2/memory/1800-218-0x0000000007110000-0x000000000714E000-memory.dmp	family_redline
behavioral2/memory/1800-220-0x0000000007110000-0x000000000714E000-memory.dmp	family_redline
behavioral2/memory/1800-222-0x0000000007110000-0x000000000714E000-memory.dmp	family_redline
behavioral2/memory/1800-224-0x0000000007110000-0x000000000714E000-memory.dmp	family_redline
behavioral2/memory/1800-226-0x0000000007110000-0x000000000714E000-memory.dmp	family_redline
behavioral2/memory/1800-228-0x0000000007110000-0x000000000714E000-memory.dmp	family_redline
behavioral2/memory/1800-230-0x0000000007110000-0x000000000714E000-memory.dmp	family_redline
behavioral2/memory/1800-232-0x0000000007110000-0x000000000714E000-memory.dmp	family_redline
behavioral2/memory/1800-234-0x0000000007110000-0x000000000714E000-memory.dmp	family_redline
behavioral2/memory/1800-236-0x0000000007110000-0x000000000714E000-memory.dmp	family_redline
behavioral2/memory/1800-238-0x0000000007110000-0x000000000714E000-memory.dmp	family_redline
behavioral2/memory/1800-240-0x0000000007110000-0x000000000714E000-memory.dmp	family_redline
behavioral2/memory/1800-242-0x0000000007110000-0x000000000714E000-memory.dmp	family_redline
behavioral2/memory/1800-244-0x0000000007110000-0x000000000714E000-memory.dmp	family_redline
behavioral2/memory/1800-247-0x0000000007230000-0x0000000007240000-memory.dmp	family_redline
behavioral2/memory/1800-249-0x0000000007110000-0x000000000714E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge235550.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	ge235550.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 11 IoCs

Processes:

kino4981.exekino2751.exekino9261.exebus7443.execon2811.exedWa97s47.exeen903751.exege235550.exemetafor.exemetafor.exemetafor.exe

pid	process
368	kino4981.exe
4196	kino2751.exe
60	kino9261.exe
4040	bus7443.exe
4908	con2811.exe
1800	dWa97s47.exe
4992	en903751.exe
1652	ge235550.exe
2104	metafor.exe
2152	metafor.exe
4624	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus7443.execon2811.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus7443.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	con2811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	con2811.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino2751.exekino9261.exe09b098f27500ac1e91b8ed2ea0e4d1d844cdbbd23f5b00bc97b3d555a570c3c1.exekino4981.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino2751.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino9261.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino9261.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	09b098f27500ac1e91b8ed2ea0e4d1d844cdbbd23f5b00bc97b3d555a570c3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	09b098f27500ac1e91b8ed2ea0e4d1d844cdbbd23f5b00bc97b3d555a570c3c1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino4981.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino4981.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino2751.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2828	4908	WerFault.exe	con2811.exe
1540	1800	WerFault.exe	dWa97s47.exe
4028	2636	WerFault.exe	09b098f27500ac1e91b8ed2ea0e4d1d844cdbbd23f5b00bc97b3d555a570c3c1.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

116 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus7443.execon2811.exedWa97s47.exeen903751.exe

pid process

4040 bus7443.exe
4040 bus7443.exe
4908 con2811.exe
4908 con2811.exe
1800 dWa97s47.exe
1800 dWa97s47.exe
4992 en903751.exe
4992 en903751.exe

pid	process
116	schtasks.exe

pid	process
4040	bus7443.exe
4040	bus7443.exe
4908	con2811.exe
4908	con2811.exe
1800	dWa97s47.exe
1800	dWa97s47.exe
4992	en903751.exe
4992	en903751.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus7443.execon2811.exedWa97s47.exeen903751.exe

description	pid	process
Token: SeDebugPrivilege	4040	bus7443.exe
Token: SeDebugPrivilege	4908	con2811.exe
Token: SeDebugPrivilege	1800	dWa97s47.exe
Token: SeDebugPrivilege	4992	en903751.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

09b098f27500ac1e91b8ed2ea0e4d1d844cdbbd23f5b00bc97b3d555a570c3c1.exekino4981.exekino2751.exekino9261.exege235550.exemetafor.execmd.exe

description	pid	process	target process
PID 2636 wrote to memory of 368	2636	09b098f27500ac1e91b8ed2ea0e4d1d844cdbbd23f5b00bc97b3d555a570c3c1.exe	kino4981.exe
PID 2636 wrote to memory of 368	2636	09b098f27500ac1e91b8ed2ea0e4d1d844cdbbd23f5b00bc97b3d555a570c3c1.exe	kino4981.exe
PID 2636 wrote to memory of 368	2636	09b098f27500ac1e91b8ed2ea0e4d1d844cdbbd23f5b00bc97b3d555a570c3c1.exe	kino4981.exe
PID 368 wrote to memory of 4196	368	kino4981.exe	kino2751.exe
PID 368 wrote to memory of 4196	368	kino4981.exe	kino2751.exe
PID 368 wrote to memory of 4196	368	kino4981.exe	kino2751.exe
PID 4196 wrote to memory of 60	4196	kino2751.exe	kino9261.exe
PID 4196 wrote to memory of 60	4196	kino2751.exe	kino9261.exe
PID 4196 wrote to memory of 60	4196	kino2751.exe	kino9261.exe
PID 60 wrote to memory of 4040	60	kino9261.exe	bus7443.exe
PID 60 wrote to memory of 4040	60	kino9261.exe	bus7443.exe
PID 60 wrote to memory of 4908	60	kino9261.exe	con2811.exe
PID 60 wrote to memory of 4908	60	kino9261.exe	con2811.exe
PID 60 wrote to memory of 4908	60	kino9261.exe	con2811.exe
PID 4196 wrote to memory of 1800	4196	kino2751.exe	dWa97s47.exe
PID 4196 wrote to memory of 1800	4196	kino2751.exe	dWa97s47.exe
PID 4196 wrote to memory of 1800	4196	kino2751.exe	dWa97s47.exe
PID 368 wrote to memory of 4992	368	kino4981.exe	en903751.exe
PID 368 wrote to memory of 4992	368	kino4981.exe	en903751.exe
PID 368 wrote to memory of 4992	368	kino4981.exe	en903751.exe
PID 2636 wrote to memory of 1652	2636	09b098f27500ac1e91b8ed2ea0e4d1d844cdbbd23f5b00bc97b3d555a570c3c1.exe	ge235550.exe
PID 2636 wrote to memory of 1652	2636	09b098f27500ac1e91b8ed2ea0e4d1d844cdbbd23f5b00bc97b3d555a570c3c1.exe	ge235550.exe
PID 2636 wrote to memory of 1652	2636	09b098f27500ac1e91b8ed2ea0e4d1d844cdbbd23f5b00bc97b3d555a570c3c1.exe	ge235550.exe
PID 1652 wrote to memory of 2104	1652	ge235550.exe	metafor.exe
PID 1652 wrote to memory of 2104	1652	ge235550.exe	metafor.exe
PID 1652 wrote to memory of 2104	1652	ge235550.exe	metafor.exe
PID 2104 wrote to memory of 116	2104	metafor.exe	schtasks.exe
PID 2104 wrote to memory of 116	2104	metafor.exe	schtasks.exe
PID 2104 wrote to memory of 116	2104	metafor.exe	schtasks.exe
PID 2104 wrote to memory of 2360	2104	metafor.exe	cmd.exe
PID 2104 wrote to memory of 2360	2104	metafor.exe	cmd.exe
PID 2104 wrote to memory of 2360	2104	metafor.exe	cmd.exe
PID 2360 wrote to memory of 3484	2360	cmd.exe	cmd.exe
PID 2360 wrote to memory of 3484	2360	cmd.exe	cmd.exe
PID 2360 wrote to memory of 3484	2360	cmd.exe	cmd.exe
PID 2360 wrote to memory of 1552	2360	cmd.exe	cacls.exe
PID 2360 wrote to memory of 1552	2360	cmd.exe	cacls.exe
PID 2360 wrote to memory of 1552	2360	cmd.exe	cacls.exe
PID 2360 wrote to memory of 2844	2360	cmd.exe	cacls.exe
PID 2360 wrote to memory of 2844	2360	cmd.exe	cacls.exe
PID 2360 wrote to memory of 2844	2360	cmd.exe	cacls.exe
PID 2360 wrote to memory of 2076	2360	cmd.exe	cmd.exe
PID 2360 wrote to memory of 2076	2360	cmd.exe	cmd.exe
PID 2360 wrote to memory of 2076	2360	cmd.exe	cmd.exe
PID 2360 wrote to memory of 2996	2360	cmd.exe	cacls.exe
PID 2360 wrote to memory of 2996	2360	cmd.exe	cacls.exe
PID 2360 wrote to memory of 2996	2360	cmd.exe	cacls.exe
PID 2360 wrote to memory of 2692	2360	cmd.exe	cacls.exe
PID 2360 wrote to memory of 2692	2360	cmd.exe	cacls.exe
PID 2360 wrote to memory of 2692	2360	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\09b098f27500ac1e91b8ed2ea0e4d1d844cdbbd23f5b00bc97b3d555a570c3c1.exe
"C:\Users\Admin\AppData\Local\Temp\09b098f27500ac1e91b8ed2ea0e4d1d844cdbbd23f5b00bc97b3d555a570c3c1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino4981.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino4981.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:368

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2751.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2751.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4196

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9261.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9261.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:60

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7443.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7443.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2811.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2811.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1080
6⤵
- Program crash
PID:2828

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWa97s47.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWa97s47.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1324
5⤵
- Program crash
PID:1540

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en903751.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en903751.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge235550.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge235550.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3484

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:1552

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2076

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:2996

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 480
2⤵
- Program crash
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4908 -ip 4908
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1800 -ip 1800
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2636 -ip 2636
1⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:2152

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:4624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge235550.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge235550.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino4981.exe
Filesize
844KB

MD5
5141c74fb0e966593d9f9ffedbac0b0a

SHA1
946a9eb50ba654837f75b601eeaa317183f20c2c

SHA256
8ec4f1f1f5caa93c49c291ce1f14e96c14f1e3a9e0204514ad004dcd6fed55fd

SHA512
29826a6c176b8004d0533b5cd75b663df71f9c6216d051e8f926b3daad650795622c20cd54797fdf595beca52bbeb6523884ae24543bb8e730b9ebc0b7093cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino4981.exe
Filesize
844KB

MD5
5141c74fb0e966593d9f9ffedbac0b0a

SHA1
946a9eb50ba654837f75b601eeaa317183f20c2c

SHA256
8ec4f1f1f5caa93c49c291ce1f14e96c14f1e3a9e0204514ad004dcd6fed55fd

SHA512
29826a6c176b8004d0533b5cd75b663df71f9c6216d051e8f926b3daad650795622c20cd54797fdf595beca52bbeb6523884ae24543bb8e730b9ebc0b7093cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en903751.exe
Filesize
175KB

MD5
478e884952392c14b85cca1a6a4f3e35

SHA1
f3475db1427fec3eedf583f1b7b0f839b27f8d74

SHA256
bc576bf5f9a72ebbfbc11e59b8e384a1923eca8ec6c5234313c37865f74b7413

SHA512
b3a1c504d2a108049a5ee193da2f1bcdd99d269e75f08199c3fccedc0de298996418421b5e48d5c0f582bf775087537ff8f83c341ed2c0cbbcf38e956bffebe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en903751.exe
Filesize
175KB

MD5
478e884952392c14b85cca1a6a4f3e35

SHA1
f3475db1427fec3eedf583f1b7b0f839b27f8d74

SHA256
bc576bf5f9a72ebbfbc11e59b8e384a1923eca8ec6c5234313c37865f74b7413

SHA512
b3a1c504d2a108049a5ee193da2f1bcdd99d269e75f08199c3fccedc0de298996418421b5e48d5c0f582bf775087537ff8f83c341ed2c0cbbcf38e956bffebe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2751.exe
Filesize
702KB

MD5
3c59b877d484dc8a12b5a96e78747f04

SHA1
0c49aaf2228f0281d657194fced2c56ad05b9e5a

SHA256
d1b9b8da47fc3dc59d9f44aa5f7c6ff3c14bd4bd4ccd27296ffb049299e7b7d3

SHA512
5452d444590111c684aca4147671370caa04a3c4cc29212e93594fa5a0483c43473c5da2ecdc47939e038de62ef35d21d0d6201bee91713d09505f8ba36aadc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2751.exe
Filesize
702KB

MD5
3c59b877d484dc8a12b5a96e78747f04

SHA1
0c49aaf2228f0281d657194fced2c56ad05b9e5a

SHA256
d1b9b8da47fc3dc59d9f44aa5f7c6ff3c14bd4bd4ccd27296ffb049299e7b7d3

SHA512
5452d444590111c684aca4147671370caa04a3c4cc29212e93594fa5a0483c43473c5da2ecdc47939e038de62ef35d21d0d6201bee91713d09505f8ba36aadc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWa97s47.exe
Filesize
395KB

MD5
e25387fb916a34d4affe07ade28d8455

SHA1
b5bb0ac2c95612be258c13f03718e33ac07f508a

SHA256
db9c125de03bc9f7a939cbed3d5b4c78a8b3cf58a1fb95c588a9b6644abcae80

SHA512
4fe8bedbb69141284d61a765023422d1a570f15a66144f03f5e3977839dd14dafaa7c9e05845acb56c385742ad46d1cf79792dc01fec40c88b201d9d5c2bd789

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWa97s47.exe
Filesize
395KB

MD5
e25387fb916a34d4affe07ade28d8455

SHA1
b5bb0ac2c95612be258c13f03718e33ac07f508a

SHA256
db9c125de03bc9f7a939cbed3d5b4c78a8b3cf58a1fb95c588a9b6644abcae80

SHA512
4fe8bedbb69141284d61a765023422d1a570f15a66144f03f5e3977839dd14dafaa7c9e05845acb56c385742ad46d1cf79792dc01fec40c88b201d9d5c2bd789

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9261.exe
Filesize
348KB

MD5
1efa83425eabab9a22fbe7729b0152ae

SHA1
819eb1db62529387bc29f5e06f665cea513cfe28

SHA256
0e22f456ec421185445bcea21c2f9c9be7b980dc99a98a33f65396b7c1b2bf90

SHA512
3bcc1baa1e85fe455be3511040e0588999f99d49d830327b56b5309a4c19aaf71631fb8457fb8eb9f55a4d91460273482b9d7936bcdef64e8493e1e2b0b0f5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9261.exe
Filesize
348KB

MD5
1efa83425eabab9a22fbe7729b0152ae

SHA1
819eb1db62529387bc29f5e06f665cea513cfe28

SHA256
0e22f456ec421185445bcea21c2f9c9be7b980dc99a98a33f65396b7c1b2bf90

SHA512
3bcc1baa1e85fe455be3511040e0588999f99d49d830327b56b5309a4c19aaf71631fb8457fb8eb9f55a4d91460273482b9d7936bcdef64e8493e1e2b0b0f5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7443.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7443.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2811.exe
Filesize
338KB

MD5
5cd6b1f2c41d7a661c6df2e1b21f36c4

SHA1
4e491407a4fa3cb2141ac1e53add2d2e6eaa87c7

SHA256
92fdfed7ca6e16c859119ff3f2cc57f05e1f2ce56593f9e77af55edbdfb2559e

SHA512
490ed23ef3b20e77e6fe3fc7963c1299770b4ebc0f9b9fba543faac27cbbe3ad64ec21687871b4ba0858ca07234193227f6c166703716633eedb7295c0e5ea6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2811.exe
Filesize
338KB

MD5
5cd6b1f2c41d7a661c6df2e1b21f36c4

SHA1
4e491407a4fa3cb2141ac1e53add2d2e6eaa87c7

SHA256
92fdfed7ca6e16c859119ff3f2cc57f05e1f2ce56593f9e77af55edbdfb2559e

SHA512
490ed23ef3b20e77e6fe3fc7963c1299770b4ebc0f9b9fba543faac27cbbe3ad64ec21687871b4ba0858ca07234193227f6c166703716633eedb7295c0e5ea6b

Download Submit
memory/1800-1127-0x0000000007210000-0x0000000007222000-memory.dmp

Filesize
72KB

Download
memory/1800-1135-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/1800-1142-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/1800-1140-0x0000000008DD0000-0x00000000092FC000-memory.dmp

Filesize
5.2MB

Download
memory/1800-1139-0x0000000008C00000-0x0000000008DC2000-memory.dmp

Filesize
1.8MB

Download
memory/1800-1137-0x0000000008B80000-0x0000000008BD0000-memory.dmp

Filesize
320KB

Download
memory/1800-1136-0x0000000008AF0000-0x0000000008B66000-memory.dmp

Filesize
472KB

Download
memory/1800-1134-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/1800-1133-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/1800-1132-0x00000000082B0000-0x0000000008316000-memory.dmp

Filesize
408KB

Download
memory/1800-1131-0x0000000008210000-0x00000000082A2000-memory.dmp

Filesize
584KB

Download
memory/1800-1129-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/1800-1128-0x0000000007F20000-0x0000000007F5C000-memory.dmp

Filesize
240KB

Download
memory/1800-1126-0x0000000007E10000-0x0000000007F1A000-memory.dmp

Filesize
1.0MB

Download
memory/1800-1125-0x00000000077F0000-0x0000000007E08000-memory.dmp

Filesize
6.1MB

Download
memory/1800-248-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/1800-249-0x0000000007110000-0x000000000714E000-memory.dmp

Filesize
248KB

Download
memory/1800-245-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/1800-247-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/1800-214-0x0000000002BF0000-0x0000000002C3B000-memory.dmp

Filesize
300KB

Download
memory/1800-215-0x0000000007110000-0x000000000714E000-memory.dmp

Filesize
248KB

Download
memory/1800-216-0x0000000007110000-0x000000000714E000-memory.dmp

Filesize
248KB

Download
memory/1800-218-0x0000000007110000-0x000000000714E000-memory.dmp

Filesize
248KB

Download
memory/1800-220-0x0000000007110000-0x000000000714E000-memory.dmp

Filesize
248KB

Download
memory/1800-222-0x0000000007110000-0x000000000714E000-memory.dmp

Filesize
248KB

Download
memory/1800-224-0x0000000007110000-0x000000000714E000-memory.dmp

Filesize
248KB

Download
memory/1800-226-0x0000000007110000-0x000000000714E000-memory.dmp

Filesize
248KB

Download
memory/1800-228-0x0000000007110000-0x000000000714E000-memory.dmp

Filesize
248KB

Download
memory/1800-230-0x0000000007110000-0x000000000714E000-memory.dmp

Filesize
248KB

Download
memory/1800-232-0x0000000007110000-0x000000000714E000-memory.dmp

Filesize
248KB

Download
memory/1800-234-0x0000000007110000-0x000000000714E000-memory.dmp

Filesize
248KB

Download
memory/1800-236-0x0000000007110000-0x000000000714E000-memory.dmp

Filesize
248KB

Download
memory/1800-238-0x0000000007110000-0x000000000714E000-memory.dmp

Filesize
248KB

Download
memory/1800-240-0x0000000007110000-0x000000000714E000-memory.dmp

Filesize
248KB

Download
memory/1800-242-0x0000000007110000-0x000000000714E000-memory.dmp

Filesize
248KB

Download
memory/1800-244-0x0000000007110000-0x000000000714E000-memory.dmp

Filesize
248KB

Download
memory/2636-134-0x0000000004B20000-0x0000000004C22000-memory.dmp

Filesize
1.0MB

Download
memory/2636-164-0x0000000000400000-0x0000000002BE2000-memory.dmp

Filesize
39.9MB

Download
memory/2636-165-0x0000000004B20000-0x0000000004C22000-memory.dmp

Filesize
1.0MB

Download
memory/4040-163-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download
memory/4908-192-0x0000000007070000-0x0000000007082000-memory.dmp

Filesize
72KB

Download
memory/4908-186-0x0000000007070000-0x0000000007082000-memory.dmp

Filesize
72KB

Download
memory/4908-206-0x0000000007170000-0x0000000007180000-memory.dmp

Filesize
64KB

Download
memory/4908-204-0x0000000000400000-0x0000000002B05000-memory.dmp

Filesize
39.0MB

Download
memory/4908-202-0x0000000007070000-0x0000000007082000-memory.dmp

Filesize
72KB

Download
memory/4908-200-0x0000000007070000-0x0000000007082000-memory.dmp

Filesize
72KB

Download
memory/4908-198-0x0000000007070000-0x0000000007082000-memory.dmp

Filesize
72KB

Download
memory/4908-196-0x0000000007070000-0x0000000007082000-memory.dmp

Filesize
72KB

Download
memory/4908-194-0x0000000007070000-0x0000000007082000-memory.dmp

Filesize
72KB

Download
memory/4908-184-0x0000000007070000-0x0000000007082000-memory.dmp

Filesize
72KB

Download
memory/4908-178-0x0000000007070000-0x0000000007082000-memory.dmp

Filesize
72KB

Download
memory/4908-190-0x0000000007070000-0x0000000007082000-memory.dmp

Filesize
72KB

Download
memory/4908-188-0x0000000007070000-0x0000000007082000-memory.dmp

Filesize
72KB

Download
memory/4908-205-0x0000000007170000-0x0000000007180000-memory.dmp

Filesize
64KB

Download
memory/4908-182-0x0000000007070000-0x0000000007082000-memory.dmp

Filesize
72KB

Download
memory/4908-176-0x0000000007070000-0x0000000007082000-memory.dmp

Filesize
72KB

Download
memory/4908-175-0x0000000007070000-0x0000000007082000-memory.dmp

Filesize
72KB

Download
memory/4908-180-0x0000000007070000-0x0000000007082000-memory.dmp

Filesize
72KB

Download
memory/4908-209-0x0000000000400000-0x0000000002B05000-memory.dmp

Filesize
39.0MB

Download
memory/4908-174-0x0000000007180000-0x0000000007724000-memory.dmp

Filesize
5.6MB

Download
memory/4908-173-0x0000000007170000-0x0000000007180000-memory.dmp

Filesize
64KB

Download
memory/4908-172-0x0000000007170000-0x0000000007180000-memory.dmp

Filesize
64KB

Download
memory/4908-171-0x0000000002BE0000-0x0000000002C0D000-memory.dmp

Filesize
180KB

Download
memory/4908-207-0x0000000007170000-0x0000000007180000-memory.dmp

Filesize
64KB

Download
memory/4992-1148-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/4992-1147-0x0000000000EA0000-0x0000000000ED2000-memory.dmp

Filesize
200KB

Download