amadey | 9333e2b50bdb21203a138b74d2acc38ba2d2e4e66741b2934baf8ba5e39beb9f

Analysis

max time kernel
93s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2023 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9333e2b50bdb21203a138b74d2acc38ba2d2e4e66741b2934baf8ba5e39beb9f.exe
Size

1019KB
MD5

6ecbd11706ff001ae93d8d067d94f23a
SHA1

ee2b6a70e1b0712711251a44aea7ab835970ff31
SHA256

9333e2b50bdb21203a138b74d2acc38ba2d2e4e66741b2934baf8ba5e39beb9f
SHA512

4e48b2002172edbf494ec3d50177f96743d30131b6b25946d5e9d2721b53146c42fa9d8432f80b97c782e3e4cb70acc5e60bf7744e65fd0b50deccffaf76f57e
SSDEEP

24576:hy+Zo9Dfj6FPkFOiIKkHn0DhMgfsFBG4MkJ:U+ZKvDAiqn0Dh2zG4

Score

10^/10

amadey redline down trap discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

trap

193.233.20.30:4125

Attributes

auth_value
b39a737e2e9eba88e48ab88d1061be9c

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bus6326.execor7974.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus6326.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus6326.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus6326.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor7974.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor7974.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus6326.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus6326.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus6326.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor7974.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor7974.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor7974.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor7974.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3692-210-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/3692-211-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/3692-213-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/3692-215-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/3692-218-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/3692-222-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/3692-224-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/3692-226-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/3692-228-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/3692-230-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/3692-232-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/3692-234-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/3692-236-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/3692-238-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/3692-240-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/3692-242-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/3692-244-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline
behavioral1/memory/3692-246-0x00000000026D0000-0x000000000270E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge112350.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	ge112350.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 10 IoCs

Processes:

kino9924.exekino3632.exekino0765.exebus6326.execor7974.exedMv58s54.exeen897736.exege112350.exemetafor.exemetafor.exe

pid	process
4564	kino9924.exe
1392	kino3632.exe
1828	kino0765.exe
2360	bus6326.exe
4828	cor7974.exe
3692	dMv58s54.exe
3616	en897736.exe
5072	ge112350.exe
1828	metafor.exe
556	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus6326.execor7974.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus6326.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor7974.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor7974.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino3632.exekino0765.exe9333e2b50bdb21203a138b74d2acc38ba2d2e4e66741b2934baf8ba5e39beb9f.exekino9924.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino3632.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino0765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino0765.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9333e2b50bdb21203a138b74d2acc38ba2d2e4e66741b2934baf8ba5e39beb9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9333e2b50bdb21203a138b74d2acc38ba2d2e4e66741b2934baf8ba5e39beb9f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino9924.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino9924.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino3632.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4364 4828 WerFault.exe cor7974.exe
1952 3692 WerFault.exe dMv58s54.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4452 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus6326.execor7974.exedMv58s54.exeen897736.exe

pid process

2360 bus6326.exe
2360 bus6326.exe
4828 cor7974.exe
4828 cor7974.exe
3692 dMv58s54.exe
3692 dMv58s54.exe
3616 en897736.exe
3616 en897736.exe

pid	pid_target	process	target process
4364	4828	WerFault.exe	cor7974.exe
1952	3692	WerFault.exe	dMv58s54.exe

pid	process
4452	schtasks.exe

pid	process
2360	bus6326.exe
2360	bus6326.exe
4828	cor7974.exe
4828	cor7974.exe
3692	dMv58s54.exe
3692	dMv58s54.exe
3616	en897736.exe
3616	en897736.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus6326.execor7974.exedMv58s54.exeen897736.exe

description	pid	process
Token: SeDebugPrivilege	2360	bus6326.exe
Token: SeDebugPrivilege	4828	cor7974.exe
Token: SeDebugPrivilege	3692	dMv58s54.exe
Token: SeDebugPrivilege	3616	en897736.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

9333e2b50bdb21203a138b74d2acc38ba2d2e4e66741b2934baf8ba5e39beb9f.exekino9924.exekino3632.exekino0765.exege112350.exemetafor.execmd.exe

description	pid	process	target process
PID 3976 wrote to memory of 4564	3976	9333e2b50bdb21203a138b74d2acc38ba2d2e4e66741b2934baf8ba5e39beb9f.exe	kino9924.exe
PID 3976 wrote to memory of 4564	3976	9333e2b50bdb21203a138b74d2acc38ba2d2e4e66741b2934baf8ba5e39beb9f.exe	kino9924.exe
PID 3976 wrote to memory of 4564	3976	9333e2b50bdb21203a138b74d2acc38ba2d2e4e66741b2934baf8ba5e39beb9f.exe	kino9924.exe
PID 4564 wrote to memory of 1392	4564	kino9924.exe	kino3632.exe
PID 4564 wrote to memory of 1392	4564	kino9924.exe	kino3632.exe
PID 4564 wrote to memory of 1392	4564	kino9924.exe	kino3632.exe
PID 1392 wrote to memory of 1828	1392	kino3632.exe	kino0765.exe
PID 1392 wrote to memory of 1828	1392	kino3632.exe	kino0765.exe
PID 1392 wrote to memory of 1828	1392	kino3632.exe	kino0765.exe
PID 1828 wrote to memory of 2360	1828	kino0765.exe	bus6326.exe
PID 1828 wrote to memory of 2360	1828	kino0765.exe	bus6326.exe
PID 1828 wrote to memory of 4828	1828	kino0765.exe	cor7974.exe
PID 1828 wrote to memory of 4828	1828	kino0765.exe	cor7974.exe
PID 1828 wrote to memory of 4828	1828	kino0765.exe	cor7974.exe
PID 1392 wrote to memory of 3692	1392	kino3632.exe	dMv58s54.exe
PID 1392 wrote to memory of 3692	1392	kino3632.exe	dMv58s54.exe
PID 1392 wrote to memory of 3692	1392	kino3632.exe	dMv58s54.exe
PID 4564 wrote to memory of 3616	4564	kino9924.exe	en897736.exe
PID 4564 wrote to memory of 3616	4564	kino9924.exe	en897736.exe
PID 4564 wrote to memory of 3616	4564	kino9924.exe	en897736.exe
PID 3976 wrote to memory of 5072	3976	9333e2b50bdb21203a138b74d2acc38ba2d2e4e66741b2934baf8ba5e39beb9f.exe	ge112350.exe
PID 3976 wrote to memory of 5072	3976	9333e2b50bdb21203a138b74d2acc38ba2d2e4e66741b2934baf8ba5e39beb9f.exe	ge112350.exe
PID 3976 wrote to memory of 5072	3976	9333e2b50bdb21203a138b74d2acc38ba2d2e4e66741b2934baf8ba5e39beb9f.exe	ge112350.exe
PID 5072 wrote to memory of 1828	5072	ge112350.exe	metafor.exe
PID 5072 wrote to memory of 1828	5072	ge112350.exe	metafor.exe
PID 5072 wrote to memory of 1828	5072	ge112350.exe	metafor.exe
PID 1828 wrote to memory of 4452	1828	metafor.exe	schtasks.exe
PID 1828 wrote to memory of 4452	1828	metafor.exe	schtasks.exe
PID 1828 wrote to memory of 4452	1828	metafor.exe	schtasks.exe
PID 1828 wrote to memory of 1352	1828	metafor.exe	cmd.exe
PID 1828 wrote to memory of 1352	1828	metafor.exe	cmd.exe
PID 1828 wrote to memory of 1352	1828	metafor.exe	cmd.exe
PID 1352 wrote to memory of 2344	1352	cmd.exe	cmd.exe
PID 1352 wrote to memory of 2344	1352	cmd.exe	cmd.exe
PID 1352 wrote to memory of 2344	1352	cmd.exe	cmd.exe
PID 1352 wrote to memory of 2780	1352	cmd.exe	cacls.exe
PID 1352 wrote to memory of 2780	1352	cmd.exe	cacls.exe
PID 1352 wrote to memory of 2780	1352	cmd.exe	cacls.exe
PID 1352 wrote to memory of 2756	1352	cmd.exe	cacls.exe
PID 1352 wrote to memory of 2756	1352	cmd.exe	cacls.exe
PID 1352 wrote to memory of 2756	1352	cmd.exe	cacls.exe
PID 1352 wrote to memory of 4932	1352	cmd.exe	cmd.exe
PID 1352 wrote to memory of 4932	1352	cmd.exe	cmd.exe
PID 1352 wrote to memory of 4932	1352	cmd.exe	cmd.exe
PID 1352 wrote to memory of 3080	1352	cmd.exe	cacls.exe
PID 1352 wrote to memory of 3080	1352	cmd.exe	cacls.exe
PID 1352 wrote to memory of 3080	1352	cmd.exe	cacls.exe
PID 1352 wrote to memory of 4952	1352	cmd.exe	cacls.exe
PID 1352 wrote to memory of 4952	1352	cmd.exe	cacls.exe
PID 1352 wrote to memory of 4952	1352	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\9333e2b50bdb21203a138b74d2acc38ba2d2e4e66741b2934baf8ba5e39beb9f.exe
"C:\Users\Admin\AppData\Local\Temp\9333e2b50bdb21203a138b74d2acc38ba2d2e4e66741b2934baf8ba5e39beb9f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino9924.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino9924.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3632.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3632.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0765.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0765.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1828
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus6326.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus6326.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7974.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7974.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 1080
        6⤵
        Program crash
        
        PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dMv58s54.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dMv58s54.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3692
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 1336
        5⤵
        Program crash
        
        PID:1952
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en897736.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en897736.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3616
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge112350.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge112350.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4452
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1352
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2344
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:N"
        5⤵
        
        PID:2780
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:R" /E
        5⤵
        
        PID:2756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4932
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:N"
        5⤵
        
        PID:3080
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:R" /E
        5⤵
        
        PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4828 -ip 4828
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3692 -ip 3692
1⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge112350.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge112350.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino9924.exe

Filesize
837KB

MD5
28efa87cd78f89d2cc4b1beabb762123

SHA1
f680e020bac3c59d0a2c5eaef770ece85745e5d9

SHA256
908603e0c30815921b55c903f943cb096fddc8fb4a5e0ca9511745a7a9da36f5

SHA512
2c76590ae9deff9b523c27896f99f6f860735d6ea75966f71b882b5c32ab631634f4f8c45839f921bee92a45f678103d4dc63e0ff9c89161bde33c3a25f067bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino9924.exe

Filesize
837KB

MD5
28efa87cd78f89d2cc4b1beabb762123

SHA1
f680e020bac3c59d0a2c5eaef770ece85745e5d9

SHA256
908603e0c30815921b55c903f943cb096fddc8fb4a5e0ca9511745a7a9da36f5

SHA512
2c76590ae9deff9b523c27896f99f6f860735d6ea75966f71b882b5c32ab631634f4f8c45839f921bee92a45f678103d4dc63e0ff9c89161bde33c3a25f067bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en897736.exe

Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en897736.exe

Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3632.exe

Filesize
694KB

MD5
c87ccbccd681e6613f7ba5a1c2e372ef

SHA1
6372d75b6bfb93b3d9bdb11bd16dcceaba6421fe

SHA256
84778554a8541e39ec04a5cba049e64371e9f2b30eae11526d444d08aeb5bbff

SHA512
0bfa1daf9a98a232b8802da545fab0da3dfec396081bfc4c40725f40c2f3a80d0bfcdbf096ccfc1a3e44368ecd9677292ba3ec67bf139edfe73bc955ff8d7c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3632.exe

Filesize
694KB

MD5
c87ccbccd681e6613f7ba5a1c2e372ef

SHA1
6372d75b6bfb93b3d9bdb11bd16dcceaba6421fe

SHA256
84778554a8541e39ec04a5cba049e64371e9f2b30eae11526d444d08aeb5bbff

SHA512
0bfa1daf9a98a232b8802da545fab0da3dfec396081bfc4c40725f40c2f3a80d0bfcdbf096ccfc1a3e44368ecd9677292ba3ec67bf139edfe73bc955ff8d7c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dMv58s54.exe

Filesize
349KB

MD5
cefbad70ec6dfdb4b11662fba9850af5

SHA1
468b610cf479f0f410f07578f68d13f2efd6e6e8

SHA256
e782d97fa063e71c35376b70ad01924223f727cf737876dc8864195be3f60006

SHA512
f4e39058b30ce2160b2e1697d310e02b0e0ff9dcbf66f77f2353f9aa2b6639ffd37a1964c8f7156e0932aa5c2ffe4386dc7b000e6faff827f9c90bf4ec2a55b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dMv58s54.exe

Filesize
349KB

MD5
cefbad70ec6dfdb4b11662fba9850af5

SHA1
468b610cf479f0f410f07578f68d13f2efd6e6e8

SHA256
e782d97fa063e71c35376b70ad01924223f727cf737876dc8864195be3f60006

SHA512
f4e39058b30ce2160b2e1697d310e02b0e0ff9dcbf66f77f2353f9aa2b6639ffd37a1964c8f7156e0932aa5c2ffe4386dc7b000e6faff827f9c90bf4ec2a55b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0765.exe

Filesize
344KB

MD5
432195f7e9ed3017da66cf2a3815cd65

SHA1
6d7e9b68342420df45ece85569a698d1419474ee

SHA256
76f5c5aeb698fe419d817a39892001e14dcd88d1dce5404e4ad6183708d5a848

SHA512
6ac00037fb1b9e2e67482caefb3e5c6bda8400221685381cd0ccfcae5a733e94318a579400c5ec40c39ec94339edc0da9478e2084a8dcf31f18265dc2f5b0d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0765.exe

Filesize
344KB

MD5
432195f7e9ed3017da66cf2a3815cd65

SHA1
6d7e9b68342420df45ece85569a698d1419474ee

SHA256
76f5c5aeb698fe419d817a39892001e14dcd88d1dce5404e4ad6183708d5a848

SHA512
6ac00037fb1b9e2e67482caefb3e5c6bda8400221685381cd0ccfcae5a733e94318a579400c5ec40c39ec94339edc0da9478e2084a8dcf31f18265dc2f5b0d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus6326.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus6326.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7974.exe

Filesize
291KB

MD5
82ebaf9acda17a1b75f9453c1b547898

SHA1
12341df19223b57c75e7a3232d8bcb50eacefe9d

SHA256
9dd09c151db6c3f4aa585b443a3275c3a6016d6b80bd3f46c348a41944384a1e

SHA512
9d4c5633f58c9ac992075ce08980f6ff1853a1e17832a6bf52f6ac2bc1a717d0eb57e8bbe1d6242ba2d3fecaa3bcbce4a6fa0e47a7960636904b230e8b22baf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7974.exe

Filesize
291KB

MD5
82ebaf9acda17a1b75f9453c1b547898

SHA1
12341df19223b57c75e7a3232d8bcb50eacefe9d

SHA256
9dd09c151db6c3f4aa585b443a3275c3a6016d6b80bd3f46c348a41944384a1e

SHA512
9d4c5633f58c9ac992075ce08980f6ff1853a1e17832a6bf52f6ac2bc1a717d0eb57e8bbe1d6242ba2d3fecaa3bcbce4a6fa0e47a7960636904b230e8b22baf3

Download Submit
memory/2360-161-0x0000000000FA0000-0x0000000000FAA000-memory.dmp

Filesize
40KB

Download
memory/3616-1141-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/3616-1140-0x0000000000A00000-0x0000000000A32000-memory.dmp

Filesize
200KB

Download
memory/3692-1123-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/3692-238-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/3692-1134-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/3692-1133-0x00000000070E0000-0x0000000007130000-memory.dmp

Filesize
320KB

Download
memory/3692-1132-0x0000000007050000-0x00000000070C6000-memory.dmp

Filesize
472KB

Download
memory/3692-1131-0x00000000069F0000-0x0000000006F1C000-memory.dmp

Filesize
5.2MB

Download
memory/3692-1130-0x0000000006810000-0x00000000069D2000-memory.dmp

Filesize
1.8MB

Download
memory/3692-1129-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/3692-1128-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/3692-1127-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/3692-1125-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/3692-1124-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/3692-1122-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/3692-1121-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/3692-1120-0x0000000005B20000-0x0000000005C2A000-memory.dmp

Filesize
1.0MB

Download
memory/3692-210-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/3692-211-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/3692-213-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/3692-215-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/3692-216-0x00000000009C0000-0x0000000000A0B000-memory.dmp

Filesize
300KB

Download
memory/3692-219-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/3692-218-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/3692-222-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/3692-221-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/3692-224-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/3692-226-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/3692-228-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/3692-230-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/3692-232-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/3692-234-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/3692-236-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/3692-1119-0x0000000005500000-0x0000000005B18000-memory.dmp

Filesize
6.1MB

Download
memory/3692-240-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/3692-242-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/3692-244-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/3692-246-0x00000000026D0000-0x000000000270E000-memory.dmp

Filesize
248KB

Download
memory/4828-193-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/4828-181-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/4828-187-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/4828-205-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/4828-191-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/4828-203-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/4828-202-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/4828-189-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/4828-200-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/4828-199-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/4828-197-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/4828-195-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/4828-185-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/4828-183-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/4828-201-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/4828-179-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/4828-177-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/4828-175-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/4828-173-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/4828-172-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/4828-171-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/4828-170-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/4828-169-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/4828-168-0x0000000000860000-0x000000000088D000-memory.dmp

Filesize
180KB

Download
memory/4828-167-0x0000000004E20000-0x00000000053C4000-memory.dmp

Filesize
5.6MB

Download