amadey | 291f9d79ad13aa6af22c4bce9894faec111d7f2c0ad293ec7eedbcefdcc71b28

Analysis

max time kernel
136s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2023 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

291f9d79ad13aa6af22c4bce9894faec111d7f2c0ad293ec7eedbcefdcc71b28.exe
Size

1.0MB
MD5

9048861208c7b807ad9098e45f31ed31
SHA1

555da5c963de3841e73fe020f4011c93077f680d
SHA256

291f9d79ad13aa6af22c4bce9894faec111d7f2c0ad293ec7eedbcefdcc71b28
SHA512

095c9f02cc27295292d2642bd6e5ce7725be6c35bd7a3873c1a867dfebae655cc215f55a94cf9b14c3974835797324228a211bfd9b447a3016325570b48a9c18
SSDEEP

24576:nyYi3anc5QNJYIv6WasngknXq+Uk/UhaUZRG51mWTTwz:yYiKUSY/Wasfa+Ue2ZZg5EW

Score

10^/10

amadey redline down trap discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

trap

193.233.20.30:4125

Attributes

auth_value
b39a737e2e9eba88e48ab88d1061be9c

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bus4025.execor3945.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus4025.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus4025.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus4025.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor3945.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor3945.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor3945.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus4025.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus4025.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus4025.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor3945.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor3945.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor3945.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2732-209-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/2732-212-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/2732-210-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/2732-214-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/2732-218-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/2732-221-0x0000000004D00000-0x0000000004D10000-memory.dmp	family_redline
behavioral1/memory/2732-222-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/2732-224-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/2732-226-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/2732-228-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/2732-230-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/2732-232-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/2732-234-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/2732-236-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/2732-238-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/2732-240-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/2732-242-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/2732-244-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline
behavioral1/memory/2732-246-0x00000000052C0000-0x00000000052FE000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge193935.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	ge193935.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 11 IoCs

Processes:

kino8844.exekino6545.exekino7759.exebus4025.execor3945.exedzf81s04.exeen776856.exege193935.exemetafor.exemetafor.exemetafor.exe

pid	process
2612	kino8844.exe
1344	kino6545.exe
4852	kino7759.exe
3988	bus4025.exe
1308	cor3945.exe
2732	dzf81s04.exe
4736	en776856.exe
2576	ge193935.exe
4044	metafor.exe
1388	metafor.exe
2928	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus4025.execor3945.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus4025.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor3945.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor3945.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino6545.exekino7759.exe291f9d79ad13aa6af22c4bce9894faec111d7f2c0ad293ec7eedbcefdcc71b28.exekino8844.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino6545.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino6545.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino7759.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino7759.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	291f9d79ad13aa6af22c4bce9894faec111d7f2c0ad293ec7eedbcefdcc71b28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	291f9d79ad13aa6af22c4bce9894faec111d7f2c0ad293ec7eedbcefdcc71b28.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino8844.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino8844.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1936 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4632 1308 WerFault.exe cor3945.exe
1272 2732 WerFault.exe dzf81s04.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3464 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus4025.execor3945.exedzf81s04.exeen776856.exe

pid process

3988 bus4025.exe
3988 bus4025.exe
1308 cor3945.exe
1308 cor3945.exe
2732 dzf81s04.exe
2732 dzf81s04.exe
4736 en776856.exe
4736 en776856.exe

pid	process
1936	sc.exe

pid	pid_target	process	target process
4632	1308	WerFault.exe	cor3945.exe
1272	2732	WerFault.exe	dzf81s04.exe

pid	process
3464	schtasks.exe

pid	process
3988	bus4025.exe
3988	bus4025.exe
1308	cor3945.exe
1308	cor3945.exe
2732	dzf81s04.exe
2732	dzf81s04.exe
4736	en776856.exe
4736	en776856.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus4025.execor3945.exedzf81s04.exeen776856.exe

description	pid	process
Token: SeDebugPrivilege	3988	bus4025.exe
Token: SeDebugPrivilege	1308	cor3945.exe
Token: SeDebugPrivilege	2732	dzf81s04.exe
Token: SeDebugPrivilege	4736	en776856.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

291f9d79ad13aa6af22c4bce9894faec111d7f2c0ad293ec7eedbcefdcc71b28.exekino8844.exekino6545.exekino7759.exege193935.exemetafor.execmd.exe

description	pid	process	target process
PID 4160 wrote to memory of 2612	4160	291f9d79ad13aa6af22c4bce9894faec111d7f2c0ad293ec7eedbcefdcc71b28.exe	kino8844.exe
PID 4160 wrote to memory of 2612	4160	291f9d79ad13aa6af22c4bce9894faec111d7f2c0ad293ec7eedbcefdcc71b28.exe	kino8844.exe
PID 4160 wrote to memory of 2612	4160	291f9d79ad13aa6af22c4bce9894faec111d7f2c0ad293ec7eedbcefdcc71b28.exe	kino8844.exe
PID 2612 wrote to memory of 1344	2612	kino8844.exe	kino6545.exe
PID 2612 wrote to memory of 1344	2612	kino8844.exe	kino6545.exe
PID 2612 wrote to memory of 1344	2612	kino8844.exe	kino6545.exe
PID 1344 wrote to memory of 4852	1344	kino6545.exe	kino7759.exe
PID 1344 wrote to memory of 4852	1344	kino6545.exe	kino7759.exe
PID 1344 wrote to memory of 4852	1344	kino6545.exe	kino7759.exe
PID 4852 wrote to memory of 3988	4852	kino7759.exe	bus4025.exe
PID 4852 wrote to memory of 3988	4852	kino7759.exe	bus4025.exe
PID 4852 wrote to memory of 1308	4852	kino7759.exe	cor3945.exe
PID 4852 wrote to memory of 1308	4852	kino7759.exe	cor3945.exe
PID 4852 wrote to memory of 1308	4852	kino7759.exe	cor3945.exe
PID 1344 wrote to memory of 2732	1344	kino6545.exe	dzf81s04.exe
PID 1344 wrote to memory of 2732	1344	kino6545.exe	dzf81s04.exe
PID 1344 wrote to memory of 2732	1344	kino6545.exe	dzf81s04.exe
PID 2612 wrote to memory of 4736	2612	kino8844.exe	en776856.exe
PID 2612 wrote to memory of 4736	2612	kino8844.exe	en776856.exe
PID 2612 wrote to memory of 4736	2612	kino8844.exe	en776856.exe
PID 4160 wrote to memory of 2576	4160	291f9d79ad13aa6af22c4bce9894faec111d7f2c0ad293ec7eedbcefdcc71b28.exe	ge193935.exe
PID 4160 wrote to memory of 2576	4160	291f9d79ad13aa6af22c4bce9894faec111d7f2c0ad293ec7eedbcefdcc71b28.exe	ge193935.exe
PID 4160 wrote to memory of 2576	4160	291f9d79ad13aa6af22c4bce9894faec111d7f2c0ad293ec7eedbcefdcc71b28.exe	ge193935.exe
PID 2576 wrote to memory of 4044	2576	ge193935.exe	metafor.exe
PID 2576 wrote to memory of 4044	2576	ge193935.exe	metafor.exe
PID 2576 wrote to memory of 4044	2576	ge193935.exe	metafor.exe
PID 4044 wrote to memory of 3464	4044	metafor.exe	schtasks.exe
PID 4044 wrote to memory of 3464	4044	metafor.exe	schtasks.exe
PID 4044 wrote to memory of 3464	4044	metafor.exe	schtasks.exe
PID 4044 wrote to memory of 900	4044	metafor.exe	cmd.exe
PID 4044 wrote to memory of 900	4044	metafor.exe	cmd.exe
PID 4044 wrote to memory of 900	4044	metafor.exe	cmd.exe
PID 900 wrote to memory of 4564	900	cmd.exe	cmd.exe
PID 900 wrote to memory of 4564	900	cmd.exe	cmd.exe
PID 900 wrote to memory of 4564	900	cmd.exe	cmd.exe
PID 900 wrote to memory of 3048	900	cmd.exe	cacls.exe
PID 900 wrote to memory of 3048	900	cmd.exe	cacls.exe
PID 900 wrote to memory of 3048	900	cmd.exe	cacls.exe
PID 900 wrote to memory of 3984	900	cmd.exe	cacls.exe
PID 900 wrote to memory of 3984	900	cmd.exe	cacls.exe
PID 900 wrote to memory of 3984	900	cmd.exe	cacls.exe
PID 900 wrote to memory of 2148	900	cmd.exe	cmd.exe
PID 900 wrote to memory of 2148	900	cmd.exe	cmd.exe
PID 900 wrote to memory of 2148	900	cmd.exe	cmd.exe
PID 900 wrote to memory of 5016	900	cmd.exe	cacls.exe
PID 900 wrote to memory of 5016	900	cmd.exe	cacls.exe
PID 900 wrote to memory of 5016	900	cmd.exe	cacls.exe
PID 900 wrote to memory of 4916	900	cmd.exe	cacls.exe
PID 900 wrote to memory of 4916	900	cmd.exe	cacls.exe
PID 900 wrote to memory of 4916	900	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\291f9d79ad13aa6af22c4bce9894faec111d7f2c0ad293ec7eedbcefdcc71b28.exe
"C:\Users\Admin\AppData\Local\Temp\291f9d79ad13aa6af22c4bce9894faec111d7f2c0ad293ec7eedbcefdcc71b28.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4160

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8844.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8844.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2612

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6545.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6545.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7759.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7759.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4852

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4025.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4025.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3945.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3945.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1080
6⤵
- Program crash
PID:4632

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dzf81s04.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dzf81s04.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1936
5⤵
- Program crash
PID:1272

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en776856.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en776856.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge193935.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge193935.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:3464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4564

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:3048

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2148

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:5016

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1308 -ip 1308
1⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2732 -ip 2732
1⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:1388

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:2928

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge193935.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge193935.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8844.exe
Filesize
842KB

MD5
133502e53091fd13cb086f99e0a79c62

SHA1
242d9899190a3ed130a199a531ec553137042ad5

SHA256
26123c773cc642982d256d3615e575203a85881ad6395ee9dfc2dd3740176e43

SHA512
1c305d154ca81c198fde65d5e98e3bece91da52f201d48acd3bf4f309e2911be8958a65f4ea6194212751c2cedb2ee7d81157fd1146205b2c8ce4391931d6296

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8844.exe
Filesize
842KB

MD5
133502e53091fd13cb086f99e0a79c62

SHA1
242d9899190a3ed130a199a531ec553137042ad5

SHA256
26123c773cc642982d256d3615e575203a85881ad6395ee9dfc2dd3740176e43

SHA512
1c305d154ca81c198fde65d5e98e3bece91da52f201d48acd3bf4f309e2911be8958a65f4ea6194212751c2cedb2ee7d81157fd1146205b2c8ce4391931d6296

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en776856.exe
Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en776856.exe
Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6545.exe
Filesize
700KB

MD5
93fd19da690d1ca2153bc4111c59353d

SHA1
2710775f76b2f2522daf98eb3214aeabd1d8bce7

SHA256
7607a2d5c26144fe4c58cbff451a043954aa27c49988df531438f5d3f24982d9

SHA512
0e82d43bc532951ddf83c9f919a0c42bb566ebe8bf3b082859e98fcbe6660b3f97757eee7202e87f283ad10d07e6aacc909df76ed914cd80995fa08fb5c18931

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6545.exe
Filesize
700KB

MD5
93fd19da690d1ca2153bc4111c59353d

SHA1
2710775f76b2f2522daf98eb3214aeabd1d8bce7

SHA256
7607a2d5c26144fe4c58cbff451a043954aa27c49988df531438f5d3f24982d9

SHA512
0e82d43bc532951ddf83c9f919a0c42bb566ebe8bf3b082859e98fcbe6660b3f97757eee7202e87f283ad10d07e6aacc909df76ed914cd80995fa08fb5c18931

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dzf81s04.exe
Filesize
358KB

MD5
916636a091950fdc7a67f2fccf94fe8d

SHA1
92dd9483837b854c88d5afcb2451c3cb6bcf54e4

SHA256
0ec34962610fe2496d0720612066c736572e3811622f65288e5a4d5f27bd9717

SHA512
3b3a122113f4ffc166d140990b21adbf6fcee211272f6bc8b8562673de11c5eeaa12df6daff093f43cc82f260a7910c3dde5e228244feb3722d5046638a61f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dzf81s04.exe
Filesize
358KB

MD5
916636a091950fdc7a67f2fccf94fe8d

SHA1
92dd9483837b854c88d5afcb2451c3cb6bcf54e4

SHA256
0ec34962610fe2496d0720612066c736572e3811622f65288e5a4d5f27bd9717

SHA512
3b3a122113f4ffc166d140990b21adbf6fcee211272f6bc8b8562673de11c5eeaa12df6daff093f43cc82f260a7910c3dde5e228244feb3722d5046638a61f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7759.exe
Filesize
347KB

MD5
a7784347ae8cf06cbc7f8b455441021e

SHA1
b4d9e4ddb628ac5a06c08abee9c4e0d97f4a066a

SHA256
35c56061f15cab6611f13bd473bd8327e40d039d990d9ffe653271eff85ba157

SHA512
6374080453c177f289834264483ccf9850ea73bf667554e89ae2fe53498c10b7b4236506951ff4065d4a29c469c81fa2e33102546f6d253b9dd41c70dd697d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7759.exe
Filesize
347KB

MD5
a7784347ae8cf06cbc7f8b455441021e

SHA1
b4d9e4ddb628ac5a06c08abee9c4e0d97f4a066a

SHA256
35c56061f15cab6611f13bd473bd8327e40d039d990d9ffe653271eff85ba157

SHA512
6374080453c177f289834264483ccf9850ea73bf667554e89ae2fe53498c10b7b4236506951ff4065d4a29c469c81fa2e33102546f6d253b9dd41c70dd697d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4025.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4025.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3945.exe
Filesize
300KB

MD5
f12a3a36bb110662755c8fe1f4c2104e

SHA1
48cdc5eee92ad5ac712053f49085944f723fd701

SHA256
4a2a7eb36570d1d81e04842afbbee693f49332f0a54b87ed99db2ecb3c7efb1e

SHA512
9c65f44382de2bcc73a65868c1cc69178795a015f3870b3365aa6e6647d2b833e99190e0aaedfd77e3504461870258803d54412246d8ae5b6147853f7ab37f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3945.exe
Filesize
300KB

MD5
f12a3a36bb110662755c8fe1f4c2104e

SHA1
48cdc5eee92ad5ac712053f49085944f723fd701

SHA256
4a2a7eb36570d1d81e04842afbbee693f49332f0a54b87ed99db2ecb3c7efb1e

SHA512
9c65f44382de2bcc73a65868c1cc69178795a015f3870b3365aa6e6647d2b833e99190e0aaedfd77e3504461870258803d54412246d8ae5b6147853f7ab37f25

Download Submit
memory/1308-177-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/1308-197-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/1308-179-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/1308-181-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/1308-183-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/1308-185-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/1308-187-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/1308-189-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/1308-191-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/1308-193-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/1308-195-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/1308-175-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/1308-199-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/1308-200-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/1308-201-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/1308-202-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/1308-204-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/1308-173-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/1308-172-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/1308-171-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/1308-170-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/1308-169-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/1308-168-0x0000000000880000-0x00000000008AD000-memory.dmp

Filesize
180KB

Download
memory/1308-167-0x0000000004E50000-0x00000000053F4000-memory.dmp

Filesize
5.6MB

Download
memory/2732-214-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/2732-1123-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/2732-222-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/2732-224-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/2732-226-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/2732-228-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/2732-230-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/2732-232-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/2732-234-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/2732-236-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/2732-238-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/2732-240-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/2732-242-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/2732-244-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/2732-246-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/2732-1119-0x0000000005320000-0x0000000005938000-memory.dmp

Filesize
6.1MB

Download
memory/2732-1120-0x00000000059C0000-0x0000000005ACA000-memory.dmp

Filesize
1.0MB

Download
memory/2732-1121-0x0000000005B00000-0x0000000005B12000-memory.dmp

Filesize
72KB

Download
memory/2732-1122-0x0000000005B20000-0x0000000005B5C000-memory.dmp

Filesize
240KB

Download
memory/2732-221-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/2732-1124-0x0000000005E10000-0x0000000005E76000-memory.dmp

Filesize
408KB

Download
memory/2732-1125-0x0000000006610000-0x00000000066A2000-memory.dmp

Filesize
584KB

Download
memory/2732-1126-0x00000000067F0000-0x0000000006866000-memory.dmp

Filesize
472KB

Download
memory/2732-1127-0x0000000006880000-0x00000000068D0000-memory.dmp

Filesize
320KB

Download
memory/2732-1129-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/2732-1130-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/2732-1131-0x0000000006900000-0x0000000006AC2000-memory.dmp

Filesize
1.8MB

Download
memory/2732-1132-0x0000000006AD0000-0x0000000006FFC000-memory.dmp

Filesize
5.2MB

Download
memory/2732-1134-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/2732-209-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/2732-212-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/2732-210-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/2732-217-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/2732-219-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/2732-218-0x00000000052C0000-0x00000000052FE000-memory.dmp

Filesize
248KB

Download
memory/2732-215-0x0000000002380000-0x00000000023CB000-memory.dmp

Filesize
300KB

Download
memory/3988-161-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/4736-1140-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/4736-1139-0x0000000000C10000-0x0000000000C42000-memory.dmp

Filesize
200KB

Download