amadey | 57defea07e9e9d2ca61dda15106df6d1dbf06e7519cc6ca427849edd9373a1cf

Analysis

max time kernel
102s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2023 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57defea07e9e9d2ca61dda15106df6d1dbf06e7519cc6ca427849edd9373a1cf.exe
Size

1023KB
MD5

9a299bff53894927378df3e917d63e91
SHA1

651c7f71335f90fefc4f6183a66405d4b01b5c3b
SHA256

57defea07e9e9d2ca61dda15106df6d1dbf06e7519cc6ca427849edd9373a1cf
SHA512

1d5309c1c8f9ad60215f1c3e43f88f0d33c5eec20ff07a71fee121a48727a9281177d1b75c50560536512c3ef3c19419c95b91f7308abcebae77129bf52d9066
SSDEEP

24576:EyeEZ07/9xuy1tS+V2Gl4/Fc6hjHCFDxybZaLyp/anGap/v0NugTd8yRC:Tr07/9xuy10+KFc6UDx4ULnGW0IO

Score

10^/10

amadey redline down trap discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

trap

193.233.20.30:4125

Attributes

auth_value
b39a737e2e9eba88e48ab88d1061be9c

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

cor4494.exebus1308.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor4494.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus1308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus1308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor4494.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor4494.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor4494.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor4494.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor4494.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus1308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus1308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus1308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus1308.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4432-210-0x00000000028A0000-0x00000000028DE000-memory.dmp	family_redline
behavioral1/memory/4432-211-0x00000000028A0000-0x00000000028DE000-memory.dmp	family_redline
behavioral1/memory/4432-213-0x00000000028A0000-0x00000000028DE000-memory.dmp	family_redline
behavioral1/memory/4432-215-0x00000000028A0000-0x00000000028DE000-memory.dmp	family_redline
behavioral1/memory/4432-217-0x00000000028A0000-0x00000000028DE000-memory.dmp	family_redline
behavioral1/memory/4432-219-0x00000000028A0000-0x00000000028DE000-memory.dmp	family_redline
behavioral1/memory/4432-221-0x00000000028A0000-0x00000000028DE000-memory.dmp	family_redline
behavioral1/memory/4432-223-0x00000000028A0000-0x00000000028DE000-memory.dmp	family_redline
behavioral1/memory/4432-225-0x00000000028A0000-0x00000000028DE000-memory.dmp	family_redline
behavioral1/memory/4432-227-0x00000000028A0000-0x00000000028DE000-memory.dmp	family_redline
behavioral1/memory/4432-229-0x00000000028A0000-0x00000000028DE000-memory.dmp	family_redline
behavioral1/memory/4432-231-0x00000000028A0000-0x00000000028DE000-memory.dmp	family_redline
behavioral1/memory/4432-233-0x00000000028A0000-0x00000000028DE000-memory.dmp	family_redline
behavioral1/memory/4432-235-0x00000000028A0000-0x00000000028DE000-memory.dmp	family_redline
behavioral1/memory/4432-237-0x00000000028A0000-0x00000000028DE000-memory.dmp	family_redline
behavioral1/memory/4432-239-0x00000000028A0000-0x00000000028DE000-memory.dmp	family_redline
behavioral1/memory/4432-241-0x00000000028A0000-0x00000000028DE000-memory.dmp	family_redline
behavioral1/memory/4432-243-0x00000000028A0000-0x00000000028DE000-memory.dmp	family_redline
behavioral1/memory/4432-1133-0x0000000004E50000-0x0000000004E60000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge047675.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	ge047675.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 10 IoCs

Processes:

kino2262.exekino7568.exekino3592.exebus1308.execor4494.exedkm57s65.exeen053164.exege047675.exemetafor.exemetafor.exe

pid	process
1304	kino2262.exe
1920	kino7568.exe
3148	kino3592.exe
2852	bus1308.exe
4468	cor4494.exe
4432	dkm57s65.exe
2760	en053164.exe
4544	ge047675.exe
2836	metafor.exe
2900	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cor4494.exebus1308.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor4494.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor4494.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus1308.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

57defea07e9e9d2ca61dda15106df6d1dbf06e7519cc6ca427849edd9373a1cf.exekino2262.exekino7568.exekino3592.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	57defea07e9e9d2ca61dda15106df6d1dbf06e7519cc6ca427849edd9373a1cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	57defea07e9e9d2ca61dda15106df6d1dbf06e7519cc6ca427849edd9373a1cf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino2262.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino2262.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino7568.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino7568.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino3592.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino3592.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3268 4468 WerFault.exe cor4494.exe
4928 4432 WerFault.exe dkm57s65.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

692 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus1308.execor4494.exedkm57s65.exeen053164.exe

pid process

2852 bus1308.exe
2852 bus1308.exe
4468 cor4494.exe
4468 cor4494.exe
4432 dkm57s65.exe
4432 dkm57s65.exe
2760 en053164.exe
2760 en053164.exe

pid	pid_target	process	target process
3268	4468	WerFault.exe	cor4494.exe
4928	4432	WerFault.exe	dkm57s65.exe

pid	process
692	schtasks.exe

pid	process
2852	bus1308.exe
2852	bus1308.exe
4468	cor4494.exe
4468	cor4494.exe
4432	dkm57s65.exe
4432	dkm57s65.exe
2760	en053164.exe
2760	en053164.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus1308.execor4494.exedkm57s65.exeen053164.exe

description	pid	process
Token: SeDebugPrivilege	2852	bus1308.exe
Token: SeDebugPrivilege	4468	cor4494.exe
Token: SeDebugPrivilege	4432	dkm57s65.exe
Token: SeDebugPrivilege	2760	en053164.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

57defea07e9e9d2ca61dda15106df6d1dbf06e7519cc6ca427849edd9373a1cf.exekino2262.exekino7568.exekino3592.exege047675.exemetafor.execmd.exe

description	pid	process	target process
PID 2312 wrote to memory of 1304	2312	57defea07e9e9d2ca61dda15106df6d1dbf06e7519cc6ca427849edd9373a1cf.exe	kino2262.exe
PID 2312 wrote to memory of 1304	2312	57defea07e9e9d2ca61dda15106df6d1dbf06e7519cc6ca427849edd9373a1cf.exe	kino2262.exe
PID 2312 wrote to memory of 1304	2312	57defea07e9e9d2ca61dda15106df6d1dbf06e7519cc6ca427849edd9373a1cf.exe	kino2262.exe
PID 1304 wrote to memory of 1920	1304	kino2262.exe	kino7568.exe
PID 1304 wrote to memory of 1920	1304	kino2262.exe	kino7568.exe
PID 1304 wrote to memory of 1920	1304	kino2262.exe	kino7568.exe
PID 1920 wrote to memory of 3148	1920	kino7568.exe	kino3592.exe
PID 1920 wrote to memory of 3148	1920	kino7568.exe	kino3592.exe
PID 1920 wrote to memory of 3148	1920	kino7568.exe	kino3592.exe
PID 3148 wrote to memory of 2852	3148	kino3592.exe	bus1308.exe
PID 3148 wrote to memory of 2852	3148	kino3592.exe	bus1308.exe
PID 3148 wrote to memory of 4468	3148	kino3592.exe	cor4494.exe
PID 3148 wrote to memory of 4468	3148	kino3592.exe	cor4494.exe
PID 3148 wrote to memory of 4468	3148	kino3592.exe	cor4494.exe
PID 1920 wrote to memory of 4432	1920	kino7568.exe	dkm57s65.exe
PID 1920 wrote to memory of 4432	1920	kino7568.exe	dkm57s65.exe
PID 1920 wrote to memory of 4432	1920	kino7568.exe	dkm57s65.exe
PID 1304 wrote to memory of 2760	1304	kino2262.exe	en053164.exe
PID 1304 wrote to memory of 2760	1304	kino2262.exe	en053164.exe
PID 1304 wrote to memory of 2760	1304	kino2262.exe	en053164.exe
PID 2312 wrote to memory of 4544	2312	57defea07e9e9d2ca61dda15106df6d1dbf06e7519cc6ca427849edd9373a1cf.exe	ge047675.exe
PID 2312 wrote to memory of 4544	2312	57defea07e9e9d2ca61dda15106df6d1dbf06e7519cc6ca427849edd9373a1cf.exe	ge047675.exe
PID 2312 wrote to memory of 4544	2312	57defea07e9e9d2ca61dda15106df6d1dbf06e7519cc6ca427849edd9373a1cf.exe	ge047675.exe
PID 4544 wrote to memory of 2836	4544	ge047675.exe	metafor.exe
PID 4544 wrote to memory of 2836	4544	ge047675.exe	metafor.exe
PID 4544 wrote to memory of 2836	4544	ge047675.exe	metafor.exe
PID 2836 wrote to memory of 692	2836	metafor.exe	schtasks.exe
PID 2836 wrote to memory of 692	2836	metafor.exe	schtasks.exe
PID 2836 wrote to memory of 692	2836	metafor.exe	schtasks.exe
PID 2836 wrote to memory of 548	2836	metafor.exe	cmd.exe
PID 2836 wrote to memory of 548	2836	metafor.exe	cmd.exe
PID 2836 wrote to memory of 548	2836	metafor.exe	cmd.exe
PID 548 wrote to memory of 3896	548	cmd.exe	cmd.exe
PID 548 wrote to memory of 3896	548	cmd.exe	cmd.exe
PID 548 wrote to memory of 3896	548	cmd.exe	cmd.exe
PID 548 wrote to memory of 3148	548	cmd.exe	cacls.exe
PID 548 wrote to memory of 3148	548	cmd.exe	cacls.exe
PID 548 wrote to memory of 3148	548	cmd.exe	cacls.exe
PID 548 wrote to memory of 624	548	cmd.exe	cacls.exe
PID 548 wrote to memory of 624	548	cmd.exe	cacls.exe
PID 548 wrote to memory of 624	548	cmd.exe	cacls.exe
PID 548 wrote to memory of 4972	548	cmd.exe	cmd.exe
PID 548 wrote to memory of 4972	548	cmd.exe	cmd.exe
PID 548 wrote to memory of 4972	548	cmd.exe	cmd.exe
PID 548 wrote to memory of 2748	548	cmd.exe	cacls.exe
PID 548 wrote to memory of 2748	548	cmd.exe	cacls.exe
PID 548 wrote to memory of 2748	548	cmd.exe	cacls.exe
PID 548 wrote to memory of 3196	548	cmd.exe	cacls.exe
PID 548 wrote to memory of 3196	548	cmd.exe	cacls.exe
PID 548 wrote to memory of 3196	548	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\57defea07e9e9d2ca61dda15106df6d1dbf06e7519cc6ca427849edd9373a1cf.exe
"C:\Users\Admin\AppData\Local\Temp\57defea07e9e9d2ca61dda15106df6d1dbf06e7519cc6ca427849edd9373a1cf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2262.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2262.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino7568.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino7568.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino3592.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino3592.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3148
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1308.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1308.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor4494.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor4494.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1084
        6⤵
        Program crash
        
        PID:3268
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkm57s65.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkm57s65.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4432
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1332
        5⤵
        Program crash
        
        PID:4928
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en053164.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en053164.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge047675.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge047675.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:692
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3896
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:N"
        5⤵
        
        PID:3148
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:R" /E
        5⤵
        
        PID:624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4972
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:N"
        5⤵
        
        PID:2748
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:R" /E
        5⤵
        
        PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4468 -ip 4468
1⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4432 -ip 4432
1⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:2900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge047675.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge047675.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2262.exe

Filesize
842KB

MD5
98dc739e71e11db904bb4c155ec45564

SHA1
205380bc5466707ed7d82c71ef37508dc6debe92

SHA256
44fd9158c8023ccf3c70492d3523f1d313f026597610dde1afd2d77ac4574d71

SHA512
e8fe5bc68f8e67248ad4899769510a75e5792b8e8a77c6c54a042ed449433c34dfc4de09b7acf878f8e98d26c253baca287eeeaa9a7f258bbce7f40f7de354af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2262.exe

Filesize
842KB

MD5
98dc739e71e11db904bb4c155ec45564

SHA1
205380bc5466707ed7d82c71ef37508dc6debe92

SHA256
44fd9158c8023ccf3c70492d3523f1d313f026597610dde1afd2d77ac4574d71

SHA512
e8fe5bc68f8e67248ad4899769510a75e5792b8e8a77c6c54a042ed449433c34dfc4de09b7acf878f8e98d26c253baca287eeeaa9a7f258bbce7f40f7de354af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en053164.exe

Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en053164.exe

Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino7568.exe

Filesize
700KB

MD5
83ae90cdbe90521470a1c1653e1d9baa

SHA1
4ff70b7d336bab3b12ef36c3822bd96126b9afb9

SHA256
455db5adaed62c6cc5eb0071e1f7a5f5d4bdb35909892eb3db852547d941bc25

SHA512
8ebc63f0bbe1e46960406cdaa12e3c9dc17e26a9cca9dbdc3d815414746f46b27508e84e07ad6d7674499c286bea64008292c64da8313d19b6ac56d159a9dff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino7568.exe

Filesize
700KB

MD5
83ae90cdbe90521470a1c1653e1d9baa

SHA1
4ff70b7d336bab3b12ef36c3822bd96126b9afb9

SHA256
455db5adaed62c6cc5eb0071e1f7a5f5d4bdb35909892eb3db852547d941bc25

SHA512
8ebc63f0bbe1e46960406cdaa12e3c9dc17e26a9cca9dbdc3d815414746f46b27508e84e07ad6d7674499c286bea64008292c64da8313d19b6ac56d159a9dff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkm57s65.exe

Filesize
358KB

MD5
1eb3d1a14b6cf1cb376a3f1e7560a182

SHA1
da4ebe8792d9a26ab880842524cdec91e5044e76

SHA256
d69c872803f1545490589d61d7c9f1f0addd07b0df6729a3263b4c8b56a87c69

SHA512
9bad2b527eed5b8c6e844882fb5ca216239dd50d416cb63246048930a5fc7c7c0d79952d78248aba43ca5acaf60583e1776d5e0b06bbab20093c6f83360ad8cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkm57s65.exe

Filesize
358KB

MD5
1eb3d1a14b6cf1cb376a3f1e7560a182

SHA1
da4ebe8792d9a26ab880842524cdec91e5044e76

SHA256
d69c872803f1545490589d61d7c9f1f0addd07b0df6729a3263b4c8b56a87c69

SHA512
9bad2b527eed5b8c6e844882fb5ca216239dd50d416cb63246048930a5fc7c7c0d79952d78248aba43ca5acaf60583e1776d5e0b06bbab20093c6f83360ad8cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino3592.exe

Filesize
347KB

MD5
dd0a9e24c89dbd69d18b3a8434a64eeb

SHA1
13d532c337e35323a68dcabfa543d4d22487d4c2

SHA256
b180358e4c2c6028bc8d3e8d5c4a4c0c7c4078e40c3e8ba34b51638076c53744

SHA512
6068cf239bbc9209c02c1c3c06b6d342123ac34564ba2112f99a406b4837d0db8f940fd7963c05cfbdc7eea25a338d495c6ea4ff328dc5b1f4ae0302d9161a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino3592.exe

Filesize
347KB

MD5
dd0a9e24c89dbd69d18b3a8434a64eeb

SHA1
13d532c337e35323a68dcabfa543d4d22487d4c2

SHA256
b180358e4c2c6028bc8d3e8d5c4a4c0c7c4078e40c3e8ba34b51638076c53744

SHA512
6068cf239bbc9209c02c1c3c06b6d342123ac34564ba2112f99a406b4837d0db8f940fd7963c05cfbdc7eea25a338d495c6ea4ff328dc5b1f4ae0302d9161a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1308.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1308.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor4494.exe

Filesize
300KB

MD5
4e30e7ef970ff5d2a6ab3f8d14aefe19

SHA1
0e8516f6ccb06a218df04586bcd58cd9dc8d800a

SHA256
29a5d35edeb220b12fefa846768b5be1393e4547ed47a877494483c220f4ec50

SHA512
95a3c2308242ae2dd983de628dabd96fbd8199c13b77510d2592e3d3e5c1c729de36d745b0db1860cfd9775fe039be682127aa934d83e5489927d6498d3e66ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor4494.exe

Filesize
300KB

MD5
4e30e7ef970ff5d2a6ab3f8d14aefe19

SHA1
0e8516f6ccb06a218df04586bcd58cd9dc8d800a

SHA256
29a5d35edeb220b12fefa846768b5be1393e4547ed47a877494483c220f4ec50

SHA512
95a3c2308242ae2dd983de628dabd96fbd8199c13b77510d2592e3d3e5c1c729de36d745b0db1860cfd9775fe039be682127aa934d83e5489927d6498d3e66ae

Download Submit
memory/2760-1141-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/2760-1140-0x0000000000350000-0x0000000000382000-memory.dmp

Filesize
200KB

Download
memory/2852-161-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

Filesize
40KB

Download
memory/4432-1123-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/4432-241-0x00000000028A0000-0x00000000028DE000-memory.dmp

Filesize
248KB

Download
memory/4432-1134-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/4432-1132-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/4432-1133-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/4432-1131-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/4432-1130-0x0000000006B10000-0x000000000703C000-memory.dmp

Filesize
5.2MB

Download
memory/4432-1129-0x0000000006900000-0x0000000006AC2000-memory.dmp

Filesize
1.8MB

Download
memory/4432-1127-0x0000000006780000-0x00000000067D0000-memory.dmp

Filesize
320KB

Download
memory/4432-1126-0x00000000066F0000-0x0000000006766000-memory.dmp

Filesize
472KB

Download
memory/4432-1125-0x0000000006600000-0x0000000006692000-memory.dmp

Filesize
584KB

Download
memory/4432-1124-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/4432-1122-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/4432-1121-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/4432-1120-0x0000000005B30000-0x0000000005C3A000-memory.dmp

Filesize
1.0MB

Download
memory/4432-210-0x00000000028A0000-0x00000000028DE000-memory.dmp

Filesize
248KB

Download
memory/4432-211-0x00000000028A0000-0x00000000028DE000-memory.dmp

Filesize
248KB

Download
memory/4432-213-0x00000000028A0000-0x00000000028DE000-memory.dmp

Filesize
248KB

Download
memory/4432-215-0x00000000028A0000-0x00000000028DE000-memory.dmp

Filesize
248KB

Download
memory/4432-217-0x00000000028A0000-0x00000000028DE000-memory.dmp

Filesize
248KB

Download
memory/4432-219-0x00000000028A0000-0x00000000028DE000-memory.dmp

Filesize
248KB

Download
memory/4432-221-0x00000000028A0000-0x00000000028DE000-memory.dmp

Filesize
248KB

Download
memory/4432-223-0x00000000028A0000-0x00000000028DE000-memory.dmp

Filesize
248KB

Download
memory/4432-225-0x00000000028A0000-0x00000000028DE000-memory.dmp

Filesize
248KB

Download
memory/4432-227-0x00000000028A0000-0x00000000028DE000-memory.dmp

Filesize
248KB

Download
memory/4432-229-0x00000000028A0000-0x00000000028DE000-memory.dmp

Filesize
248KB

Download
memory/4432-231-0x00000000028A0000-0x00000000028DE000-memory.dmp

Filesize
248KB

Download
memory/4432-233-0x00000000028A0000-0x00000000028DE000-memory.dmp

Filesize
248KB

Download
memory/4432-235-0x00000000028A0000-0x00000000028DE000-memory.dmp

Filesize
248KB

Download
memory/4432-237-0x00000000028A0000-0x00000000028DE000-memory.dmp

Filesize
248KB

Download
memory/4432-239-0x00000000028A0000-0x00000000028DE000-memory.dmp

Filesize
248KB

Download
memory/4432-1119-0x0000000005510000-0x0000000005B28000-memory.dmp

Filesize
6.1MB

Download
memory/4432-243-0x00000000028A0000-0x00000000028DE000-memory.dmp

Filesize
248KB

Download
memory/4432-393-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/4432-391-0x0000000002220000-0x000000000226B000-memory.dmp

Filesize
300KB

Download
memory/4432-395-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/4468-196-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4468-184-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4468-190-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4468-205-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/4468-194-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4468-204-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4468-203-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4468-192-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4468-200-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/4468-199-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4468-198-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4468-197-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4468-188-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4468-186-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4468-202-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4468-182-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4468-180-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4468-178-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4468-176-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4468-174-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4468-172-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4468-169-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4468-170-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4468-168-0x0000000005050000-0x00000000055F4000-memory.dmp

Filesize
5.6MB

Download
memory/4468-167-0x0000000000890000-0x00000000008BD000-memory.dmp

Filesize
180KB

Download