amadey | 7097b2d72ab5cb5d15b3166dfe53d4fc873f2d8a557d4468ba13b66c0c807308

Analysis

max time kernel
144s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2023 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7097b2d72ab5cb5d15b3166dfe53d4fc873f2d8a557d4468ba13b66c0c807308.exe
Size

1024KB
MD5

6d76c9f95c33fe288cc021214f9518ee
SHA1

937fc12f91cbfe6bdaa23af4711d0e04c53bcbde
SHA256

7097b2d72ab5cb5d15b3166dfe53d4fc873f2d8a557d4468ba13b66c0c807308
SHA512

07a132650611d628786497f9ef00395920a4cac1ab5e7f01bf58d351ccc2a69be81d5ca685c756e34fa76c112a59ac38e9e9850ec8ebb44872ac65b3c59d7667
SSDEEP

24576:5yOWxube0txPu4op7vPeXxSZmGTBGhiFmfjr0aq:sO3zxm4o9vPeBSZmMBYi2jr

Score

10^/10

amadey redline down trap discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

trap

193.233.20.30:4125

Attributes

auth_value
b39a737e2e9eba88e48ab88d1061be9c

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bus9919.execor2783.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus9919.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus9919.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus9919.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus9919.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor2783.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor2783.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor2783.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor2783.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus9919.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus9919.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor2783.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor2783.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1464-210-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/1464-211-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/1464-214-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/1464-218-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/1464-221-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/1464-217-0x0000000004E60000-0x0000000004E70000-memory.dmp	family_redline
behavioral1/memory/1464-223-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/1464-225-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/1464-227-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/1464-229-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/1464-231-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/1464-233-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/1464-235-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/1464-237-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/1464-239-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/1464-241-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/1464-243-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/1464-245-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/1464-247-0x0000000004CD0000-0x0000000004D0E000-memory.dmp	family_redline
behavioral1/memory/1464-1126-0x0000000004E60000-0x0000000004E70000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge754397.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	ge754397.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 10 IoCs

Processes:

kino8298.exekino0357.exekino6293.exebus9919.execor2783.exedMh81s67.exeen586342.exege754397.exemetafor.exemetafor.exe

pid	process
3712	kino8298.exe
4288	kino0357.exe
4892	kino6293.exe
216	bus9919.exe
832	cor2783.exe
1464	dMh81s67.exe
2764	en586342.exe
3348	ge754397.exe
1100	metafor.exe
3980	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus9919.execor2783.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus9919.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor2783.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor2783.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino0357.exekino6293.exe7097b2d72ab5cb5d15b3166dfe53d4fc873f2d8a557d4468ba13b66c0c807308.exekino8298.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino0357.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino0357.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino6293.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino6293.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7097b2d72ab5cb5d15b3166dfe53d4fc873f2d8a557d4468ba13b66c0c807308.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7097b2d72ab5cb5d15b3166dfe53d4fc873f2d8a557d4468ba13b66c0c807308.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino8298.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino8298.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4564 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3372 832 WerFault.exe cor2783.exe
2020 1464 WerFault.exe dMh81s67.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3372 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus9919.execor2783.exedMh81s67.exeen586342.exe

pid process

216 bus9919.exe
216 bus9919.exe
832 cor2783.exe
832 cor2783.exe
1464 dMh81s67.exe
1464 dMh81s67.exe
2764 en586342.exe
2764 en586342.exe

pid	process
4564	sc.exe

pid	pid_target	process	target process
3372	832	WerFault.exe	cor2783.exe
2020	1464	WerFault.exe	dMh81s67.exe

pid	process
3372	schtasks.exe

pid	process
216	bus9919.exe
216	bus9919.exe
832	cor2783.exe
832	cor2783.exe
1464	dMh81s67.exe
1464	dMh81s67.exe
2764	en586342.exe
2764	en586342.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus9919.execor2783.exedMh81s67.exeen586342.exe

description	pid	process
Token: SeDebugPrivilege	216	bus9919.exe
Token: SeDebugPrivilege	832	cor2783.exe
Token: SeDebugPrivilege	1464	dMh81s67.exe
Token: SeDebugPrivilege	2764	en586342.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

7097b2d72ab5cb5d15b3166dfe53d4fc873f2d8a557d4468ba13b66c0c807308.exekino8298.exekino0357.exekino6293.exege754397.exemetafor.execmd.exe

description	pid	process	target process
PID 4608 wrote to memory of 3712	4608	7097b2d72ab5cb5d15b3166dfe53d4fc873f2d8a557d4468ba13b66c0c807308.exe	kino8298.exe
PID 4608 wrote to memory of 3712	4608	7097b2d72ab5cb5d15b3166dfe53d4fc873f2d8a557d4468ba13b66c0c807308.exe	kino8298.exe
PID 4608 wrote to memory of 3712	4608	7097b2d72ab5cb5d15b3166dfe53d4fc873f2d8a557d4468ba13b66c0c807308.exe	kino8298.exe
PID 3712 wrote to memory of 4288	3712	kino8298.exe	kino0357.exe
PID 3712 wrote to memory of 4288	3712	kino8298.exe	kino0357.exe
PID 3712 wrote to memory of 4288	3712	kino8298.exe	kino0357.exe
PID 4288 wrote to memory of 4892	4288	kino0357.exe	kino6293.exe
PID 4288 wrote to memory of 4892	4288	kino0357.exe	kino6293.exe
PID 4288 wrote to memory of 4892	4288	kino0357.exe	kino6293.exe
PID 4892 wrote to memory of 216	4892	kino6293.exe	bus9919.exe
PID 4892 wrote to memory of 216	4892	kino6293.exe	bus9919.exe
PID 4892 wrote to memory of 832	4892	kino6293.exe	cor2783.exe
PID 4892 wrote to memory of 832	4892	kino6293.exe	cor2783.exe
PID 4892 wrote to memory of 832	4892	kino6293.exe	cor2783.exe
PID 4288 wrote to memory of 1464	4288	kino0357.exe	dMh81s67.exe
PID 4288 wrote to memory of 1464	4288	kino0357.exe	dMh81s67.exe
PID 4288 wrote to memory of 1464	4288	kino0357.exe	dMh81s67.exe
PID 3712 wrote to memory of 2764	3712	kino8298.exe	en586342.exe
PID 3712 wrote to memory of 2764	3712	kino8298.exe	en586342.exe
PID 3712 wrote to memory of 2764	3712	kino8298.exe	en586342.exe
PID 4608 wrote to memory of 3348	4608	7097b2d72ab5cb5d15b3166dfe53d4fc873f2d8a557d4468ba13b66c0c807308.exe	ge754397.exe
PID 4608 wrote to memory of 3348	4608	7097b2d72ab5cb5d15b3166dfe53d4fc873f2d8a557d4468ba13b66c0c807308.exe	ge754397.exe
PID 4608 wrote to memory of 3348	4608	7097b2d72ab5cb5d15b3166dfe53d4fc873f2d8a557d4468ba13b66c0c807308.exe	ge754397.exe
PID 3348 wrote to memory of 1100	3348	ge754397.exe	metafor.exe
PID 3348 wrote to memory of 1100	3348	ge754397.exe	metafor.exe
PID 3348 wrote to memory of 1100	3348	ge754397.exe	metafor.exe
PID 1100 wrote to memory of 3372	1100	metafor.exe	schtasks.exe
PID 1100 wrote to memory of 3372	1100	metafor.exe	schtasks.exe
PID 1100 wrote to memory of 3372	1100	metafor.exe	schtasks.exe
PID 1100 wrote to memory of 4892	1100	metafor.exe	cmd.exe
PID 1100 wrote to memory of 4892	1100	metafor.exe	cmd.exe
PID 1100 wrote to memory of 4892	1100	metafor.exe	cmd.exe
PID 4892 wrote to memory of 5004	4892	cmd.exe	cmd.exe
PID 4892 wrote to memory of 5004	4892	cmd.exe	cmd.exe
PID 4892 wrote to memory of 5004	4892	cmd.exe	cmd.exe
PID 4892 wrote to memory of 644	4892	cmd.exe	cacls.exe
PID 4892 wrote to memory of 644	4892	cmd.exe	cacls.exe
PID 4892 wrote to memory of 644	4892	cmd.exe	cacls.exe
PID 4892 wrote to memory of 2260	4892	cmd.exe	cacls.exe
PID 4892 wrote to memory of 2260	4892	cmd.exe	cacls.exe
PID 4892 wrote to memory of 2260	4892	cmd.exe	cacls.exe
PID 4892 wrote to memory of 1156	4892	cmd.exe	cmd.exe
PID 4892 wrote to memory of 1156	4892	cmd.exe	cmd.exe
PID 4892 wrote to memory of 1156	4892	cmd.exe	cmd.exe
PID 4892 wrote to memory of 3860	4892	cmd.exe	cacls.exe
PID 4892 wrote to memory of 3860	4892	cmd.exe	cacls.exe
PID 4892 wrote to memory of 3860	4892	cmd.exe	cacls.exe
PID 4892 wrote to memory of 3660	4892	cmd.exe	cacls.exe
PID 4892 wrote to memory of 3660	4892	cmd.exe	cacls.exe
PID 4892 wrote to memory of 3660	4892	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\7097b2d72ab5cb5d15b3166dfe53d4fc873f2d8a557d4468ba13b66c0c807308.exe
"C:\Users\Admin\AppData\Local\Temp\7097b2d72ab5cb5d15b3166dfe53d4fc873f2d8a557d4468ba13b66c0c807308.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4608

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8298.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8298.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3712

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino0357.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino0357.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4288

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino6293.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino6293.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4892

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus9919.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus9919.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor2783.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor2783.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 1088
6⤵
- Program crash
PID:3372

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dMh81s67.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dMh81s67.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 1332
5⤵
- Program crash
PID:2020

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en586342.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en586342.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge754397.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge754397.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:3372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:5004

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:644

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1156

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:3860

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 832 -ip 832
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1464 -ip 1464
1⤵
PID:4376

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge754397.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge754397.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8298.exe
Filesize
842KB

MD5
b49c2c57f3806e5f3ab1d45c4e57c2d1

SHA1
92d88a81371033ded6127c5eb64ba8c99f4388a1

SHA256
0b8e52c2e35f1ffb74073b72492d85cbf6d94c5a44a9b074a667d731fee2bbf3

SHA512
962e6f4e3db48355ec596bc49a4293d88aa6db1f92eeae1198052661107e0e8b6a4ed9ca2c3e47f039a7ba9b5a784834780ef9f0edc25cc31a704718d86eb1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8298.exe
Filesize
842KB

MD5
b49c2c57f3806e5f3ab1d45c4e57c2d1

SHA1
92d88a81371033ded6127c5eb64ba8c99f4388a1

SHA256
0b8e52c2e35f1ffb74073b72492d85cbf6d94c5a44a9b074a667d731fee2bbf3

SHA512
962e6f4e3db48355ec596bc49a4293d88aa6db1f92eeae1198052661107e0e8b6a4ed9ca2c3e47f039a7ba9b5a784834780ef9f0edc25cc31a704718d86eb1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en586342.exe
Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en586342.exe
Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino0357.exe
Filesize
700KB

MD5
6a6938a11090b59e89068b8f47bc7d1e

SHA1
afbf5c5d1252d19776cb9b3443dce5266c178796

SHA256
886b012900f319efe82a3c0f1b79944f214d58c0029b361ccefad7bb63daf89f

SHA512
1608eb1cb3112b2d8d6c8ec1b6a9a55bad3effcf3fae97930c0b5605d880f43f008644ec882536cd3733d0c3ccca2a8106a44913099014f357b8a2d81c85415c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino0357.exe
Filesize
700KB

MD5
6a6938a11090b59e89068b8f47bc7d1e

SHA1
afbf5c5d1252d19776cb9b3443dce5266c178796

SHA256
886b012900f319efe82a3c0f1b79944f214d58c0029b361ccefad7bb63daf89f

SHA512
1608eb1cb3112b2d8d6c8ec1b6a9a55bad3effcf3fae97930c0b5605d880f43f008644ec882536cd3733d0c3ccca2a8106a44913099014f357b8a2d81c85415c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dMh81s67.exe
Filesize
358KB

MD5
81fd96677839c1aa81230a0ad0025cb5

SHA1
f2f4974e6e8c3790d283fd4f7cf779fe564b1ad5

SHA256
8e2bf48dde421c50f9bf46ab1124d11d327a92121b23a670ee6c06039c48254f

SHA512
6689c4cc3032fb58191c8ea743a4a8d840e196d49ce7a4e843fa14c9c46ba050427ba27730f158302839ae0e15de17af81baea0e8e239999be37225013f99d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dMh81s67.exe
Filesize
358KB

MD5
81fd96677839c1aa81230a0ad0025cb5

SHA1
f2f4974e6e8c3790d283fd4f7cf779fe564b1ad5

SHA256
8e2bf48dde421c50f9bf46ab1124d11d327a92121b23a670ee6c06039c48254f

SHA512
6689c4cc3032fb58191c8ea743a4a8d840e196d49ce7a4e843fa14c9c46ba050427ba27730f158302839ae0e15de17af81baea0e8e239999be37225013f99d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino6293.exe
Filesize
347KB

MD5
5a4174d2a208fb219756b1caf913c65c

SHA1
88352b44155a80f126e548db194a32f2d457386d

SHA256
c9539297e793b252f06f2339be3b03bff8cb86513237ac8874fe118fde9badb5

SHA512
f660052c14a9398eabd723365e3aaa3fd3a5b5d656aab982dde70b3b8090854de10d17da1a199f437691ab02de2388da74e5aaa3e3a3321267d4774e918bafcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino6293.exe
Filesize
347KB

MD5
5a4174d2a208fb219756b1caf913c65c

SHA1
88352b44155a80f126e548db194a32f2d457386d

SHA256
c9539297e793b252f06f2339be3b03bff8cb86513237ac8874fe118fde9badb5

SHA512
f660052c14a9398eabd723365e3aaa3fd3a5b5d656aab982dde70b3b8090854de10d17da1a199f437691ab02de2388da74e5aaa3e3a3321267d4774e918bafcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus9919.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus9919.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor2783.exe
Filesize
300KB

MD5
3134139d0c08c25e3d60755e6dc3c2af

SHA1
db5e731dc70303bc94eb3b78d583f6d094d9a8c8

SHA256
7a3296895a8a941479f9fd5a5c552927de4e22938fd914edc01052b917a2acab

SHA512
0141abefc0d3b3a7ab959c49e3623fbf0aaaecd9df51ef40c13eba26cc283270f3a8acf675ccfc8acef6c7d9677abb17d93a706f1baff112445e11b7ee05f4d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor2783.exe
Filesize
300KB

MD5
3134139d0c08c25e3d60755e6dc3c2af

SHA1
db5e731dc70303bc94eb3b78d583f6d094d9a8c8

SHA256
7a3296895a8a941479f9fd5a5c552927de4e22938fd914edc01052b917a2acab

SHA512
0141abefc0d3b3a7ab959c49e3623fbf0aaaecd9df51ef40c13eba26cc283270f3a8acf675ccfc8acef6c7d9677abb17d93a706f1baff112445e11b7ee05f4d1

Download Submit
memory/216-161-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/832-177-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/832-200-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/832-179-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/832-181-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/832-183-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/832-185-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/832-187-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/832-189-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/832-191-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/832-193-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/832-195-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/832-197-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/832-199-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/832-175-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/832-201-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/832-202-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/832-203-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/832-205-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/832-173-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/832-172-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/832-171-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/832-170-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/832-169-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/832-168-0x0000000004F80000-0x0000000005524000-memory.dmp

Filesize
5.6MB

Download
memory/832-167-0x00000000009A0000-0x00000000009CD000-memory.dmp

Filesize
180KB

Download
memory/1464-212-0x0000000002370000-0x00000000023BB000-memory.dmp

Filesize
300KB

Download
memory/1464-1124-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/1464-223-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/1464-225-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/1464-227-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/1464-229-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/1464-231-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/1464-233-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/1464-235-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/1464-237-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/1464-239-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/1464-241-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/1464-243-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/1464-245-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/1464-247-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/1464-1120-0x0000000005420000-0x0000000005A38000-memory.dmp

Filesize
6.1MB

Download
memory/1464-1121-0x0000000005A40000-0x0000000005B4A000-memory.dmp

Filesize
1.0MB

Download
memory/1464-1122-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/1464-1123-0x0000000005B50000-0x0000000005B8C000-memory.dmp

Filesize
240KB

Download
memory/1464-217-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/1464-1126-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/1464-1127-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/1464-1128-0x0000000005E10000-0x0000000005E76000-memory.dmp

Filesize
408KB

Download
memory/1464-1129-0x00000000064D0000-0x0000000006562000-memory.dmp

Filesize
584KB

Download
memory/1464-1130-0x00000000065B0000-0x0000000006626000-memory.dmp

Filesize
472KB

Download
memory/1464-1131-0x0000000006640000-0x0000000006690000-memory.dmp

Filesize
320KB

Download
memory/1464-1132-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/1464-1133-0x0000000006930000-0x0000000006AF2000-memory.dmp

Filesize
1.8MB

Download
memory/1464-221-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/1464-1134-0x0000000006B00000-0x000000000702C000-memory.dmp

Filesize
5.2MB

Download
memory/1464-210-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/1464-211-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/1464-219-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/1464-218-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/1464-215-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/1464-214-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

Filesize
248KB

Download
memory/2764-1141-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/2764-1140-0x00000000008F0000-0x0000000000922000-memory.dmp

Filesize
200KB

Download