amadey | a8be2d45b0364dd521b7aaeb90fe3d2f022d3b485732a374dbda9d2e869a75b9

Analysis

max time kernel
135s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2023 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8be2d45b0364dd521b7aaeb90fe3d2f022d3b485732a374dbda9d2e869a75b9.exe
Size

1019KB
MD5

eac79a0e51423bc9245fbef624d26446
SHA1

de9ad7bcde69b1fa0b96bd3a0cfc19d07a502b49
SHA256

a8be2d45b0364dd521b7aaeb90fe3d2f022d3b485732a374dbda9d2e869a75b9
SHA512

2c658401885f334c07cb40a214cbc8ca7b747f62542080f7937071db4df33ecbf5e626ab5710b744b4433ee693d4833b4cc80db51c325e1e8a98ed9ae0c7efc3
SSDEEP

24576:pytQkul17OXFSDwJdvH5f4rlOM7aaRes5cBkY3N7:cykul1ksY/5ylOCDcH3

Score

10^/10

amadey redline down trap discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

trap

193.233.20.30:4125

Attributes

auth_value
b39a737e2e9eba88e48ab88d1061be9c

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bus0892.execor5296.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus0892.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus0892.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor5296.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor5296.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus0892.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus0892.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus0892.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor5296.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor5296.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor5296.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor5296.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus0892.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4932-209-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4932-210-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4932-212-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4932-214-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4932-216-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4932-218-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4932-220-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4932-222-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4932-224-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4932-226-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4932-228-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4932-230-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4932-232-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4932-234-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4932-236-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4932-238-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4932-240-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline
behavioral1/memory/4932-242-0x0000000002970000-0x00000000029AE000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge628974.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	ge628974.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 11 IoCs

Processes:

kino7232.exekino4230.exekino3874.exebus0892.execor5296.exedbP42s65.exeen598758.exege628974.exemetafor.exemetafor.exemetafor.exe

pid	process
2020	kino7232.exe
1832	kino4230.exe
1392	kino3874.exe
5040	bus0892.exe
4608	cor5296.exe
4932	dbP42s65.exe
1208	en598758.exe
1748	ge628974.exe
852	metafor.exe
3444	metafor.exe
4872	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus0892.execor5296.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus0892.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor5296.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor5296.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a8be2d45b0364dd521b7aaeb90fe3d2f022d3b485732a374dbda9d2e869a75b9.exekino7232.exekino4230.exekino3874.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a8be2d45b0364dd521b7aaeb90fe3d2f022d3b485732a374dbda9d2e869a75b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a8be2d45b0364dd521b7aaeb90fe3d2f022d3b485732a374dbda9d2e869a75b9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino7232.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino7232.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino4230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino4230.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino3874.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino3874.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3484 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1600 4608 WerFault.exe cor5296.exe
1496 4932 WerFault.exe dbP42s65.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2472 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus0892.execor5296.exedbP42s65.exeen598758.exe

pid process

5040 bus0892.exe
5040 bus0892.exe
4608 cor5296.exe
4608 cor5296.exe
4932 dbP42s65.exe
4932 dbP42s65.exe
1208 en598758.exe
1208 en598758.exe

pid	process
3484	sc.exe

pid	pid_target	process	target process
1600	4608	WerFault.exe	cor5296.exe
1496	4932	WerFault.exe	dbP42s65.exe

pid	process
2472	schtasks.exe

pid	process
5040	bus0892.exe
5040	bus0892.exe
4608	cor5296.exe
4608	cor5296.exe
4932	dbP42s65.exe
4932	dbP42s65.exe
1208	en598758.exe
1208	en598758.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus0892.execor5296.exedbP42s65.exeen598758.exe

description	pid	process
Token: SeDebugPrivilege	5040	bus0892.exe
Token: SeDebugPrivilege	4608	cor5296.exe
Token: SeDebugPrivilege	4932	dbP42s65.exe
Token: SeDebugPrivilege	1208	en598758.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

a8be2d45b0364dd521b7aaeb90fe3d2f022d3b485732a374dbda9d2e869a75b9.exekino7232.exekino4230.exekino3874.exege628974.exemetafor.execmd.exe

description	pid	process	target process
PID 4404 wrote to memory of 2020	4404	a8be2d45b0364dd521b7aaeb90fe3d2f022d3b485732a374dbda9d2e869a75b9.exe	kino7232.exe
PID 4404 wrote to memory of 2020	4404	a8be2d45b0364dd521b7aaeb90fe3d2f022d3b485732a374dbda9d2e869a75b9.exe	kino7232.exe
PID 4404 wrote to memory of 2020	4404	a8be2d45b0364dd521b7aaeb90fe3d2f022d3b485732a374dbda9d2e869a75b9.exe	kino7232.exe
PID 2020 wrote to memory of 1832	2020	kino7232.exe	kino4230.exe
PID 2020 wrote to memory of 1832	2020	kino7232.exe	kino4230.exe
PID 2020 wrote to memory of 1832	2020	kino7232.exe	kino4230.exe
PID 1832 wrote to memory of 1392	1832	kino4230.exe	kino3874.exe
PID 1832 wrote to memory of 1392	1832	kino4230.exe	kino3874.exe
PID 1832 wrote to memory of 1392	1832	kino4230.exe	kino3874.exe
PID 1392 wrote to memory of 5040	1392	kino3874.exe	bus0892.exe
PID 1392 wrote to memory of 5040	1392	kino3874.exe	bus0892.exe
PID 1392 wrote to memory of 4608	1392	kino3874.exe	cor5296.exe
PID 1392 wrote to memory of 4608	1392	kino3874.exe	cor5296.exe
PID 1392 wrote to memory of 4608	1392	kino3874.exe	cor5296.exe
PID 1832 wrote to memory of 4932	1832	kino4230.exe	dbP42s65.exe
PID 1832 wrote to memory of 4932	1832	kino4230.exe	dbP42s65.exe
PID 1832 wrote to memory of 4932	1832	kino4230.exe	dbP42s65.exe
PID 2020 wrote to memory of 1208	2020	kino7232.exe	en598758.exe
PID 2020 wrote to memory of 1208	2020	kino7232.exe	en598758.exe
PID 2020 wrote to memory of 1208	2020	kino7232.exe	en598758.exe
PID 4404 wrote to memory of 1748	4404	a8be2d45b0364dd521b7aaeb90fe3d2f022d3b485732a374dbda9d2e869a75b9.exe	ge628974.exe
PID 4404 wrote to memory of 1748	4404	a8be2d45b0364dd521b7aaeb90fe3d2f022d3b485732a374dbda9d2e869a75b9.exe	ge628974.exe
PID 4404 wrote to memory of 1748	4404	a8be2d45b0364dd521b7aaeb90fe3d2f022d3b485732a374dbda9d2e869a75b9.exe	ge628974.exe
PID 1748 wrote to memory of 852	1748	ge628974.exe	metafor.exe
PID 1748 wrote to memory of 852	1748	ge628974.exe	metafor.exe
PID 1748 wrote to memory of 852	1748	ge628974.exe	metafor.exe
PID 852 wrote to memory of 2472	852	metafor.exe	schtasks.exe
PID 852 wrote to memory of 2472	852	metafor.exe	schtasks.exe
PID 852 wrote to memory of 2472	852	metafor.exe	schtasks.exe
PID 852 wrote to memory of 2916	852	metafor.exe	cmd.exe
PID 852 wrote to memory of 2916	852	metafor.exe	cmd.exe
PID 852 wrote to memory of 2916	852	metafor.exe	cmd.exe
PID 2916 wrote to memory of 1564	2916	cmd.exe	cmd.exe
PID 2916 wrote to memory of 1564	2916	cmd.exe	cmd.exe
PID 2916 wrote to memory of 1564	2916	cmd.exe	cmd.exe
PID 2916 wrote to memory of 3204	2916	cmd.exe	cacls.exe
PID 2916 wrote to memory of 3204	2916	cmd.exe	cacls.exe
PID 2916 wrote to memory of 3204	2916	cmd.exe	cacls.exe
PID 2916 wrote to memory of 3288	2916	cmd.exe	cacls.exe
PID 2916 wrote to memory of 3288	2916	cmd.exe	cacls.exe
PID 2916 wrote to memory of 3288	2916	cmd.exe	cacls.exe
PID 2916 wrote to memory of 552	2916	cmd.exe	cmd.exe
PID 2916 wrote to memory of 552	2916	cmd.exe	cmd.exe
PID 2916 wrote to memory of 552	2916	cmd.exe	cmd.exe
PID 2916 wrote to memory of 3668	2916	cmd.exe	cacls.exe
PID 2916 wrote to memory of 3668	2916	cmd.exe	cacls.exe
PID 2916 wrote to memory of 3668	2916	cmd.exe	cacls.exe
PID 2916 wrote to memory of 5112	2916	cmd.exe	cacls.exe
PID 2916 wrote to memory of 5112	2916	cmd.exe	cacls.exe
PID 2916 wrote to memory of 5112	2916	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\a8be2d45b0364dd521b7aaeb90fe3d2f022d3b485732a374dbda9d2e869a75b9.exe
"C:\Users\Admin\AppData\Local\Temp\a8be2d45b0364dd521b7aaeb90fe3d2f022d3b485732a374dbda9d2e869a75b9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7232.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7232.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino4230.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino4230.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino3874.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino3874.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1392
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0892.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0892.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5296.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5296.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4608
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 1080
        6⤵
        Program crash
        
        PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbP42s65.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbP42s65.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4932
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 1588
        5⤵
        Program crash
        
        PID:1496
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en598758.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en598758.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1208
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge628974.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge628974.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:2472
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1564
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:N"
        5⤵
        
        PID:3204
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:R" /E
        5⤵
        
        PID:3288
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:552
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:N"
        5⤵
        
        PID:3668
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:R" /E
        5⤵
        
        PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4608 -ip 4608
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4932 -ip 4932
1⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:3444

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:4872

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:3484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge628974.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge628974.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7232.exe

Filesize
837KB

MD5
e934c647c8516990fc66e449c96632ed

SHA1
93eb59b88cdaa93779604cc6e4ed75893bca925d

SHA256
5606e7d9d47f9452fd933a5d95d0c872a97c63ac48f22e078ba372483feb4041

SHA512
4a89cee6598fee753cb485d17f6e0807a4ff75756bc1093a914dafc1a5f289139fa44c7a2ccf69d315e53cbfbf7c11ff4186f17d51a252aa4fe324f59fb52490

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7232.exe

Filesize
837KB

MD5
e934c647c8516990fc66e449c96632ed

SHA1
93eb59b88cdaa93779604cc6e4ed75893bca925d

SHA256
5606e7d9d47f9452fd933a5d95d0c872a97c63ac48f22e078ba372483feb4041

SHA512
4a89cee6598fee753cb485d17f6e0807a4ff75756bc1093a914dafc1a5f289139fa44c7a2ccf69d315e53cbfbf7c11ff4186f17d51a252aa4fe324f59fb52490

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en598758.exe

Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en598758.exe

Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino4230.exe

Filesize
694KB

MD5
a2565c9e7be5d1c4f0dc9368d0f5d774

SHA1
87fd65c98394623ec4806427cf2b000e4e675063

SHA256
ee9abb900d8345ff62a0c45d2d2b73c4626ee4e2baad7e8b64a6bf29af6db0ef

SHA512
36651ea799b09771c3b2f9efc3f6f581535529759931a01d869499360953ef6109f69921bdd698e02ce59a1fabd0e8161e6be0370e5d8898801f30143190f03a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino4230.exe

Filesize
694KB

MD5
a2565c9e7be5d1c4f0dc9368d0f5d774

SHA1
87fd65c98394623ec4806427cf2b000e4e675063

SHA256
ee9abb900d8345ff62a0c45d2d2b73c4626ee4e2baad7e8b64a6bf29af6db0ef

SHA512
36651ea799b09771c3b2f9efc3f6f581535529759931a01d869499360953ef6109f69921bdd698e02ce59a1fabd0e8161e6be0370e5d8898801f30143190f03a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbP42s65.exe

Filesize
349KB

MD5
fef9b3523ae27c314112e540a119ea67

SHA1
cb5a842fd8060ee4bef918ab71b1e3bc87934596

SHA256
7ac94824aa425dcfd1ef49af96f1f0b22aab3b29f8b13a20c9d466a553a0805e

SHA512
e0b1ea471efbad258c88945fb27573c5b65aa9c594d6a780f15fd2f512805535275bcc6a20cf137d5bb54da18d99e6d39d81a33e7a77e5d10d65279574d34c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbP42s65.exe

Filesize
349KB

MD5
fef9b3523ae27c314112e540a119ea67

SHA1
cb5a842fd8060ee4bef918ab71b1e3bc87934596

SHA256
7ac94824aa425dcfd1ef49af96f1f0b22aab3b29f8b13a20c9d466a553a0805e

SHA512
e0b1ea471efbad258c88945fb27573c5b65aa9c594d6a780f15fd2f512805535275bcc6a20cf137d5bb54da18d99e6d39d81a33e7a77e5d10d65279574d34c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino3874.exe

Filesize
344KB

MD5
a5d5cf3ecd1026e2c04d0c2d47fa26f9

SHA1
d168ddb690c52a6de77315d878c930d7eedaefe9

SHA256
3603003da2c87a419c9559f0a6be5bc7c3e4a35fce043879b05a191c31f77364

SHA512
b0f6d9dc5ddba7116db22e1fc21e2b13b4ac66c016dc91724b62b92f1ea0626d90df0febf7f40ab71a0b3e94150ebb484c260c9f5a4c8476f0e444389997028b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino3874.exe

Filesize
344KB

MD5
a5d5cf3ecd1026e2c04d0c2d47fa26f9

SHA1
d168ddb690c52a6de77315d878c930d7eedaefe9

SHA256
3603003da2c87a419c9559f0a6be5bc7c3e4a35fce043879b05a191c31f77364

SHA512
b0f6d9dc5ddba7116db22e1fc21e2b13b4ac66c016dc91724b62b92f1ea0626d90df0febf7f40ab71a0b3e94150ebb484c260c9f5a4c8476f0e444389997028b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0892.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0892.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5296.exe

Filesize
291KB

MD5
681f7703c8a168566a840b23fbfbab06

SHA1
71fc122563827e6b7910dbd137274acf84f9cec4

SHA256
1656b195dc41d001bb9fdef62f0cf2729dd61106c85128b6c641daf0e8014fd1

SHA512
ded9b259d0dc00610517dad578e8cf0922216b5f33c61f2473f1981babf330f49163857068249e17636fdffe32d03d21a903de63806695626b6d264bf9ec0b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5296.exe

Filesize
291KB

MD5
681f7703c8a168566a840b23fbfbab06

SHA1
71fc122563827e6b7910dbd137274acf84f9cec4

SHA256
1656b195dc41d001bb9fdef62f0cf2729dd61106c85128b6c641daf0e8014fd1

SHA512
ded9b259d0dc00610517dad578e8cf0922216b5f33c61f2473f1981babf330f49163857068249e17636fdffe32d03d21a903de63806695626b6d264bf9ec0b31

Download Submit
memory/1208-1141-0x00000000059C0000-0x00000000059D0000-memory.dmp

Filesize
64KB

Download
memory/1208-1140-0x0000000000E10000-0x0000000000E42000-memory.dmp

Filesize
200KB

Download
memory/4608-177-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4608-200-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/4608-183-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4608-185-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4608-187-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4608-189-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4608-191-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4608-193-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4608-195-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4608-197-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4608-199-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4608-181-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4608-202-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/4608-201-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/4608-204-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/4608-179-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4608-175-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4608-173-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4608-172-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4608-171-0x0000000004D90000-0x0000000005334000-memory.dmp

Filesize
5.6MB

Download
memory/4608-170-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/4608-169-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/4608-168-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/4608-167-0x0000000000890000-0x00000000008BD000-memory.dmp

Filesize
180KB

Download
memory/4932-216-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4932-228-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4932-230-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4932-232-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4932-234-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4932-236-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4932-238-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4932-240-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4932-242-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4932-302-0x00000000023C0000-0x000000000240B000-memory.dmp

Filesize
300KB

Download
memory/4932-305-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4932-307-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4932-303-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4932-1119-0x0000000005450000-0x0000000005A68000-memory.dmp

Filesize
6.1MB

Download
memory/4932-1120-0x0000000005A70000-0x0000000005B7A000-memory.dmp

Filesize
1.0MB

Download
memory/4932-1121-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/4932-1122-0x0000000004E30000-0x0000000004E6C000-memory.dmp

Filesize
240KB

Download
memory/4932-1123-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4932-1124-0x0000000005E10000-0x0000000005EA2000-memory.dmp

Filesize
584KB

Download
memory/4932-1125-0x0000000005EB0000-0x0000000005F16000-memory.dmp

Filesize
408KB

Download
memory/4932-1127-0x0000000006820000-0x00000000069E2000-memory.dmp

Filesize
1.8MB

Download
memory/4932-1128-0x00000000069F0000-0x0000000006F1C000-memory.dmp

Filesize
5.2MB

Download
memory/4932-1129-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4932-1130-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4932-1131-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4932-1132-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4932-226-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4932-224-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4932-222-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4932-220-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4932-218-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4932-214-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4932-212-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4932-210-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4932-209-0x0000000002970000-0x00000000029AE000-memory.dmp

Filesize
248KB

Download
memory/4932-1133-0x00000000071A0000-0x0000000007216000-memory.dmp

Filesize
472KB

Download
memory/4932-1134-0x0000000007220000-0x0000000007270000-memory.dmp

Filesize
320KB

Download
memory/5040-161-0x00000000001F0000-0x00000000001FA000-memory.dmp

Filesize
40KB

Download