amadey | ed5b684ae25c136dfdade2c2bbff430ed15d7b853f18fb6f4e58c824191fb013

Analysis

max time kernel
142s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed5b684ae25c136dfdade2c2bbff430ed15d7b853f18fb6f4e58c824191fb013.exe
Size

1024KB
MD5

bda9dd37eb3f26cc886a407e9426648b
SHA1

23d96a5ac91f6600e9c6b1eac5e989f37980a1ff
SHA256

ed5b684ae25c136dfdade2c2bbff430ed15d7b853f18fb6f4e58c824191fb013
SHA512

0dd2550ada8b48db51eb9ea5ddf9d02b0dd885deeb10986dab70ae3fa746e9e191d99967f80cdb364bfb420c0c2ed3413acd8b6056aab553df93d04cccc0805d
SSDEEP

24576:2y6MGo5MfegWsRyIoGdQ9DfRKO/w9Y9XTowF7cjqph:F64MfegWs2Tw9Y9X8wej6

Score

10^/10

amadey redline down trap discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

trap

193.233.20.30:4125

Attributes

auth_value
b39a737e2e9eba88e48ab88d1061be9c

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

cor3748.exebus7443.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor3748.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor3748.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor3748.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor3748.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus7443.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus7443.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus7443.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus7443.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor3748.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor3748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus7443.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus7443.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4744-215-0x00000000052D0000-0x000000000530E000-memory.dmp	family_redline
behavioral1/memory/4744-214-0x00000000052D0000-0x000000000530E000-memory.dmp	family_redline
behavioral1/memory/4744-217-0x00000000052D0000-0x000000000530E000-memory.dmp	family_redline
behavioral1/memory/4744-219-0x00000000052D0000-0x000000000530E000-memory.dmp	family_redline
behavioral1/memory/4744-221-0x00000000052D0000-0x000000000530E000-memory.dmp	family_redline
behavioral1/memory/4744-223-0x00000000052D0000-0x000000000530E000-memory.dmp	family_redline
behavioral1/memory/4744-225-0x00000000052D0000-0x000000000530E000-memory.dmp	family_redline
behavioral1/memory/4744-227-0x00000000052D0000-0x000000000530E000-memory.dmp	family_redline
behavioral1/memory/4744-229-0x00000000052D0000-0x000000000530E000-memory.dmp	family_redline
behavioral1/memory/4744-231-0x00000000052D0000-0x000000000530E000-memory.dmp	family_redline
behavioral1/memory/4744-233-0x00000000052D0000-0x000000000530E000-memory.dmp	family_redline
behavioral1/memory/4744-235-0x00000000052D0000-0x000000000530E000-memory.dmp	family_redline
behavioral1/memory/4744-237-0x00000000052D0000-0x000000000530E000-memory.dmp	family_redline
behavioral1/memory/4744-239-0x00000000052D0000-0x000000000530E000-memory.dmp	family_redline
behavioral1/memory/4744-241-0x00000000052D0000-0x000000000530E000-memory.dmp	family_redline
behavioral1/memory/4744-243-0x00000000052D0000-0x000000000530E000-memory.dmp	family_redline
behavioral1/memory/4744-245-0x00000000052D0000-0x000000000530E000-memory.dmp	family_redline
behavioral1/memory/4744-247-0x00000000052D0000-0x000000000530E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge724781.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	ge724781.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 11 IoCs

Processes:

kino3638.exekino6997.exekino7482.exebus7443.execor3748.exedUG71s61.exeen032706.exege724781.exemetafor.exemetafor.exemetafor.exe

pid	process
3288	kino3638.exe
4228	kino6997.exe
2884	kino7482.exe
1356	bus7443.exe
3824	cor3748.exe
4744	dUG71s61.exe
1144	en032706.exe
3544	ge724781.exe
5032	metafor.exe
4540	metafor.exe
2328	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus7443.execor3748.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus7443.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor3748.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor3748.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino3638.exekino6997.exekino7482.exeed5b684ae25c136dfdade2c2bbff430ed15d7b853f18fb6f4e58c824191fb013.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino3638.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino3638.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino6997.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino6997.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino7482.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino7482.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ed5b684ae25c136dfdade2c2bbff430ed15d7b853f18fb6f4e58c824191fb013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ed5b684ae25c136dfdade2c2bbff430ed15d7b853f18fb6f4e58c824191fb013.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3696 3824 WerFault.exe cor3748.exe
1240 4744 WerFault.exe dUG71s61.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3392 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus7443.execor3748.exedUG71s61.exeen032706.exe

pid process

1356 bus7443.exe
1356 bus7443.exe
3824 cor3748.exe
3824 cor3748.exe
4744 dUG71s61.exe
4744 dUG71s61.exe
1144 en032706.exe
1144 en032706.exe

pid	pid_target	process	target process
3696	3824	WerFault.exe	cor3748.exe
1240	4744	WerFault.exe	dUG71s61.exe

pid	process
3392	schtasks.exe

pid	process
1356	bus7443.exe
1356	bus7443.exe
3824	cor3748.exe
3824	cor3748.exe
4744	dUG71s61.exe
4744	dUG71s61.exe
1144	en032706.exe
1144	en032706.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus7443.execor3748.exedUG71s61.exeen032706.exe

description	pid	process
Token: SeDebugPrivilege	1356	bus7443.exe
Token: SeDebugPrivilege	3824	cor3748.exe
Token: SeDebugPrivilege	4744	dUG71s61.exe
Token: SeDebugPrivilege	1144	en032706.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

ed5b684ae25c136dfdade2c2bbff430ed15d7b853f18fb6f4e58c824191fb013.exekino3638.exekino6997.exekino7482.exege724781.exemetafor.execmd.exe

description	pid	process	target process
PID 2132 wrote to memory of 3288	2132	ed5b684ae25c136dfdade2c2bbff430ed15d7b853f18fb6f4e58c824191fb013.exe	kino3638.exe
PID 2132 wrote to memory of 3288	2132	ed5b684ae25c136dfdade2c2bbff430ed15d7b853f18fb6f4e58c824191fb013.exe	kino3638.exe
PID 2132 wrote to memory of 3288	2132	ed5b684ae25c136dfdade2c2bbff430ed15d7b853f18fb6f4e58c824191fb013.exe	kino3638.exe
PID 3288 wrote to memory of 4228	3288	kino3638.exe	kino6997.exe
PID 3288 wrote to memory of 4228	3288	kino3638.exe	kino6997.exe
PID 3288 wrote to memory of 4228	3288	kino3638.exe	kino6997.exe
PID 4228 wrote to memory of 2884	4228	kino6997.exe	kino7482.exe
PID 4228 wrote to memory of 2884	4228	kino6997.exe	kino7482.exe
PID 4228 wrote to memory of 2884	4228	kino6997.exe	kino7482.exe
PID 2884 wrote to memory of 1356	2884	kino7482.exe	bus7443.exe
PID 2884 wrote to memory of 1356	2884	kino7482.exe	bus7443.exe
PID 2884 wrote to memory of 3824	2884	kino7482.exe	cor3748.exe
PID 2884 wrote to memory of 3824	2884	kino7482.exe	cor3748.exe
PID 2884 wrote to memory of 3824	2884	kino7482.exe	cor3748.exe
PID 4228 wrote to memory of 4744	4228	kino6997.exe	dUG71s61.exe
PID 4228 wrote to memory of 4744	4228	kino6997.exe	dUG71s61.exe
PID 4228 wrote to memory of 4744	4228	kino6997.exe	dUG71s61.exe
PID 3288 wrote to memory of 1144	3288	kino3638.exe	en032706.exe
PID 3288 wrote to memory of 1144	3288	kino3638.exe	en032706.exe
PID 3288 wrote to memory of 1144	3288	kino3638.exe	en032706.exe
PID 2132 wrote to memory of 3544	2132	ed5b684ae25c136dfdade2c2bbff430ed15d7b853f18fb6f4e58c824191fb013.exe	ge724781.exe
PID 2132 wrote to memory of 3544	2132	ed5b684ae25c136dfdade2c2bbff430ed15d7b853f18fb6f4e58c824191fb013.exe	ge724781.exe
PID 2132 wrote to memory of 3544	2132	ed5b684ae25c136dfdade2c2bbff430ed15d7b853f18fb6f4e58c824191fb013.exe	ge724781.exe
PID 3544 wrote to memory of 5032	3544	ge724781.exe	metafor.exe
PID 3544 wrote to memory of 5032	3544	ge724781.exe	metafor.exe
PID 3544 wrote to memory of 5032	3544	ge724781.exe	metafor.exe
PID 5032 wrote to memory of 3392	5032	metafor.exe	schtasks.exe
PID 5032 wrote to memory of 3392	5032	metafor.exe	schtasks.exe
PID 5032 wrote to memory of 3392	5032	metafor.exe	schtasks.exe
PID 5032 wrote to memory of 4612	5032	metafor.exe	cmd.exe
PID 5032 wrote to memory of 4612	5032	metafor.exe	cmd.exe
PID 5032 wrote to memory of 4612	5032	metafor.exe	cmd.exe
PID 4612 wrote to memory of 388	4612	cmd.exe	cmd.exe
PID 4612 wrote to memory of 388	4612	cmd.exe	cmd.exe
PID 4612 wrote to memory of 388	4612	cmd.exe	cmd.exe
PID 4612 wrote to memory of 2804	4612	cmd.exe	cacls.exe
PID 4612 wrote to memory of 2804	4612	cmd.exe	cacls.exe
PID 4612 wrote to memory of 2804	4612	cmd.exe	cacls.exe
PID 4612 wrote to memory of 4840	4612	cmd.exe	cacls.exe
PID 4612 wrote to memory of 4840	4612	cmd.exe	cacls.exe
PID 4612 wrote to memory of 4840	4612	cmd.exe	cacls.exe
PID 4612 wrote to memory of 4880	4612	cmd.exe	cmd.exe
PID 4612 wrote to memory of 4880	4612	cmd.exe	cmd.exe
PID 4612 wrote to memory of 4880	4612	cmd.exe	cmd.exe
PID 4612 wrote to memory of 3748	4612	cmd.exe	cacls.exe
PID 4612 wrote to memory of 3748	4612	cmd.exe	cacls.exe
PID 4612 wrote to memory of 3748	4612	cmd.exe	cacls.exe
PID 4612 wrote to memory of 932	4612	cmd.exe	cacls.exe
PID 4612 wrote to memory of 932	4612	cmd.exe	cacls.exe
PID 4612 wrote to memory of 932	4612	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\ed5b684ae25c136dfdade2c2bbff430ed15d7b853f18fb6f4e58c824191fb013.exe
"C:\Users\Admin\AppData\Local\Temp\ed5b684ae25c136dfdade2c2bbff430ed15d7b853f18fb6f4e58c824191fb013.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino3638.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino3638.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6997.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6997.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4228
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7482.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7482.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7443.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7443.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3748.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3748.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3824
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 1064
        6⤵
        Program crash
        
        PID:3696
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dUG71s61.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dUG71s61.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4744
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1952
        5⤵
        Program crash
        
        PID:1240
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en032706.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en032706.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge724781.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge724781.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3544
- - C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3392
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4612
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:388
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:N"
        5⤵
        
        PID:2804
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:R" /E
        5⤵
        
        PID:4840
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4880
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:N"
        5⤵
        
        PID:3748
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:R" /E
        5⤵
        
        PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3824 -ip 3824
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4744 -ip 4744
1⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:4540

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:2328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge724781.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge724781.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino3638.exe

Filesize
842KB

MD5
199221ec8f1ef316537741ab7e67043e

SHA1
74d8148b067ee62c52922e0ce855b043d8f8eb51

SHA256
c79118bd0c9f008173dbd5e76888670120dea3efa11e2ba5bd2a8e85088e5325

SHA512
426f581167c3d87291b19c472644196e026c2bc97f690631d5247d35fecce9cd9702add986f68d3d7472a2ea1860638b1af0147a489245ed1178b3df477fc8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino3638.exe

Filesize
842KB

MD5
199221ec8f1ef316537741ab7e67043e

SHA1
74d8148b067ee62c52922e0ce855b043d8f8eb51

SHA256
c79118bd0c9f008173dbd5e76888670120dea3efa11e2ba5bd2a8e85088e5325

SHA512
426f581167c3d87291b19c472644196e026c2bc97f690631d5247d35fecce9cd9702add986f68d3d7472a2ea1860638b1af0147a489245ed1178b3df477fc8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en032706.exe

Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en032706.exe

Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6997.exe

Filesize
699KB

MD5
f0547732629783b736695c7aa04b17ad

SHA1
1ca7e5e2fc9627c8fde2b6aa785226a35286b664

SHA256
e717719a8c53139329484cafe3a87b714d47d65c080c72135fc28c4a08afa577

SHA512
6838c7fdc14f52a9e0dfbaeeb8473885511ce2ed1bedd107ab620c6ac7260e5cf3243d5d25dea85d54db4f3a2192a93e60bf306fc500ee1d60f0e23a2805d16e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6997.exe

Filesize
699KB

MD5
f0547732629783b736695c7aa04b17ad

SHA1
1ca7e5e2fc9627c8fde2b6aa785226a35286b664

SHA256
e717719a8c53139329484cafe3a87b714d47d65c080c72135fc28c4a08afa577

SHA512
6838c7fdc14f52a9e0dfbaeeb8473885511ce2ed1bedd107ab620c6ac7260e5cf3243d5d25dea85d54db4f3a2192a93e60bf306fc500ee1d60f0e23a2805d16e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dUG71s61.exe

Filesize
358KB

MD5
dc7a71c5f52927b8909abc7338f55119

SHA1
1f120819a9d603c71662a68cf0b3b4a98b11d11b

SHA256
921d392111d0654fe5cb6b349dd0e7ea279c159adfe4f99d0a6d93be8f443f35

SHA512
c11092a88f50739bb38984f2e5923f6881ee92ab5c164c50666fecebcd766359bfe2d52eae205264596215c09e6174a2821bdc15b79e5af957be25b5192c96da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dUG71s61.exe

Filesize
358KB

MD5
dc7a71c5f52927b8909abc7338f55119

SHA1
1f120819a9d603c71662a68cf0b3b4a98b11d11b

SHA256
921d392111d0654fe5cb6b349dd0e7ea279c159adfe4f99d0a6d93be8f443f35

SHA512
c11092a88f50739bb38984f2e5923f6881ee92ab5c164c50666fecebcd766359bfe2d52eae205264596215c09e6174a2821bdc15b79e5af957be25b5192c96da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7482.exe

Filesize
346KB

MD5
2f77990ad09584e17c9b72bf66f3947c

SHA1
40566d7d45f0de5b329044922b0b53460f04a1db

SHA256
03f6439d25ee7910ca69e912c3eb5d1f27630ad25789a61157f96beecc86dcf3

SHA512
8cb05a39fadfa5d190498ee78b08f758cddb536cd2a7bc2991f72e3e29a0b44b9dfe40b1448619357c898fe81d4e9457e475765fb7b0460d8890dbbad199db21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7482.exe

Filesize
346KB

MD5
2f77990ad09584e17c9b72bf66f3947c

SHA1
40566d7d45f0de5b329044922b0b53460f04a1db

SHA256
03f6439d25ee7910ca69e912c3eb5d1f27630ad25789a61157f96beecc86dcf3

SHA512
8cb05a39fadfa5d190498ee78b08f758cddb536cd2a7bc2991f72e3e29a0b44b9dfe40b1448619357c898fe81d4e9457e475765fb7b0460d8890dbbad199db21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7443.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7443.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3748.exe

Filesize
300KB

MD5
036980aa88b98c6a3e5bed801a2cdf32

SHA1
a65190f047b58e7a0800153b12636ba5405ebbb3

SHA256
e41fe41c9513c0935f0a485ddac38cd4d688a4354071d52d37ac5892825f7ba1

SHA512
feae02a019158ee60ec5e88b8c5d542274c4cecd4513b95238e2f896b800ec2ce7dac1c065e90bfe78673d6f6ba67558b8b53b827def22e317dfbbed5cf6b667

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3748.exe

Filesize
300KB

MD5
036980aa88b98c6a3e5bed801a2cdf32

SHA1
a65190f047b58e7a0800153b12636ba5405ebbb3

SHA256
e41fe41c9513c0935f0a485ddac38cd4d688a4354071d52d37ac5892825f7ba1

SHA512
feae02a019158ee60ec5e88b8c5d542274c4cecd4513b95238e2f896b800ec2ce7dac1c065e90bfe78673d6f6ba67558b8b53b827def22e317dfbbed5cf6b667

Download Submit
memory/1144-1142-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/1144-1141-0x0000000000F80000-0x0000000000FB2000-memory.dmp

Filesize
200KB

Download
memory/1356-161-0x00000000006A0000-0x00000000006AA000-memory.dmp

Filesize
40KB

Download
memory/3824-181-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3824-203-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3824-185-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3824-187-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3824-189-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3824-191-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3824-193-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3824-195-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3824-197-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3824-199-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3824-200-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/3824-201-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3824-202-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3824-183-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3824-205-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/3824-179-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3824-177-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3824-175-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3824-173-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3824-172-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3824-171-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3824-170-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3824-169-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3824-168-0x0000000004DC0000-0x0000000005364000-memory.dmp

Filesize
5.6MB

Download
memory/3824-167-0x0000000000860000-0x000000000088D000-memory.dmp

Filesize
180KB

Download
memory/4744-213-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/4744-227-0x00000000052D0000-0x000000000530E000-memory.dmp

Filesize
248KB

Download
memory/4744-229-0x00000000052D0000-0x000000000530E000-memory.dmp

Filesize
248KB

Download
memory/4744-231-0x00000000052D0000-0x000000000530E000-memory.dmp

Filesize
248KB

Download
memory/4744-233-0x00000000052D0000-0x000000000530E000-memory.dmp

Filesize
248KB

Download
memory/4744-235-0x00000000052D0000-0x000000000530E000-memory.dmp

Filesize
248KB

Download
memory/4744-237-0x00000000052D0000-0x000000000530E000-memory.dmp

Filesize
248KB

Download
memory/4744-239-0x00000000052D0000-0x000000000530E000-memory.dmp

Filesize
248KB

Download
memory/4744-241-0x00000000052D0000-0x000000000530E000-memory.dmp

Filesize
248KB

Download
memory/4744-243-0x00000000052D0000-0x000000000530E000-memory.dmp

Filesize
248KB

Download
memory/4744-245-0x00000000052D0000-0x000000000530E000-memory.dmp

Filesize
248KB

Download
memory/4744-247-0x00000000052D0000-0x000000000530E000-memory.dmp

Filesize
248KB

Download
memory/4744-1120-0x0000000005460000-0x0000000005A78000-memory.dmp

Filesize
6.1MB

Download
memory/4744-1121-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/4744-1122-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/4744-1123-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/4744-1124-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/4744-1125-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/4744-1128-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/4744-1127-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/4744-1129-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/4744-1130-0x0000000006600000-0x0000000006692000-memory.dmp

Filesize
584KB

Download
memory/4744-1131-0x0000000006930000-0x00000000069A6000-memory.dmp

Filesize
472KB

Download
memory/4744-1132-0x00000000069C0000-0x0000000006A10000-memory.dmp

Filesize
320KB

Download
memory/4744-1133-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/4744-1134-0x0000000006BB0000-0x0000000006D72000-memory.dmp

Filesize
1.8MB

Download
memory/4744-225-0x00000000052D0000-0x000000000530E000-memory.dmp

Filesize
248KB

Download
memory/4744-223-0x00000000052D0000-0x000000000530E000-memory.dmp

Filesize
248KB

Download
memory/4744-221-0x00000000052D0000-0x000000000530E000-memory.dmp

Filesize
248KB

Download
memory/4744-219-0x00000000052D0000-0x000000000530E000-memory.dmp

Filesize
248KB

Download
memory/4744-217-0x00000000052D0000-0x000000000530E000-memory.dmp

Filesize
248KB

Download
memory/4744-214-0x00000000052D0000-0x000000000530E000-memory.dmp

Filesize
248KB

Download
memory/4744-215-0x00000000052D0000-0x000000000530E000-memory.dmp

Filesize
248KB

Download
memory/4744-211-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/4744-212-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/4744-210-0x00000000007C0000-0x000000000080B000-memory.dmp

Filesize
300KB

Download
memory/4744-1135-0x0000000006D80000-0x00000000072AC000-memory.dmp

Filesize
5.2MB

Download