amadey | 133cbbd0b4eb639cd74aed1ab4c7b5fcb68bd06aa7a3cdf8c23106c7e0e03be8

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

133cbbd0b4eb639cd74aed1ab4c7b5fcb68bd06aa7a3cdf8c23106c7e0e03be8.exe
Size

1.0MB
MD5

506481fd1852d9ea7fd68ad8bbbae6c0
SHA1

c9cf11bf4efdef053a770341ce91f5f99da24d56
SHA256

133cbbd0b4eb639cd74aed1ab4c7b5fcb68bd06aa7a3cdf8c23106c7e0e03be8
SHA512

c4eb732221fece2eb97acabd5e1e3512055c3f8a3fb9c26da5e9baee0ab092b7545c81b918be9dba859db4f25d9f0ce36fc51aec2e5c489082e8c35e490c78d5
SSDEEP

24576:lyWyVY1Azk2FRzLiwKz1Cxjf+/CVbxCnsYtMFs/10187nO:At0OjFRmQ5dNCnjasdm8

Score

10^/10

amadey redline down trap discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

trap

193.233.20.30:4125

Attributes

auth_value
b39a737e2e9eba88e48ab88d1061be9c

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bus8394.execor4946.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus8394.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus8394.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor4946.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor4946.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor4946.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor4946.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor4946.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus8394.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus8394.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus8394.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus8394.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor4946.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/568-210-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/568-211-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/568-213-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/568-215-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/568-217-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/568-219-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/568-221-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/568-223-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/568-225-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/568-227-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/568-229-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/568-231-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/568-233-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/568-235-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/568-239-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/568-237-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/568-241-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/568-243-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/568-313-0x0000000002720000-0x0000000002730000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

metafor.exege648789.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	metafor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	ge648789.exe

Executes dropped EXE 11 IoCs

Processes:

kino1342.exekino3285.exekino6716.exebus8394.execor4946.exedOG64s62.exeen781056.exege648789.exemetafor.exemetafor.exemetafor.exe

pid	process
2368	kino1342.exe
4252	kino3285.exe
3960	kino6716.exe
4672	bus8394.exe
1940	cor4946.exe
568	dOG64s62.exe
3628	en781056.exe
2024	ge648789.exe
4280	metafor.exe
2736	metafor.exe
216	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus8394.execor4946.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus8394.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor4946.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor4946.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino6716.exe133cbbd0b4eb639cd74aed1ab4c7b5fcb68bd06aa7a3cdf8c23106c7e0e03be8.exekino1342.exekino3285.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino6716.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	133cbbd0b4eb639cd74aed1ab4c7b5fcb68bd06aa7a3cdf8c23106c7e0e03be8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	133cbbd0b4eb639cd74aed1ab4c7b5fcb68bd06aa7a3cdf8c23106c7e0e03be8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino1342.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino1342.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino3285.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino3285.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino6716.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3292 1940 WerFault.exe cor4946.exe
4012 568 WerFault.exe dOG64s62.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4676 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus8394.execor4946.exedOG64s62.exeen781056.exe

pid process

4672 bus8394.exe
4672 bus8394.exe
1940 cor4946.exe
1940 cor4946.exe
568 dOG64s62.exe
568 dOG64s62.exe
3628 en781056.exe
3628 en781056.exe

pid	pid_target	process	target process
3292	1940	WerFault.exe	cor4946.exe
4012	568	WerFault.exe	dOG64s62.exe

pid	process
4676	schtasks.exe

pid	process
4672	bus8394.exe
4672	bus8394.exe
1940	cor4946.exe
1940	cor4946.exe
568	dOG64s62.exe
568	dOG64s62.exe
3628	en781056.exe
3628	en781056.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus8394.execor4946.exedOG64s62.exeen781056.exe

description	pid	process
Token: SeDebugPrivilege	4672	bus8394.exe
Token: SeDebugPrivilege	1940	cor4946.exe
Token: SeDebugPrivilege	568	dOG64s62.exe
Token: SeDebugPrivilege	3628	en781056.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

133cbbd0b4eb639cd74aed1ab4c7b5fcb68bd06aa7a3cdf8c23106c7e0e03be8.exekino1342.exekino3285.exekino6716.exege648789.exemetafor.execmd.exe

description	pid	process	target process
PID 1156 wrote to memory of 2368	1156	133cbbd0b4eb639cd74aed1ab4c7b5fcb68bd06aa7a3cdf8c23106c7e0e03be8.exe	kino1342.exe
PID 1156 wrote to memory of 2368	1156	133cbbd0b4eb639cd74aed1ab4c7b5fcb68bd06aa7a3cdf8c23106c7e0e03be8.exe	kino1342.exe
PID 1156 wrote to memory of 2368	1156	133cbbd0b4eb639cd74aed1ab4c7b5fcb68bd06aa7a3cdf8c23106c7e0e03be8.exe	kino1342.exe
PID 2368 wrote to memory of 4252	2368	kino1342.exe	kino3285.exe
PID 2368 wrote to memory of 4252	2368	kino1342.exe	kino3285.exe
PID 2368 wrote to memory of 4252	2368	kino1342.exe	kino3285.exe
PID 4252 wrote to memory of 3960	4252	kino3285.exe	kino6716.exe
PID 4252 wrote to memory of 3960	4252	kino3285.exe	kino6716.exe
PID 4252 wrote to memory of 3960	4252	kino3285.exe	kino6716.exe
PID 3960 wrote to memory of 4672	3960	kino6716.exe	bus8394.exe
PID 3960 wrote to memory of 4672	3960	kino6716.exe	bus8394.exe
PID 3960 wrote to memory of 1940	3960	kino6716.exe	cor4946.exe
PID 3960 wrote to memory of 1940	3960	kino6716.exe	cor4946.exe
PID 3960 wrote to memory of 1940	3960	kino6716.exe	cor4946.exe
PID 4252 wrote to memory of 568	4252	kino3285.exe	dOG64s62.exe
PID 4252 wrote to memory of 568	4252	kino3285.exe	dOG64s62.exe
PID 4252 wrote to memory of 568	4252	kino3285.exe	dOG64s62.exe
PID 2368 wrote to memory of 3628	2368	kino1342.exe	en781056.exe
PID 2368 wrote to memory of 3628	2368	kino1342.exe	en781056.exe
PID 2368 wrote to memory of 3628	2368	kino1342.exe	en781056.exe
PID 1156 wrote to memory of 2024	1156	133cbbd0b4eb639cd74aed1ab4c7b5fcb68bd06aa7a3cdf8c23106c7e0e03be8.exe	ge648789.exe
PID 1156 wrote to memory of 2024	1156	133cbbd0b4eb639cd74aed1ab4c7b5fcb68bd06aa7a3cdf8c23106c7e0e03be8.exe	ge648789.exe
PID 1156 wrote to memory of 2024	1156	133cbbd0b4eb639cd74aed1ab4c7b5fcb68bd06aa7a3cdf8c23106c7e0e03be8.exe	ge648789.exe
PID 2024 wrote to memory of 4280	2024	ge648789.exe	metafor.exe
PID 2024 wrote to memory of 4280	2024	ge648789.exe	metafor.exe
PID 2024 wrote to memory of 4280	2024	ge648789.exe	metafor.exe
PID 4280 wrote to memory of 4676	4280	metafor.exe	schtasks.exe
PID 4280 wrote to memory of 4676	4280	metafor.exe	schtasks.exe
PID 4280 wrote to memory of 4676	4280	metafor.exe	schtasks.exe
PID 4280 wrote to memory of 1404	4280	metafor.exe	cmd.exe
PID 4280 wrote to memory of 1404	4280	metafor.exe	cmd.exe
PID 4280 wrote to memory of 1404	4280	metafor.exe	cmd.exe
PID 1404 wrote to memory of 4084	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 4084	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 4084	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 2104	1404	cmd.exe	cacls.exe
PID 1404 wrote to memory of 2104	1404	cmd.exe	cacls.exe
PID 1404 wrote to memory of 2104	1404	cmd.exe	cacls.exe
PID 1404 wrote to memory of 2352	1404	cmd.exe	cacls.exe
PID 1404 wrote to memory of 2352	1404	cmd.exe	cacls.exe
PID 1404 wrote to memory of 2352	1404	cmd.exe	cacls.exe
PID 1404 wrote to memory of 4844	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 4844	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 4844	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 3676	1404	cmd.exe	cacls.exe
PID 1404 wrote to memory of 3676	1404	cmd.exe	cacls.exe
PID 1404 wrote to memory of 3676	1404	cmd.exe	cacls.exe
PID 1404 wrote to memory of 772	1404	cmd.exe	cacls.exe
PID 1404 wrote to memory of 772	1404	cmd.exe	cacls.exe
PID 1404 wrote to memory of 772	1404	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\133cbbd0b4eb639cd74aed1ab4c7b5fcb68bd06aa7a3cdf8c23106c7e0e03be8.exe
"C:\Users\Admin\AppData\Local\Temp\133cbbd0b4eb639cd74aed1ab4c7b5fcb68bd06aa7a3cdf8c23106c7e0e03be8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1342.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1342.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2368

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3285.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3285.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4252

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino6716.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino6716.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3960

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8394.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8394.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor4946.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor4946.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 1084
6⤵
- Program crash
PID:3292

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dOG64s62.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dOG64s62.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 1624
5⤵
- Program crash
PID:4012

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en781056.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en781056.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge648789.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge648789.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:4676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4084

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:2104

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:2352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4844

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:3676

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1940 -ip 1940
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 568 -ip 568
1⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:2736

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge648789.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge648789.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1342.exe
Filesize
841KB

MD5
9e5698bc608731773919d320ec109e38

SHA1
69397155b2bdd42a38cfe18d3b139f8f968440d7

SHA256
b1a74d03545c698ad70d0a54ed3696e27284775406a0951089e4bd72209f8688

SHA512
d61257bdee674c820439885cc776885c8c4008a63073b8244654db51848a00383cfed0c7fbe6f63f11c6b19aec8585bac717acf11b2b45614bc1d95962f78484

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1342.exe
Filesize
841KB

MD5
9e5698bc608731773919d320ec109e38

SHA1
69397155b2bdd42a38cfe18d3b139f8f968440d7

SHA256
b1a74d03545c698ad70d0a54ed3696e27284775406a0951089e4bd72209f8688

SHA512
d61257bdee674c820439885cc776885c8c4008a63073b8244654db51848a00383cfed0c7fbe6f63f11c6b19aec8585bac717acf11b2b45614bc1d95962f78484

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en781056.exe
Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en781056.exe
Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3285.exe
Filesize
699KB

MD5
4ffd179bbbaeb72723acd05e86b0e11e

SHA1
5fda8689ff7e46c68206227bd5e154617a66617b

SHA256
b7d54bf82b5ff9a072b9aaf0d68eaaa608d9292eb6284acdea597a7e3fc3904e

SHA512
38f21c07e4f6d995f7f3f8f4da5b91d3497b22946c3f3bd3e102b27f9bd24505209aa916ff11eec8f789cdebe74db388bc240938b35384367f0fe2b22edc4b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3285.exe
Filesize
699KB

MD5
4ffd179bbbaeb72723acd05e86b0e11e

SHA1
5fda8689ff7e46c68206227bd5e154617a66617b

SHA256
b7d54bf82b5ff9a072b9aaf0d68eaaa608d9292eb6284acdea597a7e3fc3904e

SHA512
38f21c07e4f6d995f7f3f8f4da5b91d3497b22946c3f3bd3e102b27f9bd24505209aa916ff11eec8f789cdebe74db388bc240938b35384367f0fe2b22edc4b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dOG64s62.exe
Filesize
358KB

MD5
4d13044e3aad1aedbfabf979be3937b6

SHA1
75ae6411a6da5b913d2d5bb757fb69f48a41e113

SHA256
c7798b386501bdc452352e9e8dc59528697c32757e43e282380da677c8804033

SHA512
87c39ac6de460c111ca791fd6d6aa1df9aec806c0db9448c0973c851a25109bf8b4a0bcaeaf0425942183d11b022f93352c0fa9fc9ab616b1af42288a21fc047

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dOG64s62.exe
Filesize
358KB

MD5
4d13044e3aad1aedbfabf979be3937b6

SHA1
75ae6411a6da5b913d2d5bb757fb69f48a41e113

SHA256
c7798b386501bdc452352e9e8dc59528697c32757e43e282380da677c8804033

SHA512
87c39ac6de460c111ca791fd6d6aa1df9aec806c0db9448c0973c851a25109bf8b4a0bcaeaf0425942183d11b022f93352c0fa9fc9ab616b1af42288a21fc047

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino6716.exe
Filesize
346KB

MD5
d1c778bcea62f85d153abe576438773b

SHA1
d7e2ecd0687baeae7fa0109fe70503f50be41404

SHA256
44338ddcef2c1646ff78a8b465699bc79a97bfb74a41073ec9af95d888b9c593

SHA512
223fdf66d18439f034aae1d1d4318307e91b7e0e127cdc119ca65580dc6822bf9d38850e100de7b105b9f17862a354ae9a2fac3ee47f8cf34cfa2bf2be091fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino6716.exe
Filesize
346KB

MD5
d1c778bcea62f85d153abe576438773b

SHA1
d7e2ecd0687baeae7fa0109fe70503f50be41404

SHA256
44338ddcef2c1646ff78a8b465699bc79a97bfb74a41073ec9af95d888b9c593

SHA512
223fdf66d18439f034aae1d1d4318307e91b7e0e127cdc119ca65580dc6822bf9d38850e100de7b105b9f17862a354ae9a2fac3ee47f8cf34cfa2bf2be091fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8394.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8394.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor4946.exe
Filesize
300KB

MD5
34a4a0101cc7fda01a65f4dc4ad854b7

SHA1
b91ca9ab475a320c4ba48bfa1e8b051ea5c51c98

SHA256
d991db6beb2555463e7541baff8005ea8755bacaac39d93ca073442ffb6b41ab

SHA512
1d7b2329e318b88477440047fb72878999bba7a7d61efc533fd1c42cb05b15ddd0aa8eee3182b9fffcd2db86119e0e4903448051b7c9c4633568662259128589

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor4946.exe
Filesize
300KB

MD5
34a4a0101cc7fda01a65f4dc4ad854b7

SHA1
b91ca9ab475a320c4ba48bfa1e8b051ea5c51c98

SHA256
d991db6beb2555463e7541baff8005ea8755bacaac39d93ca073442ffb6b41ab

SHA512
1d7b2329e318b88477440047fb72878999bba7a7d61efc533fd1c42cb05b15ddd0aa8eee3182b9fffcd2db86119e0e4903448051b7c9c4633568662259128589

Download Submit
memory/568-1123-0x0000000002720000-0x0000000002730000-memory.dmp

Filesize
64KB

Download
memory/568-1128-0x0000000002720000-0x0000000002730000-memory.dmp

Filesize
64KB

Download
memory/568-1133-0x0000000002720000-0x0000000002730000-memory.dmp

Filesize
64KB

Download
memory/568-1132-0x0000000006FF0000-0x0000000007040000-memory.dmp

Filesize
320KB

Download
memory/568-1131-0x0000000006F70000-0x0000000006FE6000-memory.dmp

Filesize
472KB

Download
memory/568-1130-0x00000000068F0000-0x0000000006E1C000-memory.dmp

Filesize
5.2MB

Download
memory/568-1129-0x0000000006710000-0x00000000068D2000-memory.dmp

Filesize
1.8MB

Download
memory/568-1127-0x0000000002720000-0x0000000002730000-memory.dmp

Filesize
64KB

Download
memory/568-1126-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/568-1125-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/568-1122-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/568-1121-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/568-1120-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/568-1119-0x0000000005480000-0x0000000005A98000-memory.dmp

Filesize
6.1MB

Download
memory/568-313-0x0000000002720000-0x0000000002730000-memory.dmp

Filesize
64KB

Download
memory/568-311-0x0000000002720000-0x0000000002730000-memory.dmp

Filesize
64KB

Download
memory/568-309-0x00000000007F0000-0x000000000083B000-memory.dmp

Filesize
300KB

Download
memory/568-210-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/568-211-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/568-213-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/568-215-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/568-217-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/568-219-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/568-221-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/568-223-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/568-225-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/568-227-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/568-229-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/568-231-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/568-233-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/568-235-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/568-239-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/568-237-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/568-241-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/568-243-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/1940-192-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1940-168-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/1940-205-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/1940-204-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/1940-202-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/1940-201-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/1940-200-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/1940-180-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1940-199-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/1940-198-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1940-194-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1940-184-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1940-196-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1940-182-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1940-174-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1940-186-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1940-188-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1940-176-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1940-178-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1940-167-0x0000000000750000-0x000000000077D000-memory.dmp

Filesize
180KB

Download
memory/1940-190-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1940-172-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1940-171-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1940-170-0x0000000004CA0000-0x0000000005244000-memory.dmp

Filesize
5.6MB

Download
memory/1940-169-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/3628-1140-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download
memory/3628-1139-0x0000000000C60000-0x0000000000C92000-memory.dmp

Filesize
200KB

Download
memory/4672-161-0x0000000000A80000-0x0000000000A8A000-memory.dmp

Filesize
40KB

Download