amadey | d4ffc1ec1353543b825c7f2d82a591d41f08d98be854a6b39c0c59206a1d78ac

Analysis

max time kernel
98s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4ffc1ec1353543b825c7f2d82a591d41f08d98be854a6b39c0c59206a1d78ac.exe
Size

1011KB
MD5

0fff9e9ef7ce4af9990b180c4bdfd13d
SHA1

e6a33f206aee4ff8ca31aec4a5534f590462681c
SHA256

d4ffc1ec1353543b825c7f2d82a591d41f08d98be854a6b39c0c59206a1d78ac
SHA512

103282e8c26368dd2fc5ca9e16c1b1b47f894ead61259b150031fa3427e3c014285538eb4158c0c793166df377e42b21b62602dc4425a74275d8f9f5a3f63f08
SSDEEP

24576:FywThDGXJbbJpqn372BhN+G9RIg+tmMoZ9Z:gukX5JpS3AhNNZpZ9

Score

10^/10

amadey redline down roxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

roxi

193.233.20.31:4125

Attributes

auth_value
9d8be78c896acc3cf8b8a6637a221376

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bus2627.execor2941.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus2627.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus2627.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus2627.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus2627.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus2627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor2941.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor2941.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus2627.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor2941.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor2941.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor2941.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor2941.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1112-213-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1112-211-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1112-216-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1112-218-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1112-220-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1112-222-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1112-224-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1112-226-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1112-228-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1112-230-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1112-232-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1112-234-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1112-244-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1112-242-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1112-240-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1112-238-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1112-236-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/1112-246-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge406767.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	ge406767.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 10 IoCs

Processes:

kino5485.exekino7578.exekino7907.exebus2627.execor2941.exedhN21s38.exeen390072.exege406767.exemetafor.exemetafor.exe

pid	process
2776	kino5485.exe
2460	kino7578.exe
2584	kino7907.exe
1220	bus2627.exe
4052	cor2941.exe
1112	dhN21s38.exe
912	en390072.exe
4388	ge406767.exe
2668	metafor.exe
1496	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cor2941.exebus2627.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor2941.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus2627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor2941.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino7578.exekino7907.exed4ffc1ec1353543b825c7f2d82a591d41f08d98be854a6b39c0c59206a1d78ac.exekino5485.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino7578.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino7907.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino7907.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d4ffc1ec1353543b825c7f2d82a591d41f08d98be854a6b39c0c59206a1d78ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d4ffc1ec1353543b825c7f2d82a591d41f08d98be854a6b39c0c59206a1d78ac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino5485.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino5485.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino7578.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2500 4052 WerFault.exe cor2941.exe
1480 1112 WerFault.exe dhN21s38.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3444 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus2627.execor2941.exedhN21s38.exeen390072.exe

pid process

1220 bus2627.exe
1220 bus2627.exe
4052 cor2941.exe
4052 cor2941.exe
1112 dhN21s38.exe
1112 dhN21s38.exe
912 en390072.exe
912 en390072.exe

pid	pid_target	process	target process
2500	4052	WerFault.exe	cor2941.exe
1480	1112	WerFault.exe	dhN21s38.exe

pid	process
3444	schtasks.exe

pid	process
1220	bus2627.exe
1220	bus2627.exe
4052	cor2941.exe
4052	cor2941.exe
1112	dhN21s38.exe
1112	dhN21s38.exe
912	en390072.exe
912	en390072.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus2627.execor2941.exedhN21s38.exeen390072.exe

description	pid	process
Token: SeDebugPrivilege	1220	bus2627.exe
Token: SeDebugPrivilege	4052	cor2941.exe
Token: SeDebugPrivilege	1112	dhN21s38.exe
Token: SeDebugPrivilege	912	en390072.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

d4ffc1ec1353543b825c7f2d82a591d41f08d98be854a6b39c0c59206a1d78ac.exekino5485.exekino7578.exekino7907.exege406767.exemetafor.execmd.exe

description	pid	process	target process
PID 2024 wrote to memory of 2776	2024	d4ffc1ec1353543b825c7f2d82a591d41f08d98be854a6b39c0c59206a1d78ac.exe	kino5485.exe
PID 2024 wrote to memory of 2776	2024	d4ffc1ec1353543b825c7f2d82a591d41f08d98be854a6b39c0c59206a1d78ac.exe	kino5485.exe
PID 2024 wrote to memory of 2776	2024	d4ffc1ec1353543b825c7f2d82a591d41f08d98be854a6b39c0c59206a1d78ac.exe	kino5485.exe
PID 2776 wrote to memory of 2460	2776	kino5485.exe	kino7578.exe
PID 2776 wrote to memory of 2460	2776	kino5485.exe	kino7578.exe
PID 2776 wrote to memory of 2460	2776	kino5485.exe	kino7578.exe
PID 2460 wrote to memory of 2584	2460	kino7578.exe	kino7907.exe
PID 2460 wrote to memory of 2584	2460	kino7578.exe	kino7907.exe
PID 2460 wrote to memory of 2584	2460	kino7578.exe	kino7907.exe
PID 2584 wrote to memory of 1220	2584	kino7907.exe	bus2627.exe
PID 2584 wrote to memory of 1220	2584	kino7907.exe	bus2627.exe
PID 2584 wrote to memory of 4052	2584	kino7907.exe	cor2941.exe
PID 2584 wrote to memory of 4052	2584	kino7907.exe	cor2941.exe
PID 2584 wrote to memory of 4052	2584	kino7907.exe	cor2941.exe
PID 2460 wrote to memory of 1112	2460	kino7578.exe	dhN21s38.exe
PID 2460 wrote to memory of 1112	2460	kino7578.exe	dhN21s38.exe
PID 2460 wrote to memory of 1112	2460	kino7578.exe	dhN21s38.exe
PID 2776 wrote to memory of 912	2776	kino5485.exe	en390072.exe
PID 2776 wrote to memory of 912	2776	kino5485.exe	en390072.exe
PID 2776 wrote to memory of 912	2776	kino5485.exe	en390072.exe
PID 2024 wrote to memory of 4388	2024	d4ffc1ec1353543b825c7f2d82a591d41f08d98be854a6b39c0c59206a1d78ac.exe	ge406767.exe
PID 2024 wrote to memory of 4388	2024	d4ffc1ec1353543b825c7f2d82a591d41f08d98be854a6b39c0c59206a1d78ac.exe	ge406767.exe
PID 2024 wrote to memory of 4388	2024	d4ffc1ec1353543b825c7f2d82a591d41f08d98be854a6b39c0c59206a1d78ac.exe	ge406767.exe
PID 4388 wrote to memory of 2668	4388	ge406767.exe	metafor.exe
PID 4388 wrote to memory of 2668	4388	ge406767.exe	metafor.exe
PID 4388 wrote to memory of 2668	4388	ge406767.exe	metafor.exe
PID 2668 wrote to memory of 3444	2668	metafor.exe	schtasks.exe
PID 2668 wrote to memory of 3444	2668	metafor.exe	schtasks.exe
PID 2668 wrote to memory of 3444	2668	metafor.exe	schtasks.exe
PID 2668 wrote to memory of 2480	2668	metafor.exe	cmd.exe
PID 2668 wrote to memory of 2480	2668	metafor.exe	cmd.exe
PID 2668 wrote to memory of 2480	2668	metafor.exe	cmd.exe
PID 2480 wrote to memory of 2404	2480	cmd.exe	cmd.exe
PID 2480 wrote to memory of 2404	2480	cmd.exe	cmd.exe
PID 2480 wrote to memory of 2404	2480	cmd.exe	cmd.exe
PID 2480 wrote to memory of 4676	2480	cmd.exe	cacls.exe
PID 2480 wrote to memory of 4676	2480	cmd.exe	cacls.exe
PID 2480 wrote to memory of 4676	2480	cmd.exe	cacls.exe
PID 2480 wrote to memory of 3580	2480	cmd.exe	cacls.exe
PID 2480 wrote to memory of 3580	2480	cmd.exe	cacls.exe
PID 2480 wrote to memory of 3580	2480	cmd.exe	cacls.exe
PID 2480 wrote to memory of 1736	2480	cmd.exe	cmd.exe
PID 2480 wrote to memory of 1736	2480	cmd.exe	cmd.exe
PID 2480 wrote to memory of 1736	2480	cmd.exe	cmd.exe
PID 2480 wrote to memory of 804	2480	cmd.exe	cacls.exe
PID 2480 wrote to memory of 804	2480	cmd.exe	cacls.exe
PID 2480 wrote to memory of 804	2480	cmd.exe	cacls.exe
PID 2480 wrote to memory of 4328	2480	cmd.exe	cacls.exe
PID 2480 wrote to memory of 4328	2480	cmd.exe	cacls.exe
PID 2480 wrote to memory of 4328	2480	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\d4ffc1ec1353543b825c7f2d82a591d41f08d98be854a6b39c0c59206a1d78ac.exe
"C:\Users\Admin\AppData\Local\Temp\d4ffc1ec1353543b825c7f2d82a591d41f08d98be854a6b39c0c59206a1d78ac.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5485.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5485.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino7578.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino7578.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7907.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7907.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2627.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2627.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor2941.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor2941.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4052
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 1088
        6⤵
        Program crash
        
        PID:2500
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dhN21s38.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dhN21s38.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1112
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1920
        5⤵
        Program crash
        
        PID:1480
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en390072.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en390072.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:912
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge406767.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge406767.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3444
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2404
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:N"
        5⤵
        
        PID:4676
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:R" /E
        5⤵
        
        PID:3580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1736
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:N"
        5⤵
        
        PID:804
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:R" /E
        5⤵
        
        PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4052 -ip 4052
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1112 -ip 1112
1⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge406767.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge406767.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5485.exe

Filesize
828KB

MD5
77e50853f042dde281d2e22c7823f831

SHA1
0431dc0c55de9675b12f54a7197040a8e52dc169

SHA256
f64f1cc0dc4cbd49aa70b7320c691e9c98df7e3f74db61309f272aa022e579cf

SHA512
69256f1dd8ade75a1133e8153bacf2e7cdedc8a302d3989dd439c095e7f6ef6b60f0581cf7b5592431192b6079241022784f1bb56cee2fd22e8cdaa48b2159bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5485.exe

Filesize
828KB

MD5
77e50853f042dde281d2e22c7823f831

SHA1
0431dc0c55de9675b12f54a7197040a8e52dc169

SHA256
f64f1cc0dc4cbd49aa70b7320c691e9c98df7e3f74db61309f272aa022e579cf

SHA512
69256f1dd8ade75a1133e8153bacf2e7cdedc8a302d3989dd439c095e7f6ef6b60f0581cf7b5592431192b6079241022784f1bb56cee2fd22e8cdaa48b2159bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en390072.exe

Filesize
175KB

MD5
30bf410db5f6c05f0dee763f5a0fe5b7

SHA1
1f4187925e1af163603a12bb116e869f8f137455

SHA256
d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178

SHA512
5edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en390072.exe

Filesize
175KB

MD5
30bf410db5f6c05f0dee763f5a0fe5b7

SHA1
1f4187925e1af163603a12bb116e869f8f137455

SHA256
d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178

SHA512
5edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino7578.exe

Filesize
686KB

MD5
6b3bb1d80f565a3f7362268a660c8148

SHA1
2be0ff21e70c2e442e9335d22f9d27837e02a24f

SHA256
63d71c26108f084bb3ef00b7b281e24d219326ad326ed5b2c81fa72124e2ca0f

SHA512
b458632ee93c640aca85c0b3908d737dd4af35bb16ff612372bbe44715cf3fdb0056bddd25feee1165cdebf17ddcca7f14d7e42a542020db7e08c97e4f0e003a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino7578.exe

Filesize
686KB

MD5
6b3bb1d80f565a3f7362268a660c8148

SHA1
2be0ff21e70c2e442e9335d22f9d27837e02a24f

SHA256
63d71c26108f084bb3ef00b7b281e24d219326ad326ed5b2c81fa72124e2ca0f

SHA512
b458632ee93c640aca85c0b3908d737dd4af35bb16ff612372bbe44715cf3fdb0056bddd25feee1165cdebf17ddcca7f14d7e42a542020db7e08c97e4f0e003a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dhN21s38.exe

Filesize
355KB

MD5
91282b2cfef204928978ad33508fe327

SHA1
a6e8aedf9a653016889819796ee880eaf70f7962

SHA256
1c871c31b4ab32281a9e807464ce3cf021a0a8fc15b42c26799d6bf18162a649

SHA512
e37221bd82b3f349ec4fa5b7ab1793b67046a37a64a1410634cc97e39f83f7fce4d2e26ca9fd6116bf4ea7261da55d6d2a338c6574cd91d1659ba617696f8adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dhN21s38.exe

Filesize
355KB

MD5
91282b2cfef204928978ad33508fe327

SHA1
a6e8aedf9a653016889819796ee880eaf70f7962

SHA256
1c871c31b4ab32281a9e807464ce3cf021a0a8fc15b42c26799d6bf18162a649

SHA512
e37221bd82b3f349ec4fa5b7ab1793b67046a37a64a1410634cc97e39f83f7fce4d2e26ca9fd6116bf4ea7261da55d6d2a338c6574cd91d1659ba617696f8adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7907.exe

Filesize
340KB

MD5
20cf50313d82b8e10acd0045e94204f8

SHA1
be83622363398068907a93d6d96d0dea0a4f6af2

SHA256
450c6811219eba5e72c0ab2d051e418ad85ee38d6d506ca1e471f41f916a043e

SHA512
bcf025490bcb1ece16757cff74fb3f6c6e3fb9f28a1dcee9b96b4a589f6af02e5540a45a6abfe2fa69efc0a75d4e216f1886c4b6180386bc95eaf002cb5c6202

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7907.exe

Filesize
340KB

MD5
20cf50313d82b8e10acd0045e94204f8

SHA1
be83622363398068907a93d6d96d0dea0a4f6af2

SHA256
450c6811219eba5e72c0ab2d051e418ad85ee38d6d506ca1e471f41f916a043e

SHA512
bcf025490bcb1ece16757cff74fb3f6c6e3fb9f28a1dcee9b96b4a589f6af02e5540a45a6abfe2fa69efc0a75d4e216f1886c4b6180386bc95eaf002cb5c6202

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2627.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2627.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor2941.exe

Filesize
298KB

MD5
48e2884beadadf901a962a333749132d

SHA1
66f500773e6b5f5b9c2c84d796f7dbd1d1e49283

SHA256
6326e4a5632d8eed670c64e306da7f0eb3c229f705d3ebdc2219ca5212cd225e

SHA512
063eb9c065862410f462254d4955341e9af9148aced94c37710474006b646aa3b7d9b87fb2dba7ad62f5298f2348475b55dbc5bcf1efe9474d58ff3c578a7f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor2941.exe

Filesize
298KB

MD5
48e2884beadadf901a962a333749132d

SHA1
66f500773e6b5f5b9c2c84d796f7dbd1d1e49283

SHA256
6326e4a5632d8eed670c64e306da7f0eb3c229f705d3ebdc2219ca5212cd225e

SHA512
063eb9c065862410f462254d4955341e9af9148aced94c37710474006b646aa3b7d9b87fb2dba7ad62f5298f2348475b55dbc5bcf1efe9474d58ff3c578a7f03

Download Submit
memory/912-1140-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/912-1139-0x0000000000AA0000-0x0000000000AD2000-memory.dmp

Filesize
200KB

Download
memory/1112-1120-0x0000000007E90000-0x0000000007F9A000-memory.dmp

Filesize
1.0MB

Download
memory/1112-244-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1112-1133-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/1112-1132-0x0000000009300000-0x0000000009350000-memory.dmp

Filesize
320KB

Download
memory/1112-1131-0x0000000009270000-0x00000000092E6000-memory.dmp

Filesize
472KB

Download
memory/1112-1130-0x0000000008C10000-0x000000000913C000-memory.dmp

Filesize
5.2MB

Download
memory/1112-1129-0x0000000008A40000-0x0000000008C02000-memory.dmp

Filesize
1.8MB

Download
memory/1112-1128-0x0000000008320000-0x0000000008386000-memory.dmp

Filesize
408KB

Download
memory/1112-1127-0x0000000008280000-0x0000000008312000-memory.dmp

Filesize
584KB

Download
memory/1112-1126-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/1112-1125-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/1112-1123-0x0000000007FA0000-0x0000000007FDC000-memory.dmp

Filesize
240KB

Download
memory/1112-1122-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/1112-1121-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/1112-1119-0x0000000007870000-0x0000000007E88000-memory.dmp

Filesize
6.1MB

Download
memory/1112-209-0x0000000002B90000-0x0000000002BDB000-memory.dmp

Filesize
300KB

Download
memory/1112-210-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/1112-212-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/1112-214-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/1112-213-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1112-211-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1112-216-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1112-218-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1112-220-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1112-222-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1112-224-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1112-226-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1112-228-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1112-230-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1112-232-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1112-234-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1112-246-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1112-242-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1112-240-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1112-238-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1112-236-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/1220-161-0x0000000000980000-0x000000000098A000-memory.dmp

Filesize
40KB

Download
memory/4052-196-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4052-168-0x0000000002B80000-0x0000000002BAD000-memory.dmp

Filesize
180KB

Download
memory/4052-186-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4052-204-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/4052-203-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/4052-202-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/4052-201-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/4052-199-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/4052-188-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4052-190-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4052-182-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4052-180-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4052-178-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4052-192-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4052-198-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4052-174-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4052-176-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4052-171-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4052-172-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4052-170-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/4052-169-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/4052-184-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4052-167-0x0000000007200000-0x00000000077A4000-memory.dmp

Filesize
5.6MB

Download
memory/4052-194-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download