amadey | a7587de78a2793f42949f435f4a30c5978a27f5fb2165d11ac92a3397a0b41c4

Analysis

max time kernel
123s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7587de78a2793f42949f435f4a30c5978a27f5fb2165d11ac92a3397a0b41c4.exe
Size

1010KB
MD5

2f3886b0b7772abd56ae5789560e89fa
SHA1

25351f098af17088653ba01cf1cd8139e373c5a9
SHA256

a7587de78a2793f42949f435f4a30c5978a27f5fb2165d11ac92a3397a0b41c4
SHA512

c2e8bf34e95479be085307467102bd6dbca0fa7a0b3501f4f535bbb51686e5ca9c4e7e931a2b8835a626a42afd5b4567adae2498f93a6d0b8903a7a449e2ff89
SSDEEP

12288:BMrUy90jguoPUNvcews39AXwHl/sLXhlamd6miMgBRRbtjlNIjgsXkE77LLBqc:ly1Bfs39AXcarXgBRbXIjn/73lv

Score

10^/10

amadey redline down volya discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

volya

193.233.20.31:4125

Attributes

auth_value
0efc9f002a9fbeec5f8b8338141d546a

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bus5970.execor9137.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus5970.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor9137.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor9137.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor9137.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor9137.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor9137.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus5970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus5970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus5970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor9137.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus5970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus5970.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1500-214-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/1500-215-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/1500-217-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/1500-219-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/1500-221-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/1500-223-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/1500-225-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/1500-227-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/1500-229-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/1500-231-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/1500-233-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/1500-235-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/1500-237-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/1500-239-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/1500-241-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/1500-243-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/1500-245-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/1500-247-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge838254.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	ge838254.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 11 IoCs

Processes:

kino3345.exekino3149.exekino3986.exebus5970.execor9137.exedyc08s14.exeen782381.exege838254.exemetafor.exemetafor.exemetafor.exe

pid	process
2100	kino3345.exe
2460	kino3149.exe
632	kino3986.exe
2484	bus5970.exe
3840	cor9137.exe
1500	dyc08s14.exe
4920	en782381.exe
1936	ge838254.exe
4280	metafor.exe
2164	metafor.exe
752	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus5970.execor9137.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus5970.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor9137.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor9137.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino3986.exea7587de78a2793f42949f435f4a30c5978a27f5fb2165d11ac92a3397a0b41c4.exekino3345.exekino3149.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino3986.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a7587de78a2793f42949f435f4a30c5978a27f5fb2165d11ac92a3397a0b41c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a7587de78a2793f42949f435f4a30c5978a27f5fb2165d11ac92a3397a0b41c4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino3345.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino3345.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino3149.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino3149.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino3986.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3960 3840 WerFault.exe cor9137.exe
2544 1500 WerFault.exe dyc08s14.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5060 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus5970.execor9137.exedyc08s14.exeen782381.exe

pid process

2484 bus5970.exe
2484 bus5970.exe
3840 cor9137.exe
3840 cor9137.exe
1500 dyc08s14.exe
1500 dyc08s14.exe
4920 en782381.exe
4920 en782381.exe

pid	pid_target	process	target process
3960	3840	WerFault.exe	cor9137.exe
2544	1500	WerFault.exe	dyc08s14.exe

pid	process
5060	schtasks.exe

pid	process
2484	bus5970.exe
2484	bus5970.exe
3840	cor9137.exe
3840	cor9137.exe
1500	dyc08s14.exe
1500	dyc08s14.exe
4920	en782381.exe
4920	en782381.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus5970.execor9137.exedyc08s14.exeen782381.exe

description	pid	process
Token: SeDebugPrivilege	2484	bus5970.exe
Token: SeDebugPrivilege	3840	cor9137.exe
Token: SeDebugPrivilege	1500	dyc08s14.exe
Token: SeDebugPrivilege	4920	en782381.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

a7587de78a2793f42949f435f4a30c5978a27f5fb2165d11ac92a3397a0b41c4.exekino3345.exekino3149.exekino3986.exege838254.exemetafor.execmd.exe

description	pid	process	target process
PID 2304 wrote to memory of 2100	2304	a7587de78a2793f42949f435f4a30c5978a27f5fb2165d11ac92a3397a0b41c4.exe	kino3345.exe
PID 2304 wrote to memory of 2100	2304	a7587de78a2793f42949f435f4a30c5978a27f5fb2165d11ac92a3397a0b41c4.exe	kino3345.exe
PID 2304 wrote to memory of 2100	2304	a7587de78a2793f42949f435f4a30c5978a27f5fb2165d11ac92a3397a0b41c4.exe	kino3345.exe
PID 2100 wrote to memory of 2460	2100	kino3345.exe	kino3149.exe
PID 2100 wrote to memory of 2460	2100	kino3345.exe	kino3149.exe
PID 2100 wrote to memory of 2460	2100	kino3345.exe	kino3149.exe
PID 2460 wrote to memory of 632	2460	kino3149.exe	kino3986.exe
PID 2460 wrote to memory of 632	2460	kino3149.exe	kino3986.exe
PID 2460 wrote to memory of 632	2460	kino3149.exe	kino3986.exe
PID 632 wrote to memory of 2484	632	kino3986.exe	bus5970.exe
PID 632 wrote to memory of 2484	632	kino3986.exe	bus5970.exe
PID 632 wrote to memory of 3840	632	kino3986.exe	cor9137.exe
PID 632 wrote to memory of 3840	632	kino3986.exe	cor9137.exe
PID 632 wrote to memory of 3840	632	kino3986.exe	cor9137.exe
PID 2460 wrote to memory of 1500	2460	kino3149.exe	dyc08s14.exe
PID 2460 wrote to memory of 1500	2460	kino3149.exe	dyc08s14.exe
PID 2460 wrote to memory of 1500	2460	kino3149.exe	dyc08s14.exe
PID 2100 wrote to memory of 4920	2100	kino3345.exe	en782381.exe
PID 2100 wrote to memory of 4920	2100	kino3345.exe	en782381.exe
PID 2100 wrote to memory of 4920	2100	kino3345.exe	en782381.exe
PID 2304 wrote to memory of 1936	2304	a7587de78a2793f42949f435f4a30c5978a27f5fb2165d11ac92a3397a0b41c4.exe	ge838254.exe
PID 2304 wrote to memory of 1936	2304	a7587de78a2793f42949f435f4a30c5978a27f5fb2165d11ac92a3397a0b41c4.exe	ge838254.exe
PID 2304 wrote to memory of 1936	2304	a7587de78a2793f42949f435f4a30c5978a27f5fb2165d11ac92a3397a0b41c4.exe	ge838254.exe
PID 1936 wrote to memory of 4280	1936	ge838254.exe	metafor.exe
PID 1936 wrote to memory of 4280	1936	ge838254.exe	metafor.exe
PID 1936 wrote to memory of 4280	1936	ge838254.exe	metafor.exe
PID 4280 wrote to memory of 5060	4280	metafor.exe	schtasks.exe
PID 4280 wrote to memory of 5060	4280	metafor.exe	schtasks.exe
PID 4280 wrote to memory of 5060	4280	metafor.exe	schtasks.exe
PID 4280 wrote to memory of 4560	4280	metafor.exe	cmd.exe
PID 4280 wrote to memory of 4560	4280	metafor.exe	cmd.exe
PID 4280 wrote to memory of 4560	4280	metafor.exe	cmd.exe
PID 4560 wrote to memory of 2484	4560	cmd.exe	cmd.exe
PID 4560 wrote to memory of 2484	4560	cmd.exe	cmd.exe
PID 4560 wrote to memory of 2484	4560	cmd.exe	cmd.exe
PID 4560 wrote to memory of 1816	4560	cmd.exe	cacls.exe
PID 4560 wrote to memory of 1816	4560	cmd.exe	cacls.exe
PID 4560 wrote to memory of 1816	4560	cmd.exe	cacls.exe
PID 4560 wrote to memory of 4376	4560	cmd.exe	cacls.exe
PID 4560 wrote to memory of 4376	4560	cmd.exe	cacls.exe
PID 4560 wrote to memory of 4376	4560	cmd.exe	cacls.exe
PID 4560 wrote to memory of 2032	4560	cmd.exe	cmd.exe
PID 4560 wrote to memory of 2032	4560	cmd.exe	cmd.exe
PID 4560 wrote to memory of 2032	4560	cmd.exe	cmd.exe
PID 4560 wrote to memory of 4632	4560	cmd.exe	cacls.exe
PID 4560 wrote to memory of 4632	4560	cmd.exe	cacls.exe
PID 4560 wrote to memory of 4632	4560	cmd.exe	cacls.exe
PID 4560 wrote to memory of 4236	4560	cmd.exe	cacls.exe
PID 4560 wrote to memory of 4236	4560	cmd.exe	cacls.exe
PID 4560 wrote to memory of 4236	4560	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\a7587de78a2793f42949f435f4a30c5978a27f5fb2165d11ac92a3397a0b41c4.exe
"C:\Users\Admin\AppData\Local\Temp\a7587de78a2793f42949f435f4a30c5978a27f5fb2165d11ac92a3397a0b41c4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino3345.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino3345.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3149.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3149.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino3986.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino3986.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:632
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus5970.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus5970.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9137.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9137.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3840
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1108
        6⤵
        Program crash
        
        PID:3960
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyc08s14.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyc08s14.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1500
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 1176
        5⤵
        Program crash
        
        PID:2544
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en782381.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en782381.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4920
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge838254.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge838254.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:5060
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2484
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:N"
        5⤵
        
        PID:1816
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:R" /E
        5⤵
        
        PID:4376
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2032
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:N"
        5⤵
        
        PID:4632
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:R" /E
        5⤵
        
        PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3840 -ip 3840
1⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1500 -ip 1500
1⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:2164

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge838254.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge838254.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino3345.exe

Filesize
827KB

MD5
da75a9c3faed3eb9d81f4efa06ec793b

SHA1
2b8e0236dc66a7bd3e8691cac0012a133799b865

SHA256
e1c42bf56d5609d9f1524c7740f1f69d79a1c6d61da872123e46448199af106a

SHA512
d6c8318ad17db78848634d3eca5e179a6e881a579cdf6cba897fc4d25da7453c0222e5501a16ec70e9425c0dee712e039ba3b520d8647411460a0384318a4b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino3345.exe

Filesize
827KB

MD5
da75a9c3faed3eb9d81f4efa06ec793b

SHA1
2b8e0236dc66a7bd3e8691cac0012a133799b865

SHA256
e1c42bf56d5609d9f1524c7740f1f69d79a1c6d61da872123e46448199af106a

SHA512
d6c8318ad17db78848634d3eca5e179a6e881a579cdf6cba897fc4d25da7453c0222e5501a16ec70e9425c0dee712e039ba3b520d8647411460a0384318a4b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en782381.exe

Filesize
175KB

MD5
018b839c5ea1438099cd92f268570005

SHA1
5c962942d01b46556c5f3d88a51ab865c051418c

SHA256
593c354b3b09050c92d44a076a7a630a245790ab4fab6e872dbafd89e93cb132

SHA512
67d7a260d200127fe6a6c0dee2bfdd6f84f6bdf3778a8033ae0d51eee1cd717328dba6ee4aff07e4522466317e790f7cd94440fe31adca06269db3d279c31010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en782381.exe

Filesize
175KB

MD5
018b839c5ea1438099cd92f268570005

SHA1
5c962942d01b46556c5f3d88a51ab865c051418c

SHA256
593c354b3b09050c92d44a076a7a630a245790ab4fab6e872dbafd89e93cb132

SHA512
67d7a260d200127fe6a6c0dee2bfdd6f84f6bdf3778a8033ae0d51eee1cd717328dba6ee4aff07e4522466317e790f7cd94440fe31adca06269db3d279c31010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3149.exe

Filesize
685KB

MD5
28f7f379bbfa88ce041bc7f67e3e07b3

SHA1
3fb4447ecfa6c28edead589e14181aaa381ff37e

SHA256
b908efad037730534b2370cade088ae5f760cf089f1502f2bc622e88809f6993

SHA512
94f8751efb019caacd7de2fe68cc77cabf448ebbc3580f7c3c65d173c8cdb79a9171a4b8fe8fb239f0cddb1585a03fa223c9a403802693dcf887faaf6babe55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3149.exe

Filesize
685KB

MD5
28f7f379bbfa88ce041bc7f67e3e07b3

SHA1
3fb4447ecfa6c28edead589e14181aaa381ff37e

SHA256
b908efad037730534b2370cade088ae5f760cf089f1502f2bc622e88809f6993

SHA512
94f8751efb019caacd7de2fe68cc77cabf448ebbc3580f7c3c65d173c8cdb79a9171a4b8fe8fb239f0cddb1585a03fa223c9a403802693dcf887faaf6babe55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyc08s14.exe

Filesize
356KB

MD5
30d9f647b1b7425f383e80e15e4df301

SHA1
09fe57023692bf6c74b335439ff886657746c651

SHA256
a34fc697e130d18fce82ce914cc7c490bce963fd35d2e2413a5d2964e08ddfd0

SHA512
9bb010a1bced01c73ea22bbe4456ec8d74c891c3ef45fa73fb8d462fb846b11db2e62a2df672d4dc365077398880103f53efc21c46822f1bf6baaa8923a57705

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyc08s14.exe

Filesize
356KB

MD5
30d9f647b1b7425f383e80e15e4df301

SHA1
09fe57023692bf6c74b335439ff886657746c651

SHA256
a34fc697e130d18fce82ce914cc7c490bce963fd35d2e2413a5d2964e08ddfd0

SHA512
9bb010a1bced01c73ea22bbe4456ec8d74c891c3ef45fa73fb8d462fb846b11db2e62a2df672d4dc365077398880103f53efc21c46822f1bf6baaa8923a57705

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino3986.exe

Filesize
338KB

MD5
b4d0bd63538f503b46581596eaf75507

SHA1
8272d21c9410c7333b874674329de06eca139494

SHA256
d7a7c6fb8d44d5b6bf5156523600b77e3b406046bcd0247952642e4588aef4b1

SHA512
f3cdbe598525cf982347d69a2e533888acab8e3281f96fac6c804d0d75a6013f0b52d33121a4d04f694a8913edd2d506d0745028445d3b903ae8eeead9fda910

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino3986.exe

Filesize
338KB

MD5
b4d0bd63538f503b46581596eaf75507

SHA1
8272d21c9410c7333b874674329de06eca139494

SHA256
d7a7c6fb8d44d5b6bf5156523600b77e3b406046bcd0247952642e4588aef4b1

SHA512
f3cdbe598525cf982347d69a2e533888acab8e3281f96fac6c804d0d75a6013f0b52d33121a4d04f694a8913edd2d506d0745028445d3b903ae8eeead9fda910

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus5970.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus5970.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9137.exe

Filesize
298KB

MD5
048e1a9a3cc5c8ffde9f597a877e205c

SHA1
52dd76dc0a20abf7dd34c157b587bc0ff4fff362

SHA256
cf7bfbf01d6fbc4662a55c98925b558deb521737f1c9c84b459349a4d125a25b

SHA512
c8a643e91ae4474198af1f77036974f219c4f85726aa89ff8802e99390dcfee621ed65fc40ece97875d4511b4a88a25b3eae0c04f7594ebd1293c8065d093f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9137.exe

Filesize
298KB

MD5
048e1a9a3cc5c8ffde9f597a877e205c

SHA1
52dd76dc0a20abf7dd34c157b587bc0ff4fff362

SHA256
cf7bfbf01d6fbc4662a55c98925b558deb521737f1c9c84b459349a4d125a25b

SHA512
c8a643e91ae4474198af1f77036974f219c4f85726aa89ff8802e99390dcfee621ed65fc40ece97875d4511b4a88a25b3eae0c04f7594ebd1293c8065d093f0a

Download Submit
memory/1500-1120-0x0000000007860000-0x0000000007E78000-memory.dmp

Filesize
6.1MB

Download
memory/1500-1128-0x0000000008A90000-0x0000000008B22000-memory.dmp

Filesize
584KB

Download
memory/1500-1132-0x0000000008F80000-0x00000000094AC000-memory.dmp

Filesize
5.2MB

Download
memory/1500-1131-0x0000000008D70000-0x0000000008F32000-memory.dmp

Filesize
1.8MB

Download
memory/1500-1129-0x0000000008C80000-0x0000000008CF6000-memory.dmp

Filesize
472KB

Download
memory/1500-1130-0x0000000008D10000-0x0000000008D60000-memory.dmp

Filesize
320KB

Download
memory/1500-1127-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/1500-1126-0x0000000008280000-0x00000000082E6000-memory.dmp

Filesize
408KB

Download
memory/1500-1124-0x0000000007F90000-0x0000000007FCC000-memory.dmp

Filesize
240KB

Download
memory/1500-1123-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/1500-1122-0x0000000007280000-0x0000000007292000-memory.dmp

Filesize
72KB

Download
memory/1500-1121-0x0000000007E80000-0x0000000007F8A000-memory.dmp

Filesize
1.0MB

Download
memory/1500-247-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/1500-245-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/1500-243-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/1500-241-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/1500-239-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/1500-210-0x0000000002DF0000-0x0000000002E3B000-memory.dmp

Filesize
300KB

Download
memory/1500-211-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/1500-212-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/1500-213-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/1500-214-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/1500-215-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/1500-217-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/1500-219-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/1500-221-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/1500-223-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/1500-225-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/1500-227-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/1500-229-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/1500-231-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/1500-233-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/1500-235-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/1500-237-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/2484-161-0x0000000000980000-0x000000000098A000-memory.dmp

Filesize
40KB

Download
memory/3840-189-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3840-181-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3840-191-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3840-202-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/3840-177-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3840-201-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/3840-200-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/3840-199-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3840-197-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3840-195-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3840-193-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3840-183-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3840-203-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/3840-205-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/3840-170-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/3840-185-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3840-175-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3840-172-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3840-179-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3840-167-0x00000000072B0000-0x0000000007854000-memory.dmp

Filesize
5.6MB

Download
memory/3840-173-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3840-187-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/3840-171-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/3840-169-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/3840-168-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/4920-1139-0x0000000005A50000-0x0000000005A60000-memory.dmp

Filesize
64KB

Download
memory/4920-1138-0x0000000000E10000-0x0000000000E42000-memory.dmp

Filesize
200KB

Download