amadey | f9d5ea3181e897dc621b3a4c0f7b75d78ee19a12af6f1846c56361a1f6dee3d6

Analysis

max time kernel
133s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9d5ea3181e897dc621b3a4c0f7b75d78ee19a12af6f1846c56361a1f6dee3d6.exe
Size

1009KB
MD5

5a5362c70bfe05c6fe526bb369081918
SHA1

fa56e2e715fd33618b81eaeeb1ad8bf0221127b8
SHA256

f9d5ea3181e897dc621b3a4c0f7b75d78ee19a12af6f1846c56361a1f6dee3d6
SHA512

7f76cb13558548ea17df66a131e9876766b950623f1097c1e6d2baec5d8afd68ee1165eac2b7dea9c40c21ea99ce3a0d7ad224b1897f0ae06d51570a6f0f707f
SSDEEP

24576:gyHcVibZHQ1H+d8pnfWCig2sG1FBIjNMNUb:n8Vf1HOCeCiaG1F2jT

Score

10^/10

amadey redline down volya discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

volya

193.233.20.31:4125

Attributes

auth_value
0efc9f002a9fbeec5f8b8338141d546a

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bus0635.execor1071.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus0635.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor1071.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus0635.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus0635.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus0635.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus0635.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor1071.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor1071.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor1071.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor1071.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus0635.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor1071.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2460-211-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2460-212-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2460-214-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2460-216-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2460-218-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2460-220-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2460-222-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2460-223-0x00000000072D0000-0x00000000072E0000-memory.dmp	family_redline
behavioral1/memory/2460-225-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2460-227-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2460-229-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2460-231-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2460-233-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2460-235-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2460-237-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2460-239-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2460-241-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2460-243-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2460-245-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

metafor.exege590654.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	metafor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	ge590654.exe

Executes dropped EXE 11 IoCs

Processes:

kino6851.exekino6769.exekino4819.exebus0635.execor1071.exedIG88s50.exeen155147.exege590654.exemetafor.exemetafor.exemetafor.exe

pid	process
3228	kino6851.exe
1944	kino6769.exe
4796	kino4819.exe
816	bus0635.exe
772	cor1071.exe
2460	dIG88s50.exe
4868	en155147.exe
1000	ge590654.exe
3572	metafor.exe
624	metafor.exe
4104	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cor1071.exebus0635.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor1071.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus0635.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor1071.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f9d5ea3181e897dc621b3a4c0f7b75d78ee19a12af6f1846c56361a1f6dee3d6.exekino6851.exekino6769.exekino4819.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f9d5ea3181e897dc621b3a4c0f7b75d78ee19a12af6f1846c56361a1f6dee3d6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino6851.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino6851.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino6769.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino6769.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino4819.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino4819.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f9d5ea3181e897dc621b3a4c0f7b75d78ee19a12af6f1846c56361a1f6dee3d6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

388 772 WerFault.exe cor1071.exe
2096 2460 WerFault.exe dIG88s50.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

216 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus0635.execor1071.exedIG88s50.exeen155147.exe

pid process

816 bus0635.exe
816 bus0635.exe
772 cor1071.exe
772 cor1071.exe
2460 dIG88s50.exe
2460 dIG88s50.exe
4868 en155147.exe
4868 en155147.exe

pid	pid_target	process	target process
388	772	WerFault.exe	cor1071.exe
2096	2460	WerFault.exe	dIG88s50.exe

pid	process
216	schtasks.exe

pid	process
816	bus0635.exe
816	bus0635.exe
772	cor1071.exe
772	cor1071.exe
2460	dIG88s50.exe
2460	dIG88s50.exe
4868	en155147.exe
4868	en155147.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus0635.execor1071.exedIG88s50.exeen155147.exe

description	pid	process
Token: SeDebugPrivilege	816	bus0635.exe
Token: SeDebugPrivilege	772	cor1071.exe
Token: SeDebugPrivilege	2460	dIG88s50.exe
Token: SeDebugPrivilege	4868	en155147.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

f9d5ea3181e897dc621b3a4c0f7b75d78ee19a12af6f1846c56361a1f6dee3d6.exekino6851.exekino6769.exekino4819.exege590654.exemetafor.execmd.exe

description	pid	process	target process
PID 3652 wrote to memory of 3228	3652	f9d5ea3181e897dc621b3a4c0f7b75d78ee19a12af6f1846c56361a1f6dee3d6.exe	kino6851.exe
PID 3652 wrote to memory of 3228	3652	f9d5ea3181e897dc621b3a4c0f7b75d78ee19a12af6f1846c56361a1f6dee3d6.exe	kino6851.exe
PID 3652 wrote to memory of 3228	3652	f9d5ea3181e897dc621b3a4c0f7b75d78ee19a12af6f1846c56361a1f6dee3d6.exe	kino6851.exe
PID 3228 wrote to memory of 1944	3228	kino6851.exe	kino6769.exe
PID 3228 wrote to memory of 1944	3228	kino6851.exe	kino6769.exe
PID 3228 wrote to memory of 1944	3228	kino6851.exe	kino6769.exe
PID 1944 wrote to memory of 4796	1944	kino6769.exe	kino4819.exe
PID 1944 wrote to memory of 4796	1944	kino6769.exe	kino4819.exe
PID 1944 wrote to memory of 4796	1944	kino6769.exe	kino4819.exe
PID 4796 wrote to memory of 816	4796	kino4819.exe	bus0635.exe
PID 4796 wrote to memory of 816	4796	kino4819.exe	bus0635.exe
PID 4796 wrote to memory of 772	4796	kino4819.exe	cor1071.exe
PID 4796 wrote to memory of 772	4796	kino4819.exe	cor1071.exe
PID 4796 wrote to memory of 772	4796	kino4819.exe	cor1071.exe
PID 1944 wrote to memory of 2460	1944	kino6769.exe	dIG88s50.exe
PID 1944 wrote to memory of 2460	1944	kino6769.exe	dIG88s50.exe
PID 1944 wrote to memory of 2460	1944	kino6769.exe	dIG88s50.exe
PID 3228 wrote to memory of 4868	3228	kino6851.exe	en155147.exe
PID 3228 wrote to memory of 4868	3228	kino6851.exe	en155147.exe
PID 3228 wrote to memory of 4868	3228	kino6851.exe	en155147.exe
PID 3652 wrote to memory of 1000	3652	f9d5ea3181e897dc621b3a4c0f7b75d78ee19a12af6f1846c56361a1f6dee3d6.exe	ge590654.exe
PID 3652 wrote to memory of 1000	3652	f9d5ea3181e897dc621b3a4c0f7b75d78ee19a12af6f1846c56361a1f6dee3d6.exe	ge590654.exe
PID 3652 wrote to memory of 1000	3652	f9d5ea3181e897dc621b3a4c0f7b75d78ee19a12af6f1846c56361a1f6dee3d6.exe	ge590654.exe
PID 1000 wrote to memory of 3572	1000	ge590654.exe	metafor.exe
PID 1000 wrote to memory of 3572	1000	ge590654.exe	metafor.exe
PID 1000 wrote to memory of 3572	1000	ge590654.exe	metafor.exe
PID 3572 wrote to memory of 216	3572	metafor.exe	schtasks.exe
PID 3572 wrote to memory of 216	3572	metafor.exe	schtasks.exe
PID 3572 wrote to memory of 216	3572	metafor.exe	schtasks.exe
PID 3572 wrote to memory of 4376	3572	metafor.exe	cmd.exe
PID 3572 wrote to memory of 4376	3572	metafor.exe	cmd.exe
PID 3572 wrote to memory of 4376	3572	metafor.exe	cmd.exe
PID 4376 wrote to memory of 1244	4376	cmd.exe	cmd.exe
PID 4376 wrote to memory of 1244	4376	cmd.exe	cmd.exe
PID 4376 wrote to memory of 1244	4376	cmd.exe	cmd.exe
PID 4376 wrote to memory of 2776	4376	cmd.exe	cacls.exe
PID 4376 wrote to memory of 2776	4376	cmd.exe	cacls.exe
PID 4376 wrote to memory of 2776	4376	cmd.exe	cacls.exe
PID 4376 wrote to memory of 3748	4376	cmd.exe	cacls.exe
PID 4376 wrote to memory of 3748	4376	cmd.exe	cacls.exe
PID 4376 wrote to memory of 3748	4376	cmd.exe	cacls.exe
PID 4376 wrote to memory of 4716	4376	cmd.exe	cmd.exe
PID 4376 wrote to memory of 4716	4376	cmd.exe	cmd.exe
PID 4376 wrote to memory of 4716	4376	cmd.exe	cmd.exe
PID 4376 wrote to memory of 4592	4376	cmd.exe	cacls.exe
PID 4376 wrote to memory of 4592	4376	cmd.exe	cacls.exe
PID 4376 wrote to memory of 4592	4376	cmd.exe	cacls.exe
PID 4376 wrote to memory of 3616	4376	cmd.exe	cacls.exe
PID 4376 wrote to memory of 3616	4376	cmd.exe	cacls.exe
PID 4376 wrote to memory of 3616	4376	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\f9d5ea3181e897dc621b3a4c0f7b75d78ee19a12af6f1846c56361a1f6dee3d6.exe
"C:\Users\Admin\AppData\Local\Temp\f9d5ea3181e897dc621b3a4c0f7b75d78ee19a12af6f1846c56361a1f6dee3d6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6851.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6851.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6769.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6769.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4819.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4819.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4796
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0635.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0635.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:816
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1071.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1071.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 1080
        6⤵
        Program crash
        
        PID:388
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIG88s50.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIG88s50.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2460
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 1324
        5⤵
        Program crash
        
        PID:2096
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en155147.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en155147.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4868
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge590654.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge590654.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3572
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:216
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4376
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1244
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:N"
        5⤵
        
        PID:2776
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:R" /E
        5⤵
        
        PID:3748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4716
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:N"
        5⤵
        
        PID:4592
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:R" /E
        5⤵
        
        PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 772 -ip 772
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2460 -ip 2460
1⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:624

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:4104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge590654.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge590654.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6851.exe

Filesize
827KB

MD5
092063536ae0f6fd3ec2695996be753b

SHA1
2bcbe30d1bd850cfe258b2e74fa642fdbebe376c

SHA256
dd184ff99628767d2fa17386f72e66fd0402c78a6258bf3dd5a06c527f03862a

SHA512
db3d3ba08dabe127100ce5d1f826f47c5ebd1988f6efe53680007b6f1437fd1739a75a277d2d4aa3761b5a82cba06e5587243c7f2729f96010bf8fbb7d1742e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6851.exe

Filesize
827KB

MD5
092063536ae0f6fd3ec2695996be753b

SHA1
2bcbe30d1bd850cfe258b2e74fa642fdbebe376c

SHA256
dd184ff99628767d2fa17386f72e66fd0402c78a6258bf3dd5a06c527f03862a

SHA512
db3d3ba08dabe127100ce5d1f826f47c5ebd1988f6efe53680007b6f1437fd1739a75a277d2d4aa3761b5a82cba06e5587243c7f2729f96010bf8fbb7d1742e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en155147.exe

Filesize
175KB

MD5
018b839c5ea1438099cd92f268570005

SHA1
5c962942d01b46556c5f3d88a51ab865c051418c

SHA256
593c354b3b09050c92d44a076a7a630a245790ab4fab6e872dbafd89e93cb132

SHA512
67d7a260d200127fe6a6c0dee2bfdd6f84f6bdf3778a8033ae0d51eee1cd717328dba6ee4aff07e4522466317e790f7cd94440fe31adca06269db3d279c31010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en155147.exe

Filesize
175KB

MD5
018b839c5ea1438099cd92f268570005

SHA1
5c962942d01b46556c5f3d88a51ab865c051418c

SHA256
593c354b3b09050c92d44a076a7a630a245790ab4fab6e872dbafd89e93cb132

SHA512
67d7a260d200127fe6a6c0dee2bfdd6f84f6bdf3778a8033ae0d51eee1cd717328dba6ee4aff07e4522466317e790f7cd94440fe31adca06269db3d279c31010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6769.exe

Filesize
684KB

MD5
c95f981ef3d526ee5b41b865abcfcf80

SHA1
7b464ea6028ed08231517e2698879e1fd8754588

SHA256
d6b482915daff105fd477f021940b655520fac513217e6dc4621d5ae9226fe27

SHA512
24558fcb30bf1ae8a0e782d06f8ba6f98dfa7a26fff0519043ef323b6c0384af709b3c9aea0d044e79afccb01eb7c20d2042eea128e560d80cb04d1bbb4864d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6769.exe

Filesize
684KB

MD5
c95f981ef3d526ee5b41b865abcfcf80

SHA1
7b464ea6028ed08231517e2698879e1fd8754588

SHA256
d6b482915daff105fd477f021940b655520fac513217e6dc4621d5ae9226fe27

SHA512
24558fcb30bf1ae8a0e782d06f8ba6f98dfa7a26fff0519043ef323b6c0384af709b3c9aea0d044e79afccb01eb7c20d2042eea128e560d80cb04d1bbb4864d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIG88s50.exe

Filesize
356KB

MD5
aecfe6690c58728708035fc96bee5d77

SHA1
6392360116557e9af4df866697ed870578c8f10f

SHA256
4407d03b60839527f676ff9d9dc8961a3c88da614d5f4a587bb5a01c6965a09c

SHA512
f684b705e4fbc035c9f1a83c43292c863b49576bad91310498d0b6186d919543d210d217cc1779cb88eb747863b9b8b09d529f7e8d4c15162ae8cfc302bc7aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIG88s50.exe

Filesize
356KB

MD5
aecfe6690c58728708035fc96bee5d77

SHA1
6392360116557e9af4df866697ed870578c8f10f

SHA256
4407d03b60839527f676ff9d9dc8961a3c88da614d5f4a587bb5a01c6965a09c

SHA512
f684b705e4fbc035c9f1a83c43292c863b49576bad91310498d0b6186d919543d210d217cc1779cb88eb747863b9b8b09d529f7e8d4c15162ae8cfc302bc7aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4819.exe

Filesize
338KB

MD5
8b9de45143c4e0cfbe9b92fcb9496512

SHA1
929c7164bb57085165180ee0d815561e4c74cb01

SHA256
bb869e31924ede4f1c372bacbcaa4d231b9ddaa6dcaeaa541d3a3babb966d588

SHA512
345a854ea9dd74343cf597557b275b3d56b412ce72657bdf51bc74ad578cacdf1417d10cfefdb6a0672fc3e30550be28e7369830018929269f35232ca5b2bd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4819.exe

Filesize
338KB

MD5
8b9de45143c4e0cfbe9b92fcb9496512

SHA1
929c7164bb57085165180ee0d815561e4c74cb01

SHA256
bb869e31924ede4f1c372bacbcaa4d231b9ddaa6dcaeaa541d3a3babb966d588

SHA512
345a854ea9dd74343cf597557b275b3d56b412ce72657bdf51bc74ad578cacdf1417d10cfefdb6a0672fc3e30550be28e7369830018929269f35232ca5b2bd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0635.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus0635.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1071.exe

Filesize
298KB

MD5
9a125bb0d3907f85a86e2a3a3a013f98

SHA1
d74594df3867d581968dcd7489b90d8252cf57bb

SHA256
657535826ff3274f0849154672fb345a0e1d5589fa893623322462b2c1b666cd

SHA512
d5259ba54e5ddd234edffdc68e9b4d3ebd38cb5f96664c2e6badb1f3934f5a53f26e6548d5af71cc0b45f653247ce5e2705d468f5f80058a00f6a9fda5adbc5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1071.exe

Filesize
298KB

MD5
9a125bb0d3907f85a86e2a3a3a013f98

SHA1
d74594df3867d581968dcd7489b90d8252cf57bb

SHA256
657535826ff3274f0849154672fb345a0e1d5589fa893623322462b2c1b666cd

SHA512
d5259ba54e5ddd234edffdc68e9b4d3ebd38cb5f96664c2e6badb1f3934f5a53f26e6548d5af71cc0b45f653247ce5e2705d468f5f80058a00f6a9fda5adbc5b

Download Submit
memory/772-180-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/772-202-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/772-182-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/772-184-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/772-186-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/772-188-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/772-190-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/772-192-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/772-194-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/772-196-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/772-198-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/772-199-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/772-201-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/772-178-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/772-203-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/772-204-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/772-167-0x0000000007210000-0x00000000077B4000-memory.dmp

Filesize
5.6MB

Download
memory/772-176-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/772-174-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/772-172-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/772-171-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/772-170-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/772-169-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/772-168-0x0000000002B80000-0x0000000002BAD000-memory.dmp

Filesize
180KB

Download
memory/816-161-0x0000000000B60000-0x0000000000B6A000-memory.dmp

Filesize
40KB

Download
memory/2460-211-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2460-1122-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/2460-225-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2460-227-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2460-229-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2460-231-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2460-233-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2460-235-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2460-237-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2460-239-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2460-241-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2460-243-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2460-245-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2460-1118-0x0000000007990000-0x0000000007FA8000-memory.dmp

Filesize
6.1MB

Download
memory/2460-1119-0x0000000007FB0000-0x00000000080BA000-memory.dmp

Filesize
1.0MB

Download
memory/2460-1120-0x00000000080C0000-0x00000000080D2000-memory.dmp

Filesize
72KB

Download
memory/2460-1121-0x00000000080E0000-0x000000000811C000-memory.dmp

Filesize
240KB

Download
memory/2460-223-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/2460-1124-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/2460-1125-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/2460-1126-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/2460-1127-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/2460-1129-0x0000000008DD0000-0x0000000008E46000-memory.dmp

Filesize
472KB

Download
memory/2460-1130-0x0000000008E50000-0x0000000008EA0000-memory.dmp

Filesize
320KB

Download
memory/2460-1131-0x0000000008EB0000-0x0000000009072000-memory.dmp

Filesize
1.8MB

Download
memory/2460-222-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2460-1132-0x0000000009080000-0x00000000095AC000-memory.dmp

Filesize
5.2MB

Download
memory/2460-209-0x0000000002C70000-0x0000000002CBB000-memory.dmp

Filesize
300KB

Download
memory/2460-210-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/2460-220-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2460-218-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2460-216-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2460-214-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2460-212-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/4868-1140-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

Filesize
64KB

Download
memory/4868-1139-0x0000000000380000-0x00000000003B2000-memory.dmp

Filesize
200KB

Download