amadey | 9ad2b51503858079de212d2b42dfa66e5f81073d8447365ce51a2fffcd360383

Analysis

max time kernel
142s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ad2b51503858079de212d2b42dfa66e5f81073d8447365ce51a2fffcd360383.exe
Size

1011KB
MD5

c798c80855699b301193191608d8ea5d
SHA1

c1c7286c8af2cdee8e167319923e6ee2ef9591a8
SHA256

9ad2b51503858079de212d2b42dfa66e5f81073d8447365ce51a2fffcd360383
SHA512

70905732dc27a4d6f29b58dd4c45a148ebaad7bd47e79e37481c667746790adcdab90c443105262eef33c466be314a5f91e91ed0c01a38678af28fab2a0e2c7d
SSDEEP

24576:Ky8aJ3NsBlvFRFfjfOp4M3jP6YSuiGcBGjlfrtInl:R843EXKCuiGcBe

Score

10^/10

amadey redline down volya discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

volya

193.233.20.31:4125

Attributes

auth_value
0efc9f002a9fbeec5f8b8338141d546a

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

cor5960.exebus7624.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor5960.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor5960.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus7624.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus7624.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus7624.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus7624.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor5960.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus7624.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus7624.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor5960.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor5960.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor5960.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3456-209-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/3456-210-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/3456-212-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/3456-214-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/3456-216-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/3456-218-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/3456-222-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/3456-225-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/3456-227-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/3456-229-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/3456-231-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/3456-233-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/3456-235-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/3456-237-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/3456-239-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/3456-241-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/3456-243-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/3456-245-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

metafor.exege005699.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	metafor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	ge005699.exe

Executes dropped EXE 11 IoCs

Processes:

kino0842.exekino8803.exekino0931.exebus7624.execor5960.exedFE61s12.exeen140071.exege005699.exemetafor.exemetafor.exemetafor.exe

pid	process
3368	kino0842.exe
4932	kino8803.exe
2488	kino0931.exe
4792	bus7624.exe
2104	cor5960.exe
3456	dFE61s12.exe
1516	en140071.exe
4788	ge005699.exe
4736	metafor.exe
3840	metafor.exe
2700	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cor5960.exebus7624.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor5960.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus7624.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor5960.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino0931.exe9ad2b51503858079de212d2b42dfa66e5f81073d8447365ce51a2fffcd360383.exekino0842.exekino8803.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino0931.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino0931.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9ad2b51503858079de212d2b42dfa66e5f81073d8447365ce51a2fffcd360383.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9ad2b51503858079de212d2b42dfa66e5f81073d8447365ce51a2fffcd360383.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino0842.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino0842.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino8803.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino8803.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4088 2104 WerFault.exe cor5960.exe
1240 3456 WerFault.exe dFE61s12.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3964 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus7624.execor5960.exedFE61s12.exeen140071.exe

pid process

4792 bus7624.exe
4792 bus7624.exe
2104 cor5960.exe
2104 cor5960.exe
3456 dFE61s12.exe
3456 dFE61s12.exe
1516 en140071.exe
1516 en140071.exe

pid	pid_target	process	target process
4088	2104	WerFault.exe	cor5960.exe
1240	3456	WerFault.exe	dFE61s12.exe

pid	process
3964	schtasks.exe

pid	process
4792	bus7624.exe
4792	bus7624.exe
2104	cor5960.exe
2104	cor5960.exe
3456	dFE61s12.exe
3456	dFE61s12.exe
1516	en140071.exe
1516	en140071.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus7624.execor5960.exedFE61s12.exeen140071.exe

description	pid	process
Token: SeDebugPrivilege	4792	bus7624.exe
Token: SeDebugPrivilege	2104	cor5960.exe
Token: SeDebugPrivilege	3456	dFE61s12.exe
Token: SeDebugPrivilege	1516	en140071.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

9ad2b51503858079de212d2b42dfa66e5f81073d8447365ce51a2fffcd360383.exekino0842.exekino8803.exekino0931.exege005699.exemetafor.execmd.exe

description	pid	process	target process
PID 1116 wrote to memory of 3368	1116	9ad2b51503858079de212d2b42dfa66e5f81073d8447365ce51a2fffcd360383.exe	kino0842.exe
PID 1116 wrote to memory of 3368	1116	9ad2b51503858079de212d2b42dfa66e5f81073d8447365ce51a2fffcd360383.exe	kino0842.exe
PID 1116 wrote to memory of 3368	1116	9ad2b51503858079de212d2b42dfa66e5f81073d8447365ce51a2fffcd360383.exe	kino0842.exe
PID 3368 wrote to memory of 4932	3368	kino0842.exe	kino8803.exe
PID 3368 wrote to memory of 4932	3368	kino0842.exe	kino8803.exe
PID 3368 wrote to memory of 4932	3368	kino0842.exe	kino8803.exe
PID 4932 wrote to memory of 2488	4932	kino8803.exe	kino0931.exe
PID 4932 wrote to memory of 2488	4932	kino8803.exe	kino0931.exe
PID 4932 wrote to memory of 2488	4932	kino8803.exe	kino0931.exe
PID 2488 wrote to memory of 4792	2488	kino0931.exe	bus7624.exe
PID 2488 wrote to memory of 4792	2488	kino0931.exe	bus7624.exe
PID 2488 wrote to memory of 2104	2488	kino0931.exe	cor5960.exe
PID 2488 wrote to memory of 2104	2488	kino0931.exe	cor5960.exe
PID 2488 wrote to memory of 2104	2488	kino0931.exe	cor5960.exe
PID 4932 wrote to memory of 3456	4932	kino8803.exe	dFE61s12.exe
PID 4932 wrote to memory of 3456	4932	kino8803.exe	dFE61s12.exe
PID 4932 wrote to memory of 3456	4932	kino8803.exe	dFE61s12.exe
PID 3368 wrote to memory of 1516	3368	kino0842.exe	en140071.exe
PID 3368 wrote to memory of 1516	3368	kino0842.exe	en140071.exe
PID 3368 wrote to memory of 1516	3368	kino0842.exe	en140071.exe
PID 1116 wrote to memory of 4788	1116	9ad2b51503858079de212d2b42dfa66e5f81073d8447365ce51a2fffcd360383.exe	ge005699.exe
PID 1116 wrote to memory of 4788	1116	9ad2b51503858079de212d2b42dfa66e5f81073d8447365ce51a2fffcd360383.exe	ge005699.exe
PID 1116 wrote to memory of 4788	1116	9ad2b51503858079de212d2b42dfa66e5f81073d8447365ce51a2fffcd360383.exe	ge005699.exe
PID 4788 wrote to memory of 4736	4788	ge005699.exe	metafor.exe
PID 4788 wrote to memory of 4736	4788	ge005699.exe	metafor.exe
PID 4788 wrote to memory of 4736	4788	ge005699.exe	metafor.exe
PID 4736 wrote to memory of 3964	4736	metafor.exe	schtasks.exe
PID 4736 wrote to memory of 3964	4736	metafor.exe	schtasks.exe
PID 4736 wrote to memory of 3964	4736	metafor.exe	schtasks.exe
PID 4736 wrote to memory of 4852	4736	metafor.exe	cmd.exe
PID 4736 wrote to memory of 4852	4736	metafor.exe	cmd.exe
PID 4736 wrote to memory of 4852	4736	metafor.exe	cmd.exe
PID 4852 wrote to memory of 3476	4852	cmd.exe	cmd.exe
PID 4852 wrote to memory of 3476	4852	cmd.exe	cmd.exe
PID 4852 wrote to memory of 3476	4852	cmd.exe	cmd.exe
PID 4852 wrote to memory of 2800	4852	cmd.exe	cacls.exe
PID 4852 wrote to memory of 2800	4852	cmd.exe	cacls.exe
PID 4852 wrote to memory of 2800	4852	cmd.exe	cacls.exe
PID 4852 wrote to memory of 4612	4852	cmd.exe	cacls.exe
PID 4852 wrote to memory of 4612	4852	cmd.exe	cacls.exe
PID 4852 wrote to memory of 4612	4852	cmd.exe	cacls.exe
PID 4852 wrote to memory of 4372	4852	cmd.exe	cmd.exe
PID 4852 wrote to memory of 4372	4852	cmd.exe	cmd.exe
PID 4852 wrote to memory of 4372	4852	cmd.exe	cmd.exe
PID 4852 wrote to memory of 4980	4852	cmd.exe	cacls.exe
PID 4852 wrote to memory of 4980	4852	cmd.exe	cacls.exe
PID 4852 wrote to memory of 4980	4852	cmd.exe	cacls.exe
PID 4852 wrote to memory of 3376	4852	cmd.exe	cacls.exe
PID 4852 wrote to memory of 3376	4852	cmd.exe	cacls.exe
PID 4852 wrote to memory of 3376	4852	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\9ad2b51503858079de212d2b42dfa66e5f81073d8447365ce51a2fffcd360383.exe
"C:\Users\Admin\AppData\Local\Temp\9ad2b51503858079de212d2b42dfa66e5f81073d8447365ce51a2fffcd360383.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino0842.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino0842.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino8803.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino8803.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0931.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0931.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7624.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7624.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4792
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5960.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5960.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 1084
        6⤵
        Program crash
        
        PID:4088
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dFE61s12.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dFE61s12.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3456
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 1196
        5⤵
        Program crash
        
        PID:1240
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en140071.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en140071.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge005699.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge005699.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3964
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3476
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:N"
        5⤵
        
        PID:2800
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:R" /E
        5⤵
        
        PID:4612
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4372
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:N"
        5⤵
        
        PID:4980
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:R" /E
        5⤵
        
        PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2104 -ip 2104
1⤵
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3456 -ip 3456
1⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:3840

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:2700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge005699.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge005699.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino0842.exe

Filesize
828KB

MD5
af9849f622c7186d32e8cc344f01a74f

SHA1
3188cbe7fc89742f0c6c56e613e10c8fbfb9e716

SHA256
caf0f3a9695643112e04eae7c64c508d331a3b3dd5d64c1a8abad10689a63ceb

SHA512
e331c8379e518ee7b3064e29286178c13399ace6276550eb18183a576e2e4d3c7ec31ea1f59949e574c58eb6824657358aa82fca8d92efce87db0db754bdfc01

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino0842.exe

Filesize
828KB

MD5
af9849f622c7186d32e8cc344f01a74f

SHA1
3188cbe7fc89742f0c6c56e613e10c8fbfb9e716

SHA256
caf0f3a9695643112e04eae7c64c508d331a3b3dd5d64c1a8abad10689a63ceb

SHA512
e331c8379e518ee7b3064e29286178c13399ace6276550eb18183a576e2e4d3c7ec31ea1f59949e574c58eb6824657358aa82fca8d92efce87db0db754bdfc01

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en140071.exe

Filesize
175KB

MD5
018b839c5ea1438099cd92f268570005

SHA1
5c962942d01b46556c5f3d88a51ab865c051418c

SHA256
593c354b3b09050c92d44a076a7a630a245790ab4fab6e872dbafd89e93cb132

SHA512
67d7a260d200127fe6a6c0dee2bfdd6f84f6bdf3778a8033ae0d51eee1cd717328dba6ee4aff07e4522466317e790f7cd94440fe31adca06269db3d279c31010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en140071.exe

Filesize
175KB

MD5
018b839c5ea1438099cd92f268570005

SHA1
5c962942d01b46556c5f3d88a51ab865c051418c

SHA256
593c354b3b09050c92d44a076a7a630a245790ab4fab6e872dbafd89e93cb132

SHA512
67d7a260d200127fe6a6c0dee2bfdd6f84f6bdf3778a8033ae0d51eee1cd717328dba6ee4aff07e4522466317e790f7cd94440fe31adca06269db3d279c31010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino8803.exe

Filesize
686KB

MD5
bde512aaa7b89d66ecf500fba50066ed

SHA1
82eae65ed0337400767a1f0c1a9eb5d1401a1f0f

SHA256
ec801d843c631bbc327b73b41701bec1ab791125d6fefc1e2f55c9732cf93e81

SHA512
6fd31309c529f1c275c3213a1f54f9632e4b023b7b3540bad94eb6caa4e7def629f951f954080ba47434d643ccfd2c4f2cd6d64646e538d24748e48d9a387d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino8803.exe

Filesize
686KB

MD5
bde512aaa7b89d66ecf500fba50066ed

SHA1
82eae65ed0337400767a1f0c1a9eb5d1401a1f0f

SHA256
ec801d843c631bbc327b73b41701bec1ab791125d6fefc1e2f55c9732cf93e81

SHA512
6fd31309c529f1c275c3213a1f54f9632e4b023b7b3540bad94eb6caa4e7def629f951f954080ba47434d643ccfd2c4f2cd6d64646e538d24748e48d9a387d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dFE61s12.exe

Filesize
356KB

MD5
380b33e26d3b5bbb238487dca5757b95

SHA1
55fb4b64de0ea0b418a58ec879af1c8384772717

SHA256
ad497e14cdb521927f898f580ce63bbfa79c7010b768551934f33d5c86128856

SHA512
8f4b3249ded733c5ef0a643e439dc07db39fd6be25b33e3fe50d787a8e0e9212088f8f42f871b53df61246191f8de4f71379b17c4ddf4b8c27e04cb0cd76fdab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dFE61s12.exe

Filesize
356KB

MD5
380b33e26d3b5bbb238487dca5757b95

SHA1
55fb4b64de0ea0b418a58ec879af1c8384772717

SHA256
ad497e14cdb521927f898f580ce63bbfa79c7010b768551934f33d5c86128856

SHA512
8f4b3249ded733c5ef0a643e439dc07db39fd6be25b33e3fe50d787a8e0e9212088f8f42f871b53df61246191f8de4f71379b17c4ddf4b8c27e04cb0cd76fdab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0931.exe

Filesize
340KB

MD5
dab41f89ac935236423a75be13835905

SHA1
811e133401b16ec8cc69fd4fa15f01b5a017c1c7

SHA256
8b3f99e9aa529f3d2e8e49a1ff060cb57778229e03ca48ae7dd01a032b92511c

SHA512
d5fbdfe370b576e8e8a1b0fb8cc466ffd2a2aba225135f579cd59ab2e923a5e5b4cfae78f5e443810f8c6197ade3b16d200c072ad49de0f3b8a9c821eb68b6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino0931.exe

Filesize
340KB

MD5
dab41f89ac935236423a75be13835905

SHA1
811e133401b16ec8cc69fd4fa15f01b5a017c1c7

SHA256
8b3f99e9aa529f3d2e8e49a1ff060cb57778229e03ca48ae7dd01a032b92511c

SHA512
d5fbdfe370b576e8e8a1b0fb8cc466ffd2a2aba225135f579cd59ab2e923a5e5b4cfae78f5e443810f8c6197ade3b16d200c072ad49de0f3b8a9c821eb68b6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7624.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7624.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5960.exe

Filesize
298KB

MD5
a79a776775df048d347c628527beecfc

SHA1
d31fcdebc3a667d1ad7d29fd1e6e251e8b3d3f8b

SHA256
bee55d6c941abe1b95cd93be1663ab198351c8c6154125e2d86db62c62041b99

SHA512
4bc7a504c43f8e8b4af83010175bc942635fcd93ef5157c9d16558015964ec327c39f98dc06e142a702ae1708bcc0980d48586415a7559a174a9bb5df0fbe48d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5960.exe

Filesize
298KB

MD5
a79a776775df048d347c628527beecfc

SHA1
d31fcdebc3a667d1ad7d29fd1e6e251e8b3d3f8b

SHA256
bee55d6c941abe1b95cd93be1663ab198351c8c6154125e2d86db62c62041b99

SHA512
4bc7a504c43f8e8b4af83010175bc942635fcd93ef5157c9d16558015964ec327c39f98dc06e142a702ae1708bcc0980d48586415a7559a174a9bb5df0fbe48d

Download Submit
memory/1516-1140-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/1516-1139-0x0000000000EB0000-0x0000000000EE2000-memory.dmp

Filesize
200KB

Download
memory/2104-177-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/2104-200-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/2104-189-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/2104-191-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/2104-187-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/2104-185-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/2104-183-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/2104-193-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/2104-195-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/2104-197-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/2104-199-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/2104-181-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/2104-201-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/2104-202-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/2104-204-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/2104-179-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/2104-175-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/2104-173-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/2104-172-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/2104-171-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/2104-169-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/2104-170-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/2104-168-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/2104-167-0x00000000073C0000-0x0000000007964000-memory.dmp

Filesize
5.6MB

Download
memory/3456-216-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/3456-225-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/3456-227-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/3456-229-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/3456-231-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/3456-233-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/3456-235-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/3456-237-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/3456-239-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/3456-241-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/3456-243-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/3456-245-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/3456-1118-0x0000000007990000-0x0000000007FA8000-memory.dmp

Filesize
6.1MB

Download
memory/3456-1119-0x0000000007FB0000-0x00000000080BA000-memory.dmp

Filesize
1.0MB

Download
memory/3456-1120-0x00000000080C0000-0x00000000080D2000-memory.dmp

Filesize
72KB

Download
memory/3456-1121-0x00000000080E0000-0x000000000811C000-memory.dmp

Filesize
240KB

Download
memory/3456-1122-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3456-1124-0x00000000083C0000-0x0000000008426000-memory.dmp

Filesize
408KB

Download
memory/3456-1125-0x0000000008A90000-0x0000000008B22000-memory.dmp

Filesize
584KB

Download
memory/3456-1126-0x0000000008B80000-0x0000000008D42000-memory.dmp

Filesize
1.8MB

Download
memory/3456-1127-0x0000000008D50000-0x000000000927C000-memory.dmp

Filesize
5.2MB

Download
memory/3456-1128-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3456-1129-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3456-1130-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3456-1131-0x00000000095F0000-0x0000000009666000-memory.dmp

Filesize
472KB

Download
memory/3456-223-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3456-222-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/3456-221-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3456-219-0x0000000002B90000-0x0000000002BDB000-memory.dmp

Filesize
300KB

Download
memory/3456-218-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/3456-214-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/3456-212-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/3456-210-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/3456-209-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/3456-1132-0x0000000009680000-0x00000000096D0000-memory.dmp

Filesize
320KB

Download
memory/3456-1134-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4792-161-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download