amadey | a779c025cfefad2e60e151c12124dd6dbe04eb1576f113bc7b5cb0f75447d9d0

Analysis

max time kernel
134s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a779c025cfefad2e60e151c12124dd6dbe04eb1576f113bc7b5cb0f75447d9d0.exe
Size

1011KB
MD5

c845a7009ef3e4873938d0d9cf6b56d1
SHA1

87e9843ee14d1d9297ed2a28a1abae94e850d4d3
SHA256

a779c025cfefad2e60e151c12124dd6dbe04eb1576f113bc7b5cb0f75447d9d0
SHA512

baf623bdc6853d4b0f12b0015471ff9e9ade1f6ba92dfecde6c9590b70e465775a1fe2cb6d33b5668d311bfcb0832e3e00e511e2ef14e92e9f4833a941116043
SSDEEP

12288:HMrey9089olKgvKI1+tj4aP8DXFIoUTWTt/Obt1SgaU7kvO2dngLxb+v38RG2MKk:NyoKW1+p4aEDXaorKSuk3dgsYG2MeQH

Score

10^/10

amadey redline down volya discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

volya

193.233.20.31:4125

Attributes

auth_value
0efc9f002a9fbeec5f8b8338141d546a

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bus3010.execor3643.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus3010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus3010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor3643.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor3643.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor3643.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus3010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus3010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus3010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus3010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor3643.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor3643.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor3643.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3144-210-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral1/memory/3144-211-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral1/memory/3144-213-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral1/memory/3144-215-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral1/memory/3144-217-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral1/memory/3144-224-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral1/memory/3144-220-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral1/memory/3144-227-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral1/memory/3144-229-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral1/memory/3144-231-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral1/memory/3144-233-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral1/memory/3144-235-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral1/memory/3144-237-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral1/memory/3144-239-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral1/memory/3144-241-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral1/memory/3144-243-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral1/memory/3144-245-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral1/memory/3144-247-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral1/memory/3144-1129-0x0000000002DF0000-0x0000000002E00000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge896593.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	ge896593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 11 IoCs

Processes:

kino2715.exekino9671.exekino2982.exebus3010.execor3643.exedYI50s29.exeen614972.exege896593.exemetafor.exemetafor.exemetafor.exe

pid	process
1376	kino2715.exe
2416	kino9671.exe
3488	kino2982.exe
2820	bus3010.exe
3160	cor3643.exe
3144	dYI50s29.exe
4632	en614972.exe
404	ge896593.exe
3176	metafor.exe
2568	metafor.exe
4576	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cor3643.exebus3010.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor3643.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus3010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor3643.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino2982.exea779c025cfefad2e60e151c12124dd6dbe04eb1576f113bc7b5cb0f75447d9d0.exekino2715.exekino9671.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino2982.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a779c025cfefad2e60e151c12124dd6dbe04eb1576f113bc7b5cb0f75447d9d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a779c025cfefad2e60e151c12124dd6dbe04eb1576f113bc7b5cb0f75447d9d0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino2715.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino2715.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino9671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino9671.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino2982.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

928 3160 WerFault.exe cor3643.exe
1420 3144 WerFault.exe dYI50s29.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2752 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus3010.execor3643.exedYI50s29.exeen614972.exe

pid process

2820 bus3010.exe
2820 bus3010.exe
3160 cor3643.exe
3160 cor3643.exe
3144 dYI50s29.exe
3144 dYI50s29.exe
4632 en614972.exe
4632 en614972.exe

pid	pid_target	process	target process
928	3160	WerFault.exe	cor3643.exe
1420	3144	WerFault.exe	dYI50s29.exe

pid	process
2752	schtasks.exe

pid	process
2820	bus3010.exe
2820	bus3010.exe
3160	cor3643.exe
3160	cor3643.exe
3144	dYI50s29.exe
3144	dYI50s29.exe
4632	en614972.exe
4632	en614972.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus3010.execor3643.exedYI50s29.exeen614972.exe

description	pid	process
Token: SeDebugPrivilege	2820	bus3010.exe
Token: SeDebugPrivilege	3160	cor3643.exe
Token: SeDebugPrivilege	3144	dYI50s29.exe
Token: SeDebugPrivilege	4632	en614972.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

a779c025cfefad2e60e151c12124dd6dbe04eb1576f113bc7b5cb0f75447d9d0.exekino2715.exekino9671.exekino2982.exege896593.exemetafor.execmd.exe

description	pid	process	target process
PID 476 wrote to memory of 1376	476	a779c025cfefad2e60e151c12124dd6dbe04eb1576f113bc7b5cb0f75447d9d0.exe	kino2715.exe
PID 476 wrote to memory of 1376	476	a779c025cfefad2e60e151c12124dd6dbe04eb1576f113bc7b5cb0f75447d9d0.exe	kino2715.exe
PID 476 wrote to memory of 1376	476	a779c025cfefad2e60e151c12124dd6dbe04eb1576f113bc7b5cb0f75447d9d0.exe	kino2715.exe
PID 1376 wrote to memory of 2416	1376	kino2715.exe	kino9671.exe
PID 1376 wrote to memory of 2416	1376	kino2715.exe	kino9671.exe
PID 1376 wrote to memory of 2416	1376	kino2715.exe	kino9671.exe
PID 2416 wrote to memory of 3488	2416	kino9671.exe	kino2982.exe
PID 2416 wrote to memory of 3488	2416	kino9671.exe	kino2982.exe
PID 2416 wrote to memory of 3488	2416	kino9671.exe	kino2982.exe
PID 3488 wrote to memory of 2820	3488	kino2982.exe	bus3010.exe
PID 3488 wrote to memory of 2820	3488	kino2982.exe	bus3010.exe
PID 3488 wrote to memory of 3160	3488	kino2982.exe	cor3643.exe
PID 3488 wrote to memory of 3160	3488	kino2982.exe	cor3643.exe
PID 3488 wrote to memory of 3160	3488	kino2982.exe	cor3643.exe
PID 2416 wrote to memory of 3144	2416	kino9671.exe	dYI50s29.exe
PID 2416 wrote to memory of 3144	2416	kino9671.exe	dYI50s29.exe
PID 2416 wrote to memory of 3144	2416	kino9671.exe	dYI50s29.exe
PID 1376 wrote to memory of 4632	1376	kino2715.exe	en614972.exe
PID 1376 wrote to memory of 4632	1376	kino2715.exe	en614972.exe
PID 1376 wrote to memory of 4632	1376	kino2715.exe	en614972.exe
PID 476 wrote to memory of 404	476	a779c025cfefad2e60e151c12124dd6dbe04eb1576f113bc7b5cb0f75447d9d0.exe	ge896593.exe
PID 476 wrote to memory of 404	476	a779c025cfefad2e60e151c12124dd6dbe04eb1576f113bc7b5cb0f75447d9d0.exe	ge896593.exe
PID 476 wrote to memory of 404	476	a779c025cfefad2e60e151c12124dd6dbe04eb1576f113bc7b5cb0f75447d9d0.exe	ge896593.exe
PID 404 wrote to memory of 3176	404	ge896593.exe	metafor.exe
PID 404 wrote to memory of 3176	404	ge896593.exe	metafor.exe
PID 404 wrote to memory of 3176	404	ge896593.exe	metafor.exe
PID 3176 wrote to memory of 2752	3176	metafor.exe	schtasks.exe
PID 3176 wrote to memory of 2752	3176	metafor.exe	schtasks.exe
PID 3176 wrote to memory of 2752	3176	metafor.exe	schtasks.exe
PID 3176 wrote to memory of 3984	3176	metafor.exe	cmd.exe
PID 3176 wrote to memory of 3984	3176	metafor.exe	cmd.exe
PID 3176 wrote to memory of 3984	3176	metafor.exe	cmd.exe
PID 3984 wrote to memory of 4860	3984	cmd.exe	cmd.exe
PID 3984 wrote to memory of 4860	3984	cmd.exe	cmd.exe
PID 3984 wrote to memory of 4860	3984	cmd.exe	cmd.exe
PID 3984 wrote to memory of 4856	3984	cmd.exe	cacls.exe
PID 3984 wrote to memory of 4856	3984	cmd.exe	cacls.exe
PID 3984 wrote to memory of 4856	3984	cmd.exe	cacls.exe
PID 3984 wrote to memory of 3400	3984	cmd.exe	cacls.exe
PID 3984 wrote to memory of 3400	3984	cmd.exe	cacls.exe
PID 3984 wrote to memory of 3400	3984	cmd.exe	cacls.exe
PID 3984 wrote to memory of 3112	3984	cmd.exe	cmd.exe
PID 3984 wrote to memory of 3112	3984	cmd.exe	cmd.exe
PID 3984 wrote to memory of 3112	3984	cmd.exe	cmd.exe
PID 3984 wrote to memory of 3208	3984	cmd.exe	cacls.exe
PID 3984 wrote to memory of 3208	3984	cmd.exe	cacls.exe
PID 3984 wrote to memory of 3208	3984	cmd.exe	cacls.exe
PID 3984 wrote to memory of 4056	3984	cmd.exe	cacls.exe
PID 3984 wrote to memory of 4056	3984	cmd.exe	cacls.exe
PID 3984 wrote to memory of 4056	3984	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\a779c025cfefad2e60e151c12124dd6dbe04eb1576f113bc7b5cb0f75447d9d0.exe
"C:\Users\Admin\AppData\Local\Temp\a779c025cfefad2e60e151c12124dd6dbe04eb1576f113bc7b5cb0f75447d9d0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:476
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2715.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2715.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9671.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9671.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2982.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2982.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3488
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3010.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3010.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3643.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3643.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3160
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1076
        6⤵
        Program crash
        
        PID:928
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dYI50s29.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dYI50s29.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3144
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1340
        5⤵
        Program crash
        
        PID:1420
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en614972.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en614972.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4632
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge896593.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge896593.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:2752
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4860
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:N"
        5⤵
        
        PID:4856
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:R" /E
        5⤵
        
        PID:3400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3112
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:N"
        5⤵
        
        PID:3208
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:R" /E
        5⤵
        
        PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3160 -ip 3160
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3144 -ip 3144
1⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:2568

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:4576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge896593.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge896593.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2715.exe

Filesize
829KB

MD5
be7b257342e6517f4aaf6aa8bffc21f7

SHA1
59e802bdc2953360faafce4dbb888fdd8deae548

SHA256
9bcc38ea195bbf336cafd5cdde9bf3b35f823ea7b272d47bfdb7f848cd8defb0

SHA512
1defd5054ea8e89785623dcfa01cc96a15f91159ec8c6ac8496ba25d7143a9e1c4f5d50e8d325e254c3e84e35ef39977bbd7c49f9ff6075fe70e528d1d142c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2715.exe

Filesize
829KB

MD5
be7b257342e6517f4aaf6aa8bffc21f7

SHA1
59e802bdc2953360faafce4dbb888fdd8deae548

SHA256
9bcc38ea195bbf336cafd5cdde9bf3b35f823ea7b272d47bfdb7f848cd8defb0

SHA512
1defd5054ea8e89785623dcfa01cc96a15f91159ec8c6ac8496ba25d7143a9e1c4f5d50e8d325e254c3e84e35ef39977bbd7c49f9ff6075fe70e528d1d142c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en614972.exe

Filesize
175KB

MD5
018b839c5ea1438099cd92f268570005

SHA1
5c962942d01b46556c5f3d88a51ab865c051418c

SHA256
593c354b3b09050c92d44a076a7a630a245790ab4fab6e872dbafd89e93cb132

SHA512
67d7a260d200127fe6a6c0dee2bfdd6f84f6bdf3778a8033ae0d51eee1cd717328dba6ee4aff07e4522466317e790f7cd94440fe31adca06269db3d279c31010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en614972.exe

Filesize
175KB

MD5
018b839c5ea1438099cd92f268570005

SHA1
5c962942d01b46556c5f3d88a51ab865c051418c

SHA256
593c354b3b09050c92d44a076a7a630a245790ab4fab6e872dbafd89e93cb132

SHA512
67d7a260d200127fe6a6c0dee2bfdd6f84f6bdf3778a8033ae0d51eee1cd717328dba6ee4aff07e4522466317e790f7cd94440fe31adca06269db3d279c31010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9671.exe

Filesize
686KB

MD5
af5c914e3f4f449255760459c838bb68

SHA1
96254b2821c3bd7bc9f240fc3a4daadd849f4251

SHA256
de40c7dbff2edbc79b886233dab86070904df3b3b5fc52604eff70d51541500c

SHA512
9101cb599f58b2cd243c98158ab6041fa7ba93951d3104d940d12c9e7851a3b32b48148d9f0f50d9ddc2f6120c0a835a9683f0fe45a1bef4bab342bf3c77a1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9671.exe

Filesize
686KB

MD5
af5c914e3f4f449255760459c838bb68

SHA1
96254b2821c3bd7bc9f240fc3a4daadd849f4251

SHA256
de40c7dbff2edbc79b886233dab86070904df3b3b5fc52604eff70d51541500c

SHA512
9101cb599f58b2cd243c98158ab6041fa7ba93951d3104d940d12c9e7851a3b32b48148d9f0f50d9ddc2f6120c0a835a9683f0fe45a1bef4bab342bf3c77a1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dYI50s29.exe

Filesize
356KB

MD5
a72f340dcce871e8d6709ec3f717dab7

SHA1
7c05022e225d69521cd9cc4a99bcea242c5708e7

SHA256
fafe1730c25e53bc644c336daedcbe2e84f56a5cee03079e8aee527d6a5d2d03

SHA512
59c164716b9b7758baef07c1f06e35c0e37634e60962f7826ad291f5d5ccb051dd10fa518fc18371221bcb07529cc181e9e5a230b5e8d9e16940040196bdb658

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dYI50s29.exe

Filesize
356KB

MD5
a72f340dcce871e8d6709ec3f717dab7

SHA1
7c05022e225d69521cd9cc4a99bcea242c5708e7

SHA256
fafe1730c25e53bc644c336daedcbe2e84f56a5cee03079e8aee527d6a5d2d03

SHA512
59c164716b9b7758baef07c1f06e35c0e37634e60962f7826ad291f5d5ccb051dd10fa518fc18371221bcb07529cc181e9e5a230b5e8d9e16940040196bdb658

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2982.exe

Filesize
340KB

MD5
797c69c5181d72d3bd862c234254a8ed

SHA1
d3b96e176d2b6b9ce07f30b7d2e48f048c111460

SHA256
801d3ef0ba7b49ccb83cb86c8d7c9c3ba467cca02090ff7b7b5c70507faa83a9

SHA512
8eb08282372f966f318b3c4b4179dc8158bd82e9568982698467c8b53685ccdd45cedfea9bcf70f51379aafdc583751546fcf98b2a89cc0871448597b002e49e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2982.exe

Filesize
340KB

MD5
797c69c5181d72d3bd862c234254a8ed

SHA1
d3b96e176d2b6b9ce07f30b7d2e48f048c111460

SHA256
801d3ef0ba7b49ccb83cb86c8d7c9c3ba467cca02090ff7b7b5c70507faa83a9

SHA512
8eb08282372f966f318b3c4b4179dc8158bd82e9568982698467c8b53685ccdd45cedfea9bcf70f51379aafdc583751546fcf98b2a89cc0871448597b002e49e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3010.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3010.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3643.exe

Filesize
298KB

MD5
4cf18aff76dbaaed3b9f0e4389774624

SHA1
6662d0c2c5b5f8a58b94a3772c7117463de5806f

SHA256
e136e95c9bc98d3ec45d47386f0e483b622a2f22f43990c2e8eec6ddee716d37

SHA512
0c41453e169bf2765ff652cfdb66de68479e1419fd055227ea76cc857e789cb203fe03e0f8c16afef0a6869e37cf1b16102dc073031ff7673c5fbcf524932f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3643.exe

Filesize
298KB

MD5
4cf18aff76dbaaed3b9f0e4389774624

SHA1
6662d0c2c5b5f8a58b94a3772c7117463de5806f

SHA256
e136e95c9bc98d3ec45d47386f0e483b622a2f22f43990c2e8eec6ddee716d37

SHA512
0c41453e169bf2765ff652cfdb66de68479e1419fd055227ea76cc857e789cb203fe03e0f8c16afef0a6869e37cf1b16102dc073031ff7673c5fbcf524932f88

Download Submit
memory/2820-161-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download
memory/3144-1123-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/3144-235-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/3144-1135-0x000000000A970000-0x000000000A9C0000-memory.dmp

Filesize
320KB

Download
memory/3144-1134-0x000000000A8F0000-0x000000000A966000-memory.dmp

Filesize
472KB

Download
memory/3144-1133-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/3144-1132-0x0000000008D60000-0x000000000928C000-memory.dmp

Filesize
5.2MB

Download
memory/3144-1131-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/3144-1130-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/3144-1129-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/3144-1128-0x0000000008B80000-0x0000000008D42000-memory.dmp

Filesize
1.8MB

Download
memory/3144-1127-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/3144-1126-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/3144-1124-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/3144-1122-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/3144-1121-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/3144-1120-0x00000000078D0000-0x0000000007EE8000-memory.dmp

Filesize
6.1MB

Download
memory/3144-210-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/3144-211-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/3144-213-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/3144-215-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/3144-217-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/3144-219-0x0000000002C60000-0x0000000002CAB000-memory.dmp

Filesize
300KB

Download
memory/3144-221-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/3144-223-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/3144-224-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/3144-220-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/3144-226-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/3144-227-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/3144-229-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/3144-231-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/3144-233-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/3144-247-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/3144-237-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/3144-239-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/3144-241-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/3144-243-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/3144-245-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/3160-193-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/3160-167-0x0000000007190000-0x0000000007734000-memory.dmp

Filesize
5.6MB

Download
memory/3160-185-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/3160-205-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/3160-179-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/3160-203-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/3160-202-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/3160-201-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/3160-200-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/3160-199-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/3160-197-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/3160-195-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/3160-183-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/3160-181-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/3160-172-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/3160-187-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/3160-177-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/3160-175-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/3160-191-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/3160-168-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/3160-173-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/3160-189-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/3160-171-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/3160-170-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/3160-169-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/4632-1142-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/4632-1141-0x0000000000210000-0x0000000000242000-memory.dmp

Filesize
200KB

Download