amadey | 50b5e926533dd2e51dff556456fa3952bdca979988e42edc3e3165b4487ddaf0

Analysis

max time kernel
134s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50b5e926533dd2e51dff556456fa3952bdca979988e42edc3e3165b4487ddaf0.exe
Size

1011KB
MD5

5e5576c4fdff80b655fb4ffbd79cb48e
SHA1

a44cd71c13cbd6ee39388055ebdf9a59d8a28750
SHA256

50b5e926533dd2e51dff556456fa3952bdca979988e42edc3e3165b4487ddaf0
SHA512

07ff369404d3c54e393e822808d12c98e01c0f78190bde1dd58583aeea04eb2ab0408eca5974d12239331d9839a470ce66592d5b5859166a5fc9190c77b37059
SSDEEP

24576:PyxBH33SsJP2/QcE6J8CBMYsnfvRjtFcSm:axNSPu69SfJj

Score

10^/10

amadey redline boris volya discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

volya

193.233.20.31:4125

Attributes

auth_value
0efc9f002a9fbeec5f8b8338141d546a

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bus7761.execor5812.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus7761.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor5812.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor5812.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor5812.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus7761.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus7761.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus7761.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus7761.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus7761.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor5812.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor5812.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor5812.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2876-209-0x0000000004C00000-0x0000000004C3F000-memory.dmp	family_redline
behavioral1/memory/2876-210-0x0000000004C00000-0x0000000004C3F000-memory.dmp	family_redline
behavioral1/memory/2876-212-0x0000000004C00000-0x0000000004C3F000-memory.dmp	family_redline
behavioral1/memory/2876-214-0x0000000004C00000-0x0000000004C3F000-memory.dmp	family_redline
behavioral1/memory/2876-216-0x0000000004C00000-0x0000000004C3F000-memory.dmp	family_redline
behavioral1/memory/2876-218-0x0000000004C00000-0x0000000004C3F000-memory.dmp	family_redline
behavioral1/memory/2876-220-0x0000000004C00000-0x0000000004C3F000-memory.dmp	family_redline
behavioral1/memory/2876-222-0x0000000004C00000-0x0000000004C3F000-memory.dmp	family_redline
behavioral1/memory/2876-224-0x0000000004C00000-0x0000000004C3F000-memory.dmp	family_redline
behavioral1/memory/2876-226-0x0000000004C00000-0x0000000004C3F000-memory.dmp	family_redline
behavioral1/memory/2876-228-0x0000000004C00000-0x0000000004C3F000-memory.dmp	family_redline
behavioral1/memory/2876-230-0x0000000004C00000-0x0000000004C3F000-memory.dmp	family_redline
behavioral1/memory/2876-232-0x0000000004C00000-0x0000000004C3F000-memory.dmp	family_redline
behavioral1/memory/2876-234-0x0000000004C00000-0x0000000004C3F000-memory.dmp	family_redline
behavioral1/memory/2876-236-0x0000000004C00000-0x0000000004C3F000-memory.dmp	family_redline
behavioral1/memory/2876-238-0x0000000004C00000-0x0000000004C3F000-memory.dmp	family_redline
behavioral1/memory/2876-242-0x0000000004C00000-0x0000000004C3F000-memory.dmp	family_redline
behavioral1/memory/2876-240-0x0000000004C00000-0x0000000004C3F000-memory.dmp	family_redline
behavioral1/memory/2876-1129-0x0000000004980000-0x0000000004990000-memory.dmp	family_redline
behavioral1/memory/2876-1127-0x0000000004980000-0x0000000004990000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge632142.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	ge632142.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 11 IoCs

Processes:

kino2099.exekino8872.exekino1587.exebus7761.execor5812.exedgV51s96.exeen866592.exege632142.exemetafor.exemetafor.exemetafor.exe

pid	process
4488	kino2099.exe
1516	kino8872.exe
3824	kino1587.exe
4124	bus7761.exe
4340	cor5812.exe
2876	dgV51s96.exe
3780	en866592.exe
4232	ge632142.exe
3416	metafor.exe
1964	metafor.exe
1080	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus7761.execor5812.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus7761.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor5812.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor5812.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino1587.exe50b5e926533dd2e51dff556456fa3952bdca979988e42edc3e3165b4487ddaf0.exekino2099.exekino8872.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino1587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino1587.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	50b5e926533dd2e51dff556456fa3952bdca979988e42edc3e3165b4487ddaf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	50b5e926533dd2e51dff556456fa3952bdca979988e42edc3e3165b4487ddaf0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino2099.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino2099.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino8872.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino8872.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3724 4340 WerFault.exe cor5812.exe
5088 2876 WerFault.exe dgV51s96.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1232 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus7761.execor5812.exedgV51s96.exeen866592.exe

pid process

4124 bus7761.exe
4124 bus7761.exe
4340 cor5812.exe
4340 cor5812.exe
2876 dgV51s96.exe
2876 dgV51s96.exe
3780 en866592.exe
3780 en866592.exe

pid	pid_target	process	target process
3724	4340	WerFault.exe	cor5812.exe
5088	2876	WerFault.exe	dgV51s96.exe

pid	process
1232	schtasks.exe

pid	process
4124	bus7761.exe
4124	bus7761.exe
4340	cor5812.exe
4340	cor5812.exe
2876	dgV51s96.exe
2876	dgV51s96.exe
3780	en866592.exe
3780	en866592.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus7761.execor5812.exedgV51s96.exeen866592.exe

description	pid	process
Token: SeDebugPrivilege	4124	bus7761.exe
Token: SeDebugPrivilege	4340	cor5812.exe
Token: SeDebugPrivilege	2876	dgV51s96.exe
Token: SeDebugPrivilege	3780	en866592.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

50b5e926533dd2e51dff556456fa3952bdca979988e42edc3e3165b4487ddaf0.exekino2099.exekino8872.exekino1587.exege632142.exemetafor.execmd.exe

description	pid	process	target process
PID 4144 wrote to memory of 4488	4144	50b5e926533dd2e51dff556456fa3952bdca979988e42edc3e3165b4487ddaf0.exe	kino2099.exe
PID 4144 wrote to memory of 4488	4144	50b5e926533dd2e51dff556456fa3952bdca979988e42edc3e3165b4487ddaf0.exe	kino2099.exe
PID 4144 wrote to memory of 4488	4144	50b5e926533dd2e51dff556456fa3952bdca979988e42edc3e3165b4487ddaf0.exe	kino2099.exe
PID 4488 wrote to memory of 1516	4488	kino2099.exe	kino8872.exe
PID 4488 wrote to memory of 1516	4488	kino2099.exe	kino8872.exe
PID 4488 wrote to memory of 1516	4488	kino2099.exe	kino8872.exe
PID 1516 wrote to memory of 3824	1516	kino8872.exe	kino1587.exe
PID 1516 wrote to memory of 3824	1516	kino8872.exe	kino1587.exe
PID 1516 wrote to memory of 3824	1516	kino8872.exe	kino1587.exe
PID 3824 wrote to memory of 4124	3824	kino1587.exe	bus7761.exe
PID 3824 wrote to memory of 4124	3824	kino1587.exe	bus7761.exe
PID 3824 wrote to memory of 4340	3824	kino1587.exe	cor5812.exe
PID 3824 wrote to memory of 4340	3824	kino1587.exe	cor5812.exe
PID 3824 wrote to memory of 4340	3824	kino1587.exe	cor5812.exe
PID 1516 wrote to memory of 2876	1516	kino8872.exe	dgV51s96.exe
PID 1516 wrote to memory of 2876	1516	kino8872.exe	dgV51s96.exe
PID 1516 wrote to memory of 2876	1516	kino8872.exe	dgV51s96.exe
PID 4488 wrote to memory of 3780	4488	kino2099.exe	en866592.exe
PID 4488 wrote to memory of 3780	4488	kino2099.exe	en866592.exe
PID 4488 wrote to memory of 3780	4488	kino2099.exe	en866592.exe
PID 4144 wrote to memory of 4232	4144	50b5e926533dd2e51dff556456fa3952bdca979988e42edc3e3165b4487ddaf0.exe	ge632142.exe
PID 4144 wrote to memory of 4232	4144	50b5e926533dd2e51dff556456fa3952bdca979988e42edc3e3165b4487ddaf0.exe	ge632142.exe
PID 4144 wrote to memory of 4232	4144	50b5e926533dd2e51dff556456fa3952bdca979988e42edc3e3165b4487ddaf0.exe	ge632142.exe
PID 4232 wrote to memory of 3416	4232	ge632142.exe	metafor.exe
PID 4232 wrote to memory of 3416	4232	ge632142.exe	metafor.exe
PID 4232 wrote to memory of 3416	4232	ge632142.exe	metafor.exe
PID 3416 wrote to memory of 1232	3416	metafor.exe	schtasks.exe
PID 3416 wrote to memory of 1232	3416	metafor.exe	schtasks.exe
PID 3416 wrote to memory of 1232	3416	metafor.exe	schtasks.exe
PID 3416 wrote to memory of 4968	3416	metafor.exe	cmd.exe
PID 3416 wrote to memory of 4968	3416	metafor.exe	cmd.exe
PID 3416 wrote to memory of 4968	3416	metafor.exe	cmd.exe
PID 4968 wrote to memory of 2028	4968	cmd.exe	cmd.exe
PID 4968 wrote to memory of 2028	4968	cmd.exe	cmd.exe
PID 4968 wrote to memory of 2028	4968	cmd.exe	cmd.exe
PID 4968 wrote to memory of 3724	4968	cmd.exe	cacls.exe
PID 4968 wrote to memory of 3724	4968	cmd.exe	cacls.exe
PID 4968 wrote to memory of 3724	4968	cmd.exe	cacls.exe
PID 4968 wrote to memory of 2928	4968	cmd.exe	cacls.exe
PID 4968 wrote to memory of 2928	4968	cmd.exe	cacls.exe
PID 4968 wrote to memory of 2928	4968	cmd.exe	cacls.exe
PID 4968 wrote to memory of 1172	4968	cmd.exe	cmd.exe
PID 4968 wrote to memory of 1172	4968	cmd.exe	cmd.exe
PID 4968 wrote to memory of 1172	4968	cmd.exe	cmd.exe
PID 4968 wrote to memory of 3824	4968	cmd.exe	cacls.exe
PID 4968 wrote to memory of 3824	4968	cmd.exe	cacls.exe
PID 4968 wrote to memory of 3824	4968	cmd.exe	cacls.exe
PID 4968 wrote to memory of 2188	4968	cmd.exe	cacls.exe
PID 4968 wrote to memory of 2188	4968	cmd.exe	cacls.exe
PID 4968 wrote to memory of 2188	4968	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\50b5e926533dd2e51dff556456fa3952bdca979988e42edc3e3165b4487ddaf0.exe
"C:\Users\Admin\AppData\Local\Temp\50b5e926533dd2e51dff556456fa3952bdca979988e42edc3e3165b4487ddaf0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2099.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2099.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino8872.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino8872.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino1587.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino1587.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3824
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7761.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7761.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5812.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5812.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4340
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1088
        6⤵
        Program crash
        
        PID:3724
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dgV51s96.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dgV51s96.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2876
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1352
        5⤵
        Program crash
        
        PID:5088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en866592.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en866592.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3780
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge632142.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge632142.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1232
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2028
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:N"
        5⤵
        
        PID:3724
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:R" /E
        5⤵
        
        PID:2928
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:N"
        5⤵
        
        PID:3824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1172
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:R" /E
        5⤵
        
        PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4340 -ip 4340
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2876 -ip 2876
1⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:1964

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:1080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge632142.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge632142.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2099.exe

Filesize
829KB

MD5
bfbee83ec374fdcf189e5476b36089d6

SHA1
3158ce4b5880f1ba7a0e653af2f328cc74c1dc12

SHA256
730f5449b76b9e73f6d8c078341d59ed20d48f1dcae4a3fed0e2862267baf827

SHA512
957d97411a802258e21175ce290f445dac28499bb8c78aefa2383bacf25ccfae477fafe4a147a448bfaa93c2deb6a8acd12d6e696a8adb44863fc8563dcf35fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2099.exe

Filesize
829KB

MD5
bfbee83ec374fdcf189e5476b36089d6

SHA1
3158ce4b5880f1ba7a0e653af2f328cc74c1dc12

SHA256
730f5449b76b9e73f6d8c078341d59ed20d48f1dcae4a3fed0e2862267baf827

SHA512
957d97411a802258e21175ce290f445dac28499bb8c78aefa2383bacf25ccfae477fafe4a147a448bfaa93c2deb6a8acd12d6e696a8adb44863fc8563dcf35fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en866592.exe

Filesize
175KB

MD5
018b839c5ea1438099cd92f268570005

SHA1
5c962942d01b46556c5f3d88a51ab865c051418c

SHA256
593c354b3b09050c92d44a076a7a630a245790ab4fab6e872dbafd89e93cb132

SHA512
67d7a260d200127fe6a6c0dee2bfdd6f84f6bdf3778a8033ae0d51eee1cd717328dba6ee4aff07e4522466317e790f7cd94440fe31adca06269db3d279c31010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en866592.exe

Filesize
175KB

MD5
018b839c5ea1438099cd92f268570005

SHA1
5c962942d01b46556c5f3d88a51ab865c051418c

SHA256
593c354b3b09050c92d44a076a7a630a245790ab4fab6e872dbafd89e93cb132

SHA512
67d7a260d200127fe6a6c0dee2bfdd6f84f6bdf3778a8033ae0d51eee1cd717328dba6ee4aff07e4522466317e790f7cd94440fe31adca06269db3d279c31010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino8872.exe

Filesize
686KB

MD5
befdf5c895b63ad30568c0d803822508

SHA1
99cd9558fa73b2119e9e56463467129173b13904

SHA256
f1c68f3a96a9df9b625b6d7ed747c61ff344634eac56ff1abc95b9c0468078ab

SHA512
b008fa66e98964b53eea4f11eae78097c4e8aafffe0bb379b19b4f03ef98c9026da457a6426c5d877883f4b680d3f74aac04609554e92232ac3f07ff6b3e0d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino8872.exe

Filesize
686KB

MD5
befdf5c895b63ad30568c0d803822508

SHA1
99cd9558fa73b2119e9e56463467129173b13904

SHA256
f1c68f3a96a9df9b625b6d7ed747c61ff344634eac56ff1abc95b9c0468078ab

SHA512
b008fa66e98964b53eea4f11eae78097c4e8aafffe0bb379b19b4f03ef98c9026da457a6426c5d877883f4b680d3f74aac04609554e92232ac3f07ff6b3e0d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dgV51s96.exe

Filesize
356KB

MD5
f3c980162c02bb28ea21657a50c78915

SHA1
5b3f08d9312a4bddc5b95a17bf9d59179e673c82

SHA256
63e0fe697049dc638636076726b460c29d4d780276a1dcdec984ea096a7ba574

SHA512
60d9af6603069162c4dd721703e42b4d07098a40a80a51bcdc6e2493451cd007e8da560ed02d14171671435b0a6c3a3978d09b578e6ef6b49346d7229ccf7921

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dgV51s96.exe

Filesize
356KB

MD5
f3c980162c02bb28ea21657a50c78915

SHA1
5b3f08d9312a4bddc5b95a17bf9d59179e673c82

SHA256
63e0fe697049dc638636076726b460c29d4d780276a1dcdec984ea096a7ba574

SHA512
60d9af6603069162c4dd721703e42b4d07098a40a80a51bcdc6e2493451cd007e8da560ed02d14171671435b0a6c3a3978d09b578e6ef6b49346d7229ccf7921

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino1587.exe

Filesize
340KB

MD5
5c43ddd2afdf45e819eb08cafc97ddb6

SHA1
a790b31b5e173507938adf823e073d4b76ef354b

SHA256
9a7c95f2a2e63b6c3a7cf380bd6600325b514e34442c79458e505ed2c129909c

SHA512
5f6e6f44f46fc5d2adc082994e30ff2f0b1a6c95fa289499a2208182185afa1e71e0d4f5f4105a6b0b2cb1dc6103b634e921cdc45ce5b435578e11eccf4fac8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino1587.exe

Filesize
340KB

MD5
5c43ddd2afdf45e819eb08cafc97ddb6

SHA1
a790b31b5e173507938adf823e073d4b76ef354b

SHA256
9a7c95f2a2e63b6c3a7cf380bd6600325b514e34442c79458e505ed2c129909c

SHA512
5f6e6f44f46fc5d2adc082994e30ff2f0b1a6c95fa289499a2208182185afa1e71e0d4f5f4105a6b0b2cb1dc6103b634e921cdc45ce5b435578e11eccf4fac8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7761.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7761.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5812.exe

Filesize
298KB

MD5
79edfcc511143eea161b3832f0a41b03

SHA1
8587df30e50451361807eb7c86ee45d9bab3bb3d

SHA256
67b9353b156fe212565535c6c2892e2125dec3c4c90bc7af465ffdb4b6198ad1

SHA512
0b8011b924874741d141665c2cf0c6522ec183031eba52399da217b8ef53a5f8aa994c73bb3ebb7171382fbdee0c766af97e44baf5b5eb5123c2f40e1eb73534

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5812.exe

Filesize
298KB

MD5
79edfcc511143eea161b3832f0a41b03

SHA1
8587df30e50451361807eb7c86ee45d9bab3bb3d

SHA256
67b9353b156fe212565535c6c2892e2125dec3c4c90bc7af465ffdb4b6198ad1

SHA512
0b8011b924874741d141665c2cf0c6522ec183031eba52399da217b8ef53a5f8aa994c73bb3ebb7171382fbdee0c766af97e44baf5b5eb5123c2f40e1eb73534

Download Submit
memory/2876-1124-0x0000000008280000-0x0000000008312000-memory.dmp

Filesize
584KB

Download
memory/2876-238-0x0000000004C00000-0x0000000004C3F000-memory.dmp

Filesize
252KB

Download
memory/2876-1133-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/2876-1132-0x0000000009420000-0x0000000009470000-memory.dmp

Filesize
320KB

Download
memory/2876-1131-0x00000000093A0000-0x0000000009416000-memory.dmp

Filesize
472KB

Download
memory/2876-1130-0x0000000008D20000-0x000000000924C000-memory.dmp

Filesize
5.2MB

Download
memory/2876-1127-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/2876-1128-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/2876-1129-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/2876-1126-0x0000000008B40000-0x0000000008D02000-memory.dmp

Filesize
1.8MB

Download
memory/2876-1125-0x0000000008320000-0x0000000008386000-memory.dmp

Filesize
408KB

Download
memory/2876-1122-0x0000000007F90000-0x0000000007FCC000-memory.dmp

Filesize
240KB

Download
memory/2876-1121-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/2876-1120-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/2876-1119-0x0000000007E30000-0x0000000007F3A000-memory.dmp

Filesize
1.0MB

Download
memory/2876-1118-0x00000000077A0000-0x0000000007DB8000-memory.dmp

Filesize
6.1MB

Download
memory/2876-209-0x0000000004C00000-0x0000000004C3F000-memory.dmp

Filesize
252KB

Download
memory/2876-210-0x0000000004C00000-0x0000000004C3F000-memory.dmp

Filesize
252KB

Download
memory/2876-212-0x0000000004C00000-0x0000000004C3F000-memory.dmp

Filesize
252KB

Download
memory/2876-214-0x0000000004C00000-0x0000000004C3F000-memory.dmp

Filesize
252KB

Download
memory/2876-216-0x0000000004C00000-0x0000000004C3F000-memory.dmp

Filesize
252KB

Download
memory/2876-218-0x0000000004C00000-0x0000000004C3F000-memory.dmp

Filesize
252KB

Download
memory/2876-220-0x0000000004C00000-0x0000000004C3F000-memory.dmp

Filesize
252KB

Download
memory/2876-222-0x0000000004C00000-0x0000000004C3F000-memory.dmp

Filesize
252KB

Download
memory/2876-224-0x0000000004C00000-0x0000000004C3F000-memory.dmp

Filesize
252KB

Download
memory/2876-226-0x0000000004C00000-0x0000000004C3F000-memory.dmp

Filesize
252KB

Download
memory/2876-228-0x0000000004C00000-0x0000000004C3F000-memory.dmp

Filesize
252KB

Download
memory/2876-230-0x0000000004C00000-0x0000000004C3F000-memory.dmp

Filesize
252KB

Download
memory/2876-232-0x0000000004C00000-0x0000000004C3F000-memory.dmp

Filesize
252KB

Download
memory/2876-234-0x0000000004C00000-0x0000000004C3F000-memory.dmp

Filesize
252KB

Download
memory/2876-236-0x0000000004C00000-0x0000000004C3F000-memory.dmp

Filesize
252KB

Download
memory/2876-244-0x0000000002C60000-0x0000000002CAB000-memory.dmp

Filesize
300KB

Download
memory/2876-242-0x0000000004C00000-0x0000000004C3F000-memory.dmp

Filesize
252KB

Download
memory/2876-240-0x0000000004C00000-0x0000000004C3F000-memory.dmp

Filesize
252KB

Download
memory/2876-247-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/2876-248-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/3780-1139-0x00000000009E0000-0x0000000000A12000-memory.dmp

Filesize
200KB

Download
memory/3780-1140-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/4124-161-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/4340-178-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4340-190-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4340-202-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4340-184-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4340-200-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4340-199-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/4340-198-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4340-196-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4340-194-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4340-192-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4340-188-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4340-201-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4340-186-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4340-176-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4340-172-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4340-204-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/4340-182-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4340-174-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4340-171-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4340-170-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4340-169-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4340-168-0x0000000002C80000-0x0000000002CAD000-memory.dmp

Filesize
180KB

Download
memory/4340-167-0x00000000072F0000-0x0000000007894000-memory.dmp

Filesize
5.6MB

Download
memory/4340-180-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download