amadey | d86795f4789d57a7355afd89f5db02e3b5c2b404a413ddcbd0d6924e94c52d02

Analysis

max time kernel
136s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eda79afb5d162cda849d6b683b530aa45158cefb502adc56064993d3110289ac.exe
Size

1.0MB
MD5

5e7c5b6487f6d543fcf04767ecb616ac
SHA1

88b0c5f020b5b65415ba3029ededfdaef92a6a85
SHA256

eda79afb5d162cda849d6b683b530aa45158cefb502adc56064993d3110289ac
SHA512

74a628b1e314354d7ee09647c5b030052e6159ed2c4d2a981cbb090541b1702dcea016e2a1282ca2ab58b2e02eeb962ee6e9fcb9bb62211162270c08f779a3f8
SSDEEP

24576:Wy/dKJDSoz1G4YfR5Hde7gaFRkMW5EqiibubxUpf:l/dKQoz1G4u9ecqkVUs4S

Score

10^/10

amadey redline boris braza discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

braza

193.233.20.32:4125

Attributes

auth_value
ebe61b54deeef75cf8466416c0857088

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bu905991.execor9535.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bu905991.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bu905991.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bu905991.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor9535.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor9535.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor9535.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor9535.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bu905991.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bu905991.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bu905991.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor9535.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor9535.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4252-208-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral2/memory/4252-209-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral2/memory/4252-211-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral2/memory/4252-218-0x0000000007230000-0x0000000007240000-memory.dmp	family_redline
behavioral2/memory/4252-219-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral2/memory/4252-214-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral2/memory/4252-221-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral2/memory/4252-223-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral2/memory/4252-225-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral2/memory/4252-227-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral2/memory/4252-229-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral2/memory/4252-231-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral2/memory/4252-233-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral2/memory/4252-235-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral2/memory/4252-237-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral2/memory/4252-239-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral2/memory/4252-241-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral2/memory/4252-243-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral2/memory/4252-245-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge044815.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	ge044815.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 11 IoCs

Processes:

kina8564.exekina7425.exekina3305.exebu905991.execor9535.exedKW93s85.exeen082795.exege044815.exemetafor.exemetafor.exemetafor.exe

pid	process
2656	kina8564.exe
2404	kina7425.exe
4520	kina3305.exe
2720	bu905991.exe
1288	cor9535.exe
4252	dKW93s85.exe
2224	en082795.exe
1744	ge044815.exe
3124	metafor.exe
1280	metafor.exe
2356	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bu905991.execor9535.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bu905991.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor9535.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor9535.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kina8564.exekina7425.exekina3305.exeeda79afb5d162cda849d6b683b530aa45158cefb502adc56064993d3110289ac.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina8564.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina7425.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina7425.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina3305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina3305.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	eda79afb5d162cda849d6b683b530aa45158cefb502adc56064993d3110289ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eda79afb5d162cda849d6b683b530aa45158cefb502adc56064993d3110289ac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina8564.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2916 1288 WerFault.exe cor9535.exe
4924 4252 WerFault.exe dKW93s85.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1888 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bu905991.execor9535.exedKW93s85.exeen082795.exe

pid process

2720 bu905991.exe
2720 bu905991.exe
1288 cor9535.exe
1288 cor9535.exe
4252 dKW93s85.exe
4252 dKW93s85.exe
2224 en082795.exe
2224 en082795.exe

pid	pid_target	process	target process
2916	1288	WerFault.exe	cor9535.exe
4924	4252	WerFault.exe	dKW93s85.exe

pid	process
1888	schtasks.exe

pid	process
2720	bu905991.exe
2720	bu905991.exe
1288	cor9535.exe
1288	cor9535.exe
4252	dKW93s85.exe
4252	dKW93s85.exe
2224	en082795.exe
2224	en082795.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bu905991.execor9535.exedKW93s85.exeen082795.exe

description	pid	process
Token: SeDebugPrivilege	2720	bu905991.exe
Token: SeDebugPrivilege	1288	cor9535.exe
Token: SeDebugPrivilege	4252	dKW93s85.exe
Token: SeDebugPrivilege	2224	en082795.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

eda79afb5d162cda849d6b683b530aa45158cefb502adc56064993d3110289ac.exekina8564.exekina7425.exekina3305.exege044815.exemetafor.execmd.exe

description	pid	process	target process
PID 1600 wrote to memory of 2656	1600	eda79afb5d162cda849d6b683b530aa45158cefb502adc56064993d3110289ac.exe	kina8564.exe
PID 1600 wrote to memory of 2656	1600	eda79afb5d162cda849d6b683b530aa45158cefb502adc56064993d3110289ac.exe	kina8564.exe
PID 1600 wrote to memory of 2656	1600	eda79afb5d162cda849d6b683b530aa45158cefb502adc56064993d3110289ac.exe	kina8564.exe
PID 2656 wrote to memory of 2404	2656	kina8564.exe	kina7425.exe
PID 2656 wrote to memory of 2404	2656	kina8564.exe	kina7425.exe
PID 2656 wrote to memory of 2404	2656	kina8564.exe	kina7425.exe
PID 2404 wrote to memory of 4520	2404	kina7425.exe	kina3305.exe
PID 2404 wrote to memory of 4520	2404	kina7425.exe	kina3305.exe
PID 2404 wrote to memory of 4520	2404	kina7425.exe	kina3305.exe
PID 4520 wrote to memory of 2720	4520	kina3305.exe	bu905991.exe
PID 4520 wrote to memory of 2720	4520	kina3305.exe	bu905991.exe
PID 4520 wrote to memory of 1288	4520	kina3305.exe	cor9535.exe
PID 4520 wrote to memory of 1288	4520	kina3305.exe	cor9535.exe
PID 4520 wrote to memory of 1288	4520	kina3305.exe	cor9535.exe
PID 2404 wrote to memory of 4252	2404	kina7425.exe	dKW93s85.exe
PID 2404 wrote to memory of 4252	2404	kina7425.exe	dKW93s85.exe
PID 2404 wrote to memory of 4252	2404	kina7425.exe	dKW93s85.exe
PID 2656 wrote to memory of 2224	2656	kina8564.exe	en082795.exe
PID 2656 wrote to memory of 2224	2656	kina8564.exe	en082795.exe
PID 2656 wrote to memory of 2224	2656	kina8564.exe	en082795.exe
PID 1600 wrote to memory of 1744	1600	eda79afb5d162cda849d6b683b530aa45158cefb502adc56064993d3110289ac.exe	ge044815.exe
PID 1600 wrote to memory of 1744	1600	eda79afb5d162cda849d6b683b530aa45158cefb502adc56064993d3110289ac.exe	ge044815.exe
PID 1600 wrote to memory of 1744	1600	eda79afb5d162cda849d6b683b530aa45158cefb502adc56064993d3110289ac.exe	ge044815.exe
PID 1744 wrote to memory of 3124	1744	ge044815.exe	metafor.exe
PID 1744 wrote to memory of 3124	1744	ge044815.exe	metafor.exe
PID 1744 wrote to memory of 3124	1744	ge044815.exe	metafor.exe
PID 3124 wrote to memory of 1888	3124	metafor.exe	schtasks.exe
PID 3124 wrote to memory of 1888	3124	metafor.exe	schtasks.exe
PID 3124 wrote to memory of 1888	3124	metafor.exe	schtasks.exe
PID 3124 wrote to memory of 4136	3124	metafor.exe	cmd.exe
PID 3124 wrote to memory of 4136	3124	metafor.exe	cmd.exe
PID 3124 wrote to memory of 4136	3124	metafor.exe	cmd.exe
PID 4136 wrote to memory of 3408	4136	cmd.exe	cmd.exe
PID 4136 wrote to memory of 3408	4136	cmd.exe	cmd.exe
PID 4136 wrote to memory of 3408	4136	cmd.exe	cmd.exe
PID 4136 wrote to memory of 3656	4136	cmd.exe	cacls.exe
PID 4136 wrote to memory of 3656	4136	cmd.exe	cacls.exe
PID 4136 wrote to memory of 3656	4136	cmd.exe	cacls.exe
PID 4136 wrote to memory of 2720	4136	cmd.exe	cacls.exe
PID 4136 wrote to memory of 2720	4136	cmd.exe	cacls.exe
PID 4136 wrote to memory of 2720	4136	cmd.exe	cacls.exe
PID 4136 wrote to memory of 2896	4136	cmd.exe	cmd.exe
PID 4136 wrote to memory of 2896	4136	cmd.exe	cmd.exe
PID 4136 wrote to memory of 2896	4136	cmd.exe	cmd.exe
PID 4136 wrote to memory of 408	4136	cmd.exe	cacls.exe
PID 4136 wrote to memory of 408	4136	cmd.exe	cacls.exe
PID 4136 wrote to memory of 408	4136	cmd.exe	cacls.exe
PID 4136 wrote to memory of 4020	4136	cmd.exe	cacls.exe
PID 4136 wrote to memory of 4020	4136	cmd.exe	cacls.exe
PID 4136 wrote to memory of 4020	4136	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\eda79afb5d162cda849d6b683b530aa45158cefb502adc56064993d3110289ac.exe
"C:\Users\Admin\AppData\Local\Temp\eda79afb5d162cda849d6b683b530aa45158cefb502adc56064993d3110289ac.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina8564.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina8564.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina7425.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina7425.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina3305.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina3305.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4520
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu905991.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu905991.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9535.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9535.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 1084
        6⤵
        Program crash
        
        PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dKW93s85.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dKW93s85.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4252
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1340
        5⤵
        Program crash
        
        PID:4924
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en082795.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en082795.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge044815.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge044815.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1888
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4136
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3408
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:N"
        5⤵
        
        PID:3656
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:R" /E
        5⤵
        
        PID:2720
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:N"
        5⤵
        
        PID:408
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2896
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:R" /E
        5⤵
        
        PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1288 -ip 1288
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4252 -ip 4252
1⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:1280

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:2356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
361f3c0f5a1f5825e6f7e92a4c2c030b

SHA1
6fc8c1cc276b9ba947b1369431c3327b4315cb56

SHA256
0457b8e1e73402d898c1dfee08ed6ce33977077383dba6ab0514a55158d4cd13

SHA512
8fa815df1d59e602ded1f3616d105db599acbfcc084ea23ad83a958f926573380f178e18afb224b46ba2b9a3cf036d6eeb3cefab0956d64c60b2847f4b435024

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
361f3c0f5a1f5825e6f7e92a4c2c030b

SHA1
6fc8c1cc276b9ba947b1369431c3327b4315cb56

SHA256
0457b8e1e73402d898c1dfee08ed6ce33977077383dba6ab0514a55158d4cd13

SHA512
8fa815df1d59e602ded1f3616d105db599acbfcc084ea23ad83a958f926573380f178e18afb224b46ba2b9a3cf036d6eeb3cefab0956d64c60b2847f4b435024

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
361f3c0f5a1f5825e6f7e92a4c2c030b

SHA1
6fc8c1cc276b9ba947b1369431c3327b4315cb56

SHA256
0457b8e1e73402d898c1dfee08ed6ce33977077383dba6ab0514a55158d4cd13

SHA512
8fa815df1d59e602ded1f3616d105db599acbfcc084ea23ad83a958f926573380f178e18afb224b46ba2b9a3cf036d6eeb3cefab0956d64c60b2847f4b435024

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
361f3c0f5a1f5825e6f7e92a4c2c030b

SHA1
6fc8c1cc276b9ba947b1369431c3327b4315cb56

SHA256
0457b8e1e73402d898c1dfee08ed6ce33977077383dba6ab0514a55158d4cd13

SHA512
8fa815df1d59e602ded1f3616d105db599acbfcc084ea23ad83a958f926573380f178e18afb224b46ba2b9a3cf036d6eeb3cefab0956d64c60b2847f4b435024

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
361f3c0f5a1f5825e6f7e92a4c2c030b

SHA1
6fc8c1cc276b9ba947b1369431c3327b4315cb56

SHA256
0457b8e1e73402d898c1dfee08ed6ce33977077383dba6ab0514a55158d4cd13

SHA512
8fa815df1d59e602ded1f3616d105db599acbfcc084ea23ad83a958f926573380f178e18afb224b46ba2b9a3cf036d6eeb3cefab0956d64c60b2847f4b435024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge044815.exe

Filesize
226KB

MD5
361f3c0f5a1f5825e6f7e92a4c2c030b

SHA1
6fc8c1cc276b9ba947b1369431c3327b4315cb56

SHA256
0457b8e1e73402d898c1dfee08ed6ce33977077383dba6ab0514a55158d4cd13

SHA512
8fa815df1d59e602ded1f3616d105db599acbfcc084ea23ad83a958f926573380f178e18afb224b46ba2b9a3cf036d6eeb3cefab0956d64c60b2847f4b435024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge044815.exe

Filesize
226KB

MD5
361f3c0f5a1f5825e6f7e92a4c2c030b

SHA1
6fc8c1cc276b9ba947b1369431c3327b4315cb56

SHA256
0457b8e1e73402d898c1dfee08ed6ce33977077383dba6ab0514a55158d4cd13

SHA512
8fa815df1d59e602ded1f3616d105db599acbfcc084ea23ad83a958f926573380f178e18afb224b46ba2b9a3cf036d6eeb3cefab0956d64c60b2847f4b435024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina8564.exe

Filesize
856KB

MD5
89693b989fe4ba6ecaf254195d0728fa

SHA1
feefed5f97bb5fe74729223efd75aa5d20417f23

SHA256
076a17e992d25a6dc6b4dc51fb730159f090d00e98aa464f2e1962b1952a19ba

SHA512
d14e66fab5e7dea301d64fe6a3aded90e2b9cd7db07382b8d8588ad67e505259e30ae756d3ba57ff79953dcde3e0b13216eecc47f0934fb15ce0b421f19cc6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina8564.exe

Filesize
856KB

MD5
89693b989fe4ba6ecaf254195d0728fa

SHA1
feefed5f97bb5fe74729223efd75aa5d20417f23

SHA256
076a17e992d25a6dc6b4dc51fb730159f090d00e98aa464f2e1962b1952a19ba

SHA512
d14e66fab5e7dea301d64fe6a3aded90e2b9cd7db07382b8d8588ad67e505259e30ae756d3ba57ff79953dcde3e0b13216eecc47f0934fb15ce0b421f19cc6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en082795.exe

Filesize
175KB

MD5
69372dbe05c4248d2e8e3d66b8a56298

SHA1
94f907649aa0fe7f9c06347b9c7737e5c2ccd135

SHA256
a495511f0a87529d65c9dcb1431d97c7f672a695a45a96c9b3bfad96b4752830

SHA512
b7e36f7005e035b0170b1fec93bf4b501122e457cda649bb13053c97d45525a28c7a2b5a96996288e65b3f6fa30a428e31342e7f73cf4c313e6947e04773c3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en082795.exe

Filesize
175KB

MD5
69372dbe05c4248d2e8e3d66b8a56298

SHA1
94f907649aa0fe7f9c06347b9c7737e5c2ccd135

SHA256
a495511f0a87529d65c9dcb1431d97c7f672a695a45a96c9b3bfad96b4752830

SHA512
b7e36f7005e035b0170b1fec93bf4b501122e457cda649bb13053c97d45525a28c7a2b5a96996288e65b3f6fa30a428e31342e7f73cf4c313e6947e04773c3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina7425.exe

Filesize
714KB

MD5
7e5eee7d83cf24bcb91918e881a8c0de

SHA1
c7345719391a23a6a75dc314964b36931172477a

SHA256
6a80f0ba3c58d648447f192227743dec23b73d9c5267de1b1443ab5dbb7d79c4

SHA512
59d46716f9fb9ad2483932402bfb1a94f4dd16782da0a8f1bfc80357a1ab5d60c632862f359b0ee418972dd6f766ccca6aad98b473142f882b266bc361ff24d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina7425.exe

Filesize
714KB

MD5
7e5eee7d83cf24bcb91918e881a8c0de

SHA1
c7345719391a23a6a75dc314964b36931172477a

SHA256
6a80f0ba3c58d648447f192227743dec23b73d9c5267de1b1443ab5dbb7d79c4

SHA512
59d46716f9fb9ad2483932402bfb1a94f4dd16782da0a8f1bfc80357a1ab5d60c632862f359b0ee418972dd6f766ccca6aad98b473142f882b266bc361ff24d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dKW93s85.exe

Filesize
384KB

MD5
e9f41525502c8d794ee4dfe3f443b8d1

SHA1
444c15a3fbc61579dfd65b01cb3218835e8caa1a

SHA256
5d1ad40b10af91b9e69121059d9cd4dc6cbb8bd4d7987adf44299d8c0db53c68

SHA512
eafed8cbd9dc3331c9c9174da8385d9e1aec250b10ed22ae6e890e2de5204e7559e6e4a7b9f158f4776e5b8ead6950c8a483bcedb5f3daef8ef19b2302db66cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dKW93s85.exe

Filesize
384KB

MD5
e9f41525502c8d794ee4dfe3f443b8d1

SHA1
444c15a3fbc61579dfd65b01cb3218835e8caa1a

SHA256
5d1ad40b10af91b9e69121059d9cd4dc6cbb8bd4d7987adf44299d8c0db53c68

SHA512
eafed8cbd9dc3331c9c9174da8385d9e1aec250b10ed22ae6e890e2de5204e7559e6e4a7b9f158f4776e5b8ead6950c8a483bcedb5f3daef8ef19b2302db66cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina3305.exe

Filesize
352KB

MD5
f147cbc11b4cfd0e07411e974977ca38

SHA1
617827f49a591116354287e9807ab15a927de9e1

SHA256
e20c34969615177c44ebf5444044117f18d475b4e7385d6ffc91b96908e027d1

SHA512
d3777ac0820ffea52a3acac742f2fac3519f45880bfbfad0b873ebb4739217d976043efc4752e9e66fa19a13b14758f8aa63d2b90168b5ae1e2e8cbc848ec3ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina3305.exe

Filesize
352KB

MD5
f147cbc11b4cfd0e07411e974977ca38

SHA1
617827f49a591116354287e9807ab15a927de9e1

SHA256
e20c34969615177c44ebf5444044117f18d475b4e7385d6ffc91b96908e027d1

SHA512
d3777ac0820ffea52a3acac742f2fac3519f45880bfbfad0b873ebb4739217d976043efc4752e9e66fa19a13b14758f8aa63d2b90168b5ae1e2e8cbc848ec3ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu905991.exe

Filesize
11KB

MD5
4a1d105aeb13dfd1d708aca14eaa6a27

SHA1
5cf7fbb733122a2dc5703aec669d8984e4b39037

SHA256
9401af04463ec437a18cab091e4611ca085448c882f002f01d96c41c9e807512

SHA512
cd48b32b6802fc5d985f25b21ce07a65ff3f4dfe07a618a8c39f249801de3b62c5d5d80b60e50a2ac26031ea877155836fb70d122a2bd4a6d2b08e67fa2592f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu905991.exe

Filesize
11KB

MD5
4a1d105aeb13dfd1d708aca14eaa6a27

SHA1
5cf7fbb733122a2dc5703aec669d8984e4b39037

SHA256
9401af04463ec437a18cab091e4611ca085448c882f002f01d96c41c9e807512

SHA512
cd48b32b6802fc5d985f25b21ce07a65ff3f4dfe07a618a8c39f249801de3b62c5d5d80b60e50a2ac26031ea877155836fb70d122a2bd4a6d2b08e67fa2592f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9535.exe

Filesize
326KB

MD5
87ee68ea98bb7147a415199032bbbb0c

SHA1
5a9438f2d86bc90634673eadf5956f8a2012dca3

SHA256
0a7594fd7a348cbf4cc21306e16d15ae21558aeb50e8f04ed13c118a27a90ab4

SHA512
f07ba80ab80209033c57ae12d26bef773eb20f9e3aa755fd6ec6c009fee23ae23d39bf9feee9d3b4e090ebd9484c3184678e5dcbb72ef8b38071462d3266898d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9535.exe

Filesize
326KB

MD5
87ee68ea98bb7147a415199032bbbb0c

SHA1
5a9438f2d86bc90634673eadf5956f8a2012dca3

SHA256
0a7594fd7a348cbf4cc21306e16d15ae21558aeb50e8f04ed13c118a27a90ab4

SHA512
f07ba80ab80209033c57ae12d26bef773eb20f9e3aa755fd6ec6c009fee23ae23d39bf9feee9d3b4e090ebd9484c3184678e5dcbb72ef8b38071462d3266898d

Download Submit
memory/1288-180-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1288-201-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/1288-182-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1288-184-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1288-186-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1288-188-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1288-190-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1288-192-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1288-194-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1288-196-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1288-198-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1288-199-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/1288-200-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/1288-178-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1288-203-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/1288-167-0x0000000007200000-0x00000000077A4000-memory.dmp

Filesize
5.6MB

Download
memory/1288-176-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1288-174-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1288-172-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1288-171-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1288-170-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/1288-169-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/1288-168-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/2224-1140-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/2224-1139-0x00000000009C0000-0x00000000009F2000-memory.dmp

Filesize
200KB

Download
memory/2720-161-0x0000000000010000-0x000000000001A000-memory.dmp

Filesize
40KB

Download
memory/4252-218-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4252-225-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4252-227-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4252-229-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4252-231-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4252-233-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4252-235-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4252-237-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4252-239-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4252-241-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4252-243-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4252-245-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4252-1118-0x00000000078F0000-0x0000000007F08000-memory.dmp

Filesize
6.1MB

Download
memory/4252-1119-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/4252-1120-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4252-1121-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/4252-1122-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/4252-1124-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/4252-1125-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/4252-1126-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4252-1127-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4252-1128-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4252-1129-0x0000000008DC0000-0x0000000008F82000-memory.dmp

Filesize
1.8MB

Download
memory/4252-1130-0x0000000008FA0000-0x00000000094CC000-memory.dmp

Filesize
5.2MB

Download
memory/4252-1131-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4252-1132-0x000000000A780000-0x000000000A7F6000-memory.dmp

Filesize
472KB

Download
memory/4252-223-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4252-221-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4252-214-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4252-219-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4252-217-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4252-215-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4252-213-0x0000000002B90000-0x0000000002BDB000-memory.dmp

Filesize
300KB

Download
memory/4252-211-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4252-209-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4252-208-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/4252-1133-0x0000000004730000-0x0000000004780000-memory.dmp

Filesize
320KB

Download