amadey | 2eb363f20bd741ddf8b51f5200295eeb5dd346c5e313d3c06ed74c3291389e32

Analysis

max time kernel
130s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2eb363f20bd741ddf8b51f5200295eeb5dd346c5e313d3c06ed74c3291389e32.exe
Size

1003KB
MD5

ad32fe68b206d2c03cedb3108da487c4
SHA1

0053544e6299bdff5ed2ab5446bcf04443c15b3e
SHA256

2eb363f20bd741ddf8b51f5200295eeb5dd346c5e313d3c06ed74c3291389e32
SHA512

2e68ce76af408fc719ff46b8f2026049b2538750f49ccc32f65b95189af618c3587ecb5343d818f9528097e9921f3e6decbdd872371d970dc5ebda14bde14e95
SSDEEP

24576:RydK1MPwK3/Cn/32f4dNacRv4FQGsbRNZmJZuxEagojW4V6q:EAS4ICn/32gnaCObst3mKAIT

Score

10^/10

amadey redline renta rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

renta

176.113.115.145:4125

Attributes

auth_value
359596fd5b36e9925ade4d9a1846bafb

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bu670653.execor8129.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bu670653.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bu670653.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bu670653.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor8129.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor8129.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bu670653.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bu670653.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor8129.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor8129.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor8129.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor8129.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bu670653.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2776-210-0x0000000005F10000-0x0000000005F4F000-memory.dmp	family_redline
behavioral1/memory/2776-212-0x0000000005F10000-0x0000000005F4F000-memory.dmp	family_redline
behavioral1/memory/2776-209-0x0000000005F10000-0x0000000005F4F000-memory.dmp	family_redline
behavioral1/memory/2776-214-0x0000000005F10000-0x0000000005F4F000-memory.dmp	family_redline
behavioral1/memory/2776-216-0x0000000005F10000-0x0000000005F4F000-memory.dmp	family_redline
behavioral1/memory/2776-218-0x0000000005F10000-0x0000000005F4F000-memory.dmp	family_redline
behavioral1/memory/2776-220-0x0000000005F10000-0x0000000005F4F000-memory.dmp	family_redline
behavioral1/memory/2776-222-0x0000000005F10000-0x0000000005F4F000-memory.dmp	family_redline
behavioral1/memory/2776-226-0x0000000005F10000-0x0000000005F4F000-memory.dmp	family_redline
behavioral1/memory/2776-229-0x0000000005F60000-0x0000000005F70000-memory.dmp	family_redline
behavioral1/memory/2776-230-0x0000000005F10000-0x0000000005F4F000-memory.dmp	family_redline
behavioral1/memory/2776-232-0x0000000005F10000-0x0000000005F4F000-memory.dmp	family_redline
behavioral1/memory/2776-234-0x0000000005F10000-0x0000000005F4F000-memory.dmp	family_redline
behavioral1/memory/2776-236-0x0000000005F10000-0x0000000005F4F000-memory.dmp	family_redline
behavioral1/memory/2776-238-0x0000000005F10000-0x0000000005F4F000-memory.dmp	family_redline
behavioral1/memory/2776-240-0x0000000005F10000-0x0000000005F4F000-memory.dmp	family_redline
behavioral1/memory/2776-242-0x0000000005F10000-0x0000000005F4F000-memory.dmp	family_redline
behavioral1/memory/2776-244-0x0000000005F10000-0x0000000005F4F000-memory.dmp	family_redline
behavioral1/memory/2776-246-0x0000000005F10000-0x0000000005F4F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge554768.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	ge554768.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 10 IoCs

Processes:

kina7076.exekina1069.exekina5740.exebu670653.execor8129.exedWT39s95.exeen632724.exege554768.exemetafor.exemetafor.exe

pid	process
1408	kina7076.exe
1936	kina1069.exe
3380	kina5740.exe
2616	bu670653.exe
3160	cor8129.exe
2776	dWT39s95.exe
2080	en632724.exe
1088	ge554768.exe
2716	metafor.exe
1320	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cor8129.exebu670653.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor8129.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bu670653.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor8129.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kina5740.exe2eb363f20bd741ddf8b51f5200295eeb5dd346c5e313d3c06ed74c3291389e32.exekina7076.exekina1069.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina5740.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2eb363f20bd741ddf8b51f5200295eeb5dd346c5e313d3c06ed74c3291389e32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2eb363f20bd741ddf8b51f5200295eeb5dd346c5e313d3c06ed74c3291389e32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina7076.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina7076.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina1069.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina1069.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina5740.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1916 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2972 3160 WerFault.exe cor8129.exe
4588 2776 WerFault.exe dWT39s95.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4264 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bu670653.execor8129.exedWT39s95.exeen632724.exe

pid process

2616 bu670653.exe
2616 bu670653.exe
3160 cor8129.exe
3160 cor8129.exe
2776 dWT39s95.exe
2776 dWT39s95.exe
2080 en632724.exe
2080 en632724.exe

pid	process
1916	sc.exe

pid	pid_target	process	target process
2972	3160	WerFault.exe	cor8129.exe
4588	2776	WerFault.exe	dWT39s95.exe

pid	process
4264	schtasks.exe

pid	process
2616	bu670653.exe
2616	bu670653.exe
3160	cor8129.exe
3160	cor8129.exe
2776	dWT39s95.exe
2776	dWT39s95.exe
2080	en632724.exe
2080	en632724.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bu670653.execor8129.exedWT39s95.exeen632724.exe

description	pid	process
Token: SeDebugPrivilege	2616	bu670653.exe
Token: SeDebugPrivilege	3160	cor8129.exe
Token: SeDebugPrivilege	2776	dWT39s95.exe
Token: SeDebugPrivilege	2080	en632724.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

2eb363f20bd741ddf8b51f5200295eeb5dd346c5e313d3c06ed74c3291389e32.exekina7076.exekina1069.exekina5740.exege554768.exemetafor.execmd.exe

description	pid	process	target process
PID 4996 wrote to memory of 1408	4996	2eb363f20bd741ddf8b51f5200295eeb5dd346c5e313d3c06ed74c3291389e32.exe	kina7076.exe
PID 4996 wrote to memory of 1408	4996	2eb363f20bd741ddf8b51f5200295eeb5dd346c5e313d3c06ed74c3291389e32.exe	kina7076.exe
PID 4996 wrote to memory of 1408	4996	2eb363f20bd741ddf8b51f5200295eeb5dd346c5e313d3c06ed74c3291389e32.exe	kina7076.exe
PID 1408 wrote to memory of 1936	1408	kina7076.exe	kina1069.exe
PID 1408 wrote to memory of 1936	1408	kina7076.exe	kina1069.exe
PID 1408 wrote to memory of 1936	1408	kina7076.exe	kina1069.exe
PID 1936 wrote to memory of 3380	1936	kina1069.exe	kina5740.exe
PID 1936 wrote to memory of 3380	1936	kina1069.exe	kina5740.exe
PID 1936 wrote to memory of 3380	1936	kina1069.exe	kina5740.exe
PID 3380 wrote to memory of 2616	3380	kina5740.exe	bu670653.exe
PID 3380 wrote to memory of 2616	3380	kina5740.exe	bu670653.exe
PID 3380 wrote to memory of 3160	3380	kina5740.exe	cor8129.exe
PID 3380 wrote to memory of 3160	3380	kina5740.exe	cor8129.exe
PID 3380 wrote to memory of 3160	3380	kina5740.exe	cor8129.exe
PID 1936 wrote to memory of 2776	1936	kina1069.exe	dWT39s95.exe
PID 1936 wrote to memory of 2776	1936	kina1069.exe	dWT39s95.exe
PID 1936 wrote to memory of 2776	1936	kina1069.exe	dWT39s95.exe
PID 1408 wrote to memory of 2080	1408	kina7076.exe	en632724.exe
PID 1408 wrote to memory of 2080	1408	kina7076.exe	en632724.exe
PID 1408 wrote to memory of 2080	1408	kina7076.exe	en632724.exe
PID 4996 wrote to memory of 1088	4996	2eb363f20bd741ddf8b51f5200295eeb5dd346c5e313d3c06ed74c3291389e32.exe	ge554768.exe
PID 4996 wrote to memory of 1088	4996	2eb363f20bd741ddf8b51f5200295eeb5dd346c5e313d3c06ed74c3291389e32.exe	ge554768.exe
PID 4996 wrote to memory of 1088	4996	2eb363f20bd741ddf8b51f5200295eeb5dd346c5e313d3c06ed74c3291389e32.exe	ge554768.exe
PID 1088 wrote to memory of 2716	1088	ge554768.exe	metafor.exe
PID 1088 wrote to memory of 2716	1088	ge554768.exe	metafor.exe
PID 1088 wrote to memory of 2716	1088	ge554768.exe	metafor.exe
PID 2716 wrote to memory of 4264	2716	metafor.exe	schtasks.exe
PID 2716 wrote to memory of 4264	2716	metafor.exe	schtasks.exe
PID 2716 wrote to memory of 4264	2716	metafor.exe	schtasks.exe
PID 2716 wrote to memory of 328	2716	metafor.exe	cmd.exe
PID 2716 wrote to memory of 328	2716	metafor.exe	cmd.exe
PID 2716 wrote to memory of 328	2716	metafor.exe	cmd.exe
PID 328 wrote to memory of 3784	328	cmd.exe	cmd.exe
PID 328 wrote to memory of 3784	328	cmd.exe	cmd.exe
PID 328 wrote to memory of 3784	328	cmd.exe	cmd.exe
PID 328 wrote to memory of 4748	328	cmd.exe	cacls.exe
PID 328 wrote to memory of 4748	328	cmd.exe	cacls.exe
PID 328 wrote to memory of 4748	328	cmd.exe	cacls.exe
PID 328 wrote to memory of 4624	328	cmd.exe	cacls.exe
PID 328 wrote to memory of 4624	328	cmd.exe	cacls.exe
PID 328 wrote to memory of 4624	328	cmd.exe	cacls.exe
PID 328 wrote to memory of 2124	328	cmd.exe	cmd.exe
PID 328 wrote to memory of 2124	328	cmd.exe	cmd.exe
PID 328 wrote to memory of 2124	328	cmd.exe	cmd.exe
PID 328 wrote to memory of 4656	328	cmd.exe	cacls.exe
PID 328 wrote to memory of 4656	328	cmd.exe	cacls.exe
PID 328 wrote to memory of 4656	328	cmd.exe	cacls.exe
PID 328 wrote to memory of 3848	328	cmd.exe	cacls.exe
PID 328 wrote to memory of 3848	328	cmd.exe	cacls.exe
PID 328 wrote to memory of 3848	328	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\2eb363f20bd741ddf8b51f5200295eeb5dd346c5e313d3c06ed74c3291389e32.exe
"C:\Users\Admin\AppData\Local\Temp\2eb363f20bd741ddf8b51f5200295eeb5dd346c5e313d3c06ed74c3291389e32.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4996

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7076.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7076.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina1069.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina1069.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5740.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5740.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3380

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu670653.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu670653.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8129.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8129.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1080
6⤵
- Program crash
PID:2972

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWT39s95.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWT39s95.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 1328
5⤵
- Program crash
PID:4588

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en632724.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en632724.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge554768.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge554768.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:4264

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3784

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:4748

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2124

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:4656

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 3160 -ip 3160
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2776 -ip 2776
1⤵
PID:380

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:1320

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:1916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
8e8462f65e70a9838bb8ee5bfd071433

SHA1
f5088312d865c794b4ed90717af520e79c4a7459

SHA256
05e32835bb92ff761154229cecf7287003177b7b0ee509e334baa60497eb3d9a

SHA512
389af4d4903804eb174e20743451334dec4666fd6fee2005d50917f3ab09b88f138de603a3cdfcb074de3f6b4ecc1761410b65c1883f9f850670c96dfefd3790

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
8e8462f65e70a9838bb8ee5bfd071433

SHA1
f5088312d865c794b4ed90717af520e79c4a7459

SHA256
05e32835bb92ff761154229cecf7287003177b7b0ee509e334baa60497eb3d9a

SHA512
389af4d4903804eb174e20743451334dec4666fd6fee2005d50917f3ab09b88f138de603a3cdfcb074de3f6b4ecc1761410b65c1883f9f850670c96dfefd3790

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
8e8462f65e70a9838bb8ee5bfd071433

SHA1
f5088312d865c794b4ed90717af520e79c4a7459

SHA256
05e32835bb92ff761154229cecf7287003177b7b0ee509e334baa60497eb3d9a

SHA512
389af4d4903804eb174e20743451334dec4666fd6fee2005d50917f3ab09b88f138de603a3cdfcb074de3f6b4ecc1761410b65c1883f9f850670c96dfefd3790

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
8e8462f65e70a9838bb8ee5bfd071433

SHA1
f5088312d865c794b4ed90717af520e79c4a7459

SHA256
05e32835bb92ff761154229cecf7287003177b7b0ee509e334baa60497eb3d9a

SHA512
389af4d4903804eb174e20743451334dec4666fd6fee2005d50917f3ab09b88f138de603a3cdfcb074de3f6b4ecc1761410b65c1883f9f850670c96dfefd3790

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge554768.exe
Filesize
227KB

MD5
8e8462f65e70a9838bb8ee5bfd071433

SHA1
f5088312d865c794b4ed90717af520e79c4a7459

SHA256
05e32835bb92ff761154229cecf7287003177b7b0ee509e334baa60497eb3d9a

SHA512
389af4d4903804eb174e20743451334dec4666fd6fee2005d50917f3ab09b88f138de603a3cdfcb074de3f6b4ecc1761410b65c1883f9f850670c96dfefd3790

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge554768.exe
Filesize
227KB

MD5
8e8462f65e70a9838bb8ee5bfd071433

SHA1
f5088312d865c794b4ed90717af520e79c4a7459

SHA256
05e32835bb92ff761154229cecf7287003177b7b0ee509e334baa60497eb3d9a

SHA512
389af4d4903804eb174e20743451334dec4666fd6fee2005d50917f3ab09b88f138de603a3cdfcb074de3f6b4ecc1761410b65c1883f9f850670c96dfefd3790

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7076.exe
Filesize
822KB

MD5
9516b93a10f64cb9a148d5bdfad74584

SHA1
f89a29d7e9a6e31a4d78dd3020cba32d280f45be

SHA256
9402336997438b18175d220676283e1a9eb4eda7c1b4af5485ee237042f2d1c1

SHA512
034ed20ea2384b9cdf50581c4a3bdb79b7cf86c547d12b06a9e930bbfd8c1913756939f9606f84ca1493aaf82676344740a07aa0f65126c038f3fe4ff7a4d3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7076.exe
Filesize
822KB

MD5
9516b93a10f64cb9a148d5bdfad74584

SHA1
f89a29d7e9a6e31a4d78dd3020cba32d280f45be

SHA256
9402336997438b18175d220676283e1a9eb4eda7c1b4af5485ee237042f2d1c1

SHA512
034ed20ea2384b9cdf50581c4a3bdb79b7cf86c547d12b06a9e930bbfd8c1913756939f9606f84ca1493aaf82676344740a07aa0f65126c038f3fe4ff7a4d3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en632724.exe
Filesize
175KB

MD5
74a34abf6bf43d4b4a946479e9211969

SHA1
e85b8dabe9af7ce4764911a6c6b2693a40831e29

SHA256
15961aa6c366fb0767bdaee90c668115e16b1f7427ac46fa9836d84584f66dbe

SHA512
1a8df837ccc36187ce92188336668a37786a213f0f772ff8be095ffc3f9bea7d8cce27992d9c9d89af68647ecd5446670f9d551260dea389502b89cec5e9d846

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en632724.exe
Filesize
175KB

MD5
74a34abf6bf43d4b4a946479e9211969

SHA1
e85b8dabe9af7ce4764911a6c6b2693a40831e29

SHA256
15961aa6c366fb0767bdaee90c668115e16b1f7427ac46fa9836d84584f66dbe

SHA512
1a8df837ccc36187ce92188336668a37786a213f0f772ff8be095ffc3f9bea7d8cce27992d9c9d89af68647ecd5446670f9d551260dea389502b89cec5e9d846

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina1069.exe
Filesize
680KB

MD5
5746b8a7def41972566a298e6576a518

SHA1
f950d7bdd798fa3813a2c4a577aa88a778d3fb44

SHA256
0123c6743776ffef2c2c931adaef4f6a0b0c71aa36295dfe3ac7d8fe6e07e4c0

SHA512
0ec0fa7159e1efb867a6334b606f723c8299991c75b2865f87ade074840ad2a59dd0422b0645b431b35536256e48a666c0b5bebea8a1b512a1cfd779af0a6445

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina1069.exe
Filesize
680KB

MD5
5746b8a7def41972566a298e6576a518

SHA1
f950d7bdd798fa3813a2c4a577aa88a778d3fb44

SHA256
0123c6743776ffef2c2c931adaef4f6a0b0c71aa36295dfe3ac7d8fe6e07e4c0

SHA512
0ec0fa7159e1efb867a6334b606f723c8299991c75b2865f87ade074840ad2a59dd0422b0645b431b35536256e48a666c0b5bebea8a1b512a1cfd779af0a6445

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWT39s95.exe
Filesize
345KB

MD5
5fbcb8fa52e1fe3c46009a07245b17d3

SHA1
ad741b88ec94de2839c06e22115c976811a34c88

SHA256
abe42eaa52d7001c256ac5dea32d7205a4cf0862aa871257c04503e6ad5eea77

SHA512
f42b5c7c37528d51bbd944bda798dbb0752478f8a2a960da2bed3a36bf028e393b901dce3eef3e82bc3d337ec3cf80dfea4bd88f2727877dfdc05385fb6dd833

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWT39s95.exe
Filesize
345KB

MD5
5fbcb8fa52e1fe3c46009a07245b17d3

SHA1
ad741b88ec94de2839c06e22115c976811a34c88

SHA256
abe42eaa52d7001c256ac5dea32d7205a4cf0862aa871257c04503e6ad5eea77

SHA512
f42b5c7c37528d51bbd944bda798dbb0752478f8a2a960da2bed3a36bf028e393b901dce3eef3e82bc3d337ec3cf80dfea4bd88f2727877dfdc05385fb6dd833

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5740.exe
Filesize
344KB

MD5
6e02ae52a3314e556203818b066cdf71

SHA1
27cc260aee3ffa6617e46b8c3292a7c3fe9a8bd4

SHA256
08a5b5461aaafd3f86c1d2943e99e7a16a3bec840857372537321d09de6d6c98

SHA512
5085c8410e55a527cb8f746a20cfec7e682e264b989b25b33e8d7f0ac821de784a9c7a8de43606f89eaf85188397474c911773909c8874a161dc1cc67c5cb7a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5740.exe
Filesize
344KB

MD5
6e02ae52a3314e556203818b066cdf71

SHA1
27cc260aee3ffa6617e46b8c3292a7c3fe9a8bd4

SHA256
08a5b5461aaafd3f86c1d2943e99e7a16a3bec840857372537321d09de6d6c98

SHA512
5085c8410e55a527cb8f746a20cfec7e682e264b989b25b33e8d7f0ac821de784a9c7a8de43606f89eaf85188397474c911773909c8874a161dc1cc67c5cb7a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu670653.exe
Filesize
11KB

MD5
299231cb5aa7387acba039725b52f6af

SHA1
4d66492072929aa56df495a928f98ce8225e0901

SHA256
300f44a09d74ac717bf5a12e59262a048638dabdf99c86c1c9908bdfa6e4c60b

SHA512
71957e882d6f5459c24435341bd5e0247572419bb2c654d0e8fa08a0dfffa4706fd20089c1930ba6d5bf9b903679db443fb40ffc01a2562636d441fb6a3dff84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu670653.exe
Filesize
11KB

MD5
299231cb5aa7387acba039725b52f6af

SHA1
4d66492072929aa56df495a928f98ce8225e0901

SHA256
300f44a09d74ac717bf5a12e59262a048638dabdf99c86c1c9908bdfa6e4c60b

SHA512
71957e882d6f5459c24435341bd5e0247572419bb2c654d0e8fa08a0dfffa4706fd20089c1930ba6d5bf9b903679db443fb40ffc01a2562636d441fb6a3dff84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8129.exe
Filesize
291KB

MD5
cc08c74db646678918a1725d718bd2ba

SHA1
d19bad71d47a583f2d6734e95719c90f71028332

SHA256
545722984a5b16c755e72b5346ca36c479fbe96102c1498c29347de962bdf85b

SHA512
bfb0b1368aca5d663c49b0a8660eb736e5a0adf61d1a5750c83a1a43782aec759e48b7fa9612382382a38f938f120eb868e5ec9d3213cfd993f110c34d570356

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8129.exe
Filesize
291KB

MD5
cc08c74db646678918a1725d718bd2ba

SHA1
d19bad71d47a583f2d6734e95719c90f71028332

SHA256
545722984a5b16c755e72b5346ca36c479fbe96102c1498c29347de962bdf85b

SHA512
bfb0b1368aca5d663c49b0a8660eb736e5a0adf61d1a5750c83a1a43782aec759e48b7fa9612382382a38f938f120eb868e5ec9d3213cfd993f110c34d570356

Download Submit
memory/2080-1140-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/2080-1139-0x00000000003C0000-0x00000000003F2000-memory.dmp

Filesize
200KB

Download
memory/2616-161-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download
memory/2776-1120-0x0000000006E10000-0x0000000006F1A000-memory.dmp

Filesize
1.0MB

Download
memory/2776-234-0x0000000005F10000-0x0000000005F4F000-memory.dmp

Filesize
252KB

Download
memory/2776-1133-0x0000000005F60000-0x0000000005F70000-memory.dmp

Filesize
64KB

Download
memory/2776-1132-0x0000000008540000-0x0000000008590000-memory.dmp

Filesize
320KB

Download
memory/2776-1131-0x00000000084C0000-0x0000000008536000-memory.dmp

Filesize
472KB

Download
memory/2776-1130-0x0000000005F60000-0x0000000005F70000-memory.dmp

Filesize
64KB

Download
memory/2776-1129-0x0000000005F60000-0x0000000005F70000-memory.dmp

Filesize
64KB

Download
memory/2776-1127-0x0000000007C00000-0x000000000812C000-memory.dmp

Filesize
5.2MB

Download
memory/2776-1126-0x0000000007A20000-0x0000000007BE2000-memory.dmp

Filesize
1.8MB

Download
memory/2776-1125-0x0000000007910000-0x00000000079A2000-memory.dmp

Filesize
584KB

Download
memory/2776-1124-0x0000000007260000-0x00000000072C6000-memory.dmp

Filesize
408KB

Download
memory/2776-1123-0x0000000005F60000-0x0000000005F70000-memory.dmp

Filesize
64KB

Download
memory/2776-1122-0x0000000006F70000-0x0000000006FAC000-memory.dmp

Filesize
240KB

Download
memory/2776-1121-0x0000000006F50000-0x0000000006F62000-memory.dmp

Filesize
72KB

Download
memory/2776-210-0x0000000005F10000-0x0000000005F4F000-memory.dmp

Filesize
252KB

Download
memory/2776-212-0x0000000005F10000-0x0000000005F4F000-memory.dmp

Filesize
252KB

Download
memory/2776-209-0x0000000005F10000-0x0000000005F4F000-memory.dmp

Filesize
252KB

Download
memory/2776-214-0x0000000005F10000-0x0000000005F4F000-memory.dmp

Filesize
252KB

Download
memory/2776-216-0x0000000005F10000-0x0000000005F4F000-memory.dmp

Filesize
252KB

Download
memory/2776-218-0x0000000005F10000-0x0000000005F4F000-memory.dmp

Filesize
252KB

Download
memory/2776-220-0x0000000005F10000-0x0000000005F4F000-memory.dmp

Filesize
252KB

Download
memory/2776-222-0x0000000005F10000-0x0000000005F4F000-memory.dmp

Filesize
252KB

Download
memory/2776-223-0x0000000001A80000-0x0000000001ACB000-memory.dmp

Filesize
300KB

Download
memory/2776-226-0x0000000005F10000-0x0000000005F4F000-memory.dmp

Filesize
252KB

Download
memory/2776-224-0x0000000005F60000-0x0000000005F70000-memory.dmp

Filesize
64KB

Download
memory/2776-229-0x0000000005F60000-0x0000000005F70000-memory.dmp

Filesize
64KB

Download
memory/2776-227-0x0000000005F60000-0x0000000005F70000-memory.dmp

Filesize
64KB

Download
memory/2776-230-0x0000000005F10000-0x0000000005F4F000-memory.dmp

Filesize
252KB

Download
memory/2776-232-0x0000000005F10000-0x0000000005F4F000-memory.dmp

Filesize
252KB

Download
memory/2776-1119-0x0000000006770000-0x0000000006D88000-memory.dmp

Filesize
6.1MB

Download
memory/2776-236-0x0000000005F10000-0x0000000005F4F000-memory.dmp

Filesize
252KB

Download
memory/2776-238-0x0000000005F10000-0x0000000005F4F000-memory.dmp

Filesize
252KB

Download
memory/2776-240-0x0000000005F10000-0x0000000005F4F000-memory.dmp

Filesize
252KB

Download
memory/2776-242-0x0000000005F10000-0x0000000005F4F000-memory.dmp

Filesize
252KB

Download
memory/2776-244-0x0000000005F10000-0x0000000005F4F000-memory.dmp

Filesize
252KB

Download
memory/2776-246-0x0000000005F10000-0x0000000005F4F000-memory.dmp

Filesize
252KB

Download
memory/3160-191-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/3160-169-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-183-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/3160-185-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/3160-204-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3160-201-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-202-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-200-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3160-199-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/3160-197-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/3160-167-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/3160-181-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/3160-179-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/3160-189-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/3160-187-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/3160-177-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/3160-175-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/3160-173-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/3160-172-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/3160-171-0x0000000004DC0000-0x0000000005364000-memory.dmp

Filesize
5.6MB

Download
memory/3160-170-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-193-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/3160-168-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3160-195-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download