amadey | 87b06697b20ce2fd7f647c5897d67b8306fb9a8566bc67eda3cc7422cea96bfd

Analysis

max time kernel
127s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87b06697b20ce2fd7f647c5897d67b8306fb9a8566bc67eda3cc7422cea96bfd.exe
Size

1.0MB
MD5

03f522f7bca8a49694d8d5fb00211e83
SHA1

102b637685fca8b362026c66ea4f9188b57ff915
SHA256

87b06697b20ce2fd7f647c5897d67b8306fb9a8566bc67eda3cc7422cea96bfd
SHA512

6d0c1908a210253c6b1384160c5538a45e1657eecd62032c0a7ceaa455dc4797040df8fb712a0eafc3f7b0002b0539efd484c17458cb7f831891dad0d420516b
SSDEEP

24576:dyL0iy2bOVtHZmDroYsq+f48RpmBJ1xfkmYLm6yzA1:4LRy2CVtHgcYb+f48RCz6Lp

Score

10^/10

amadey redline renta rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

renta

176.113.115.145:4125

Attributes

auth_value
359596fd5b36e9925ade4d9a1846bafb

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

cor9211.exebu271115.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor9211.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor9211.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bu271115.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bu271115.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bu271115.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bu271115.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bu271115.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bu271115.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor9211.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor9211.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor9211.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor9211.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2100-210-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2100-211-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2100-215-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2100-213-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2100-217-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2100-221-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2100-225-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2100-227-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2100-231-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2100-229-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2100-233-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2100-235-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2100-237-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2100-239-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2100-241-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2100-243-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2100-245-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2100-247-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2100-1128-0x00000000071D0000-0x00000000071E0000-memory.dmp	family_redline
behavioral1/memory/2100-1129-0x00000000071D0000-0x00000000071E0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

metafor.exege304966.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	metafor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	ge304966.exe

Executes dropped EXE 11 IoCs

Processes:

kina6903.exekina4808.exekina4869.exebu271115.execor9211.exedxS56s20.exeen945876.exege304966.exemetafor.exemetafor.exemetafor.exe

pid	process
1136	kina6903.exe
1188	kina4808.exe
4636	kina4869.exe
1132	bu271115.exe
3740	cor9211.exe
2100	dxS56s20.exe
452	en945876.exe
3784	ge304966.exe
5032	metafor.exe
5020	metafor.exe
904	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cor9211.exebu271115.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor9211.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor9211.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bu271115.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kina6903.exekina4808.exekina4869.exe87b06697b20ce2fd7f647c5897d67b8306fb9a8566bc67eda3cc7422cea96bfd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina6903.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina4808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina4808.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina4869.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina4869.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	87b06697b20ce2fd7f647c5897d67b8306fb9a8566bc67eda3cc7422cea96bfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	87b06697b20ce2fd7f647c5897d67b8306fb9a8566bc67eda3cc7422cea96bfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina6903.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4584 3740 WerFault.exe cor9211.exe
3408 2100 WerFault.exe dxS56s20.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4304 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bu271115.execor9211.exedxS56s20.exeen945876.exe

pid process

1132 bu271115.exe
1132 bu271115.exe
3740 cor9211.exe
3740 cor9211.exe
2100 dxS56s20.exe
2100 dxS56s20.exe
452 en945876.exe
452 en945876.exe

pid	pid_target	process	target process
4584	3740	WerFault.exe	cor9211.exe
3408	2100	WerFault.exe	dxS56s20.exe

pid	process
4304	schtasks.exe

pid	process
1132	bu271115.exe
1132	bu271115.exe
3740	cor9211.exe
3740	cor9211.exe
2100	dxS56s20.exe
2100	dxS56s20.exe
452	en945876.exe
452	en945876.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bu271115.execor9211.exedxS56s20.exeen945876.exe

description	pid	process
Token: SeDebugPrivilege	1132	bu271115.exe
Token: SeDebugPrivilege	3740	cor9211.exe
Token: SeDebugPrivilege	2100	dxS56s20.exe
Token: SeDebugPrivilege	452	en945876.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

87b06697b20ce2fd7f647c5897d67b8306fb9a8566bc67eda3cc7422cea96bfd.exekina6903.exekina4808.exekina4869.exege304966.exemetafor.execmd.exe

description	pid	process	target process
PID 4296 wrote to memory of 1136	4296	87b06697b20ce2fd7f647c5897d67b8306fb9a8566bc67eda3cc7422cea96bfd.exe	kina6903.exe
PID 4296 wrote to memory of 1136	4296	87b06697b20ce2fd7f647c5897d67b8306fb9a8566bc67eda3cc7422cea96bfd.exe	kina6903.exe
PID 4296 wrote to memory of 1136	4296	87b06697b20ce2fd7f647c5897d67b8306fb9a8566bc67eda3cc7422cea96bfd.exe	kina6903.exe
PID 1136 wrote to memory of 1188	1136	kina6903.exe	kina4808.exe
PID 1136 wrote to memory of 1188	1136	kina6903.exe	kina4808.exe
PID 1136 wrote to memory of 1188	1136	kina6903.exe	kina4808.exe
PID 1188 wrote to memory of 4636	1188	kina4808.exe	kina4869.exe
PID 1188 wrote to memory of 4636	1188	kina4808.exe	kina4869.exe
PID 1188 wrote to memory of 4636	1188	kina4808.exe	kina4869.exe
PID 4636 wrote to memory of 1132	4636	kina4869.exe	bu271115.exe
PID 4636 wrote to memory of 1132	4636	kina4869.exe	bu271115.exe
PID 4636 wrote to memory of 3740	4636	kina4869.exe	cor9211.exe
PID 4636 wrote to memory of 3740	4636	kina4869.exe	cor9211.exe
PID 4636 wrote to memory of 3740	4636	kina4869.exe	cor9211.exe
PID 1188 wrote to memory of 2100	1188	kina4808.exe	dxS56s20.exe
PID 1188 wrote to memory of 2100	1188	kina4808.exe	dxS56s20.exe
PID 1188 wrote to memory of 2100	1188	kina4808.exe	dxS56s20.exe
PID 1136 wrote to memory of 452	1136	kina6903.exe	en945876.exe
PID 1136 wrote to memory of 452	1136	kina6903.exe	en945876.exe
PID 1136 wrote to memory of 452	1136	kina6903.exe	en945876.exe
PID 4296 wrote to memory of 3784	4296	87b06697b20ce2fd7f647c5897d67b8306fb9a8566bc67eda3cc7422cea96bfd.exe	ge304966.exe
PID 4296 wrote to memory of 3784	4296	87b06697b20ce2fd7f647c5897d67b8306fb9a8566bc67eda3cc7422cea96bfd.exe	ge304966.exe
PID 4296 wrote to memory of 3784	4296	87b06697b20ce2fd7f647c5897d67b8306fb9a8566bc67eda3cc7422cea96bfd.exe	ge304966.exe
PID 3784 wrote to memory of 5032	3784	ge304966.exe	metafor.exe
PID 3784 wrote to memory of 5032	3784	ge304966.exe	metafor.exe
PID 3784 wrote to memory of 5032	3784	ge304966.exe	metafor.exe
PID 5032 wrote to memory of 4304	5032	metafor.exe	schtasks.exe
PID 5032 wrote to memory of 4304	5032	metafor.exe	schtasks.exe
PID 5032 wrote to memory of 4304	5032	metafor.exe	schtasks.exe
PID 5032 wrote to memory of 1644	5032	metafor.exe	cmd.exe
PID 5032 wrote to memory of 1644	5032	metafor.exe	cmd.exe
PID 5032 wrote to memory of 1644	5032	metafor.exe	cmd.exe
PID 1644 wrote to memory of 3708	1644	cmd.exe	cmd.exe
PID 1644 wrote to memory of 3708	1644	cmd.exe	cmd.exe
PID 1644 wrote to memory of 3708	1644	cmd.exe	cmd.exe
PID 1644 wrote to memory of 2508	1644	cmd.exe	cacls.exe
PID 1644 wrote to memory of 2508	1644	cmd.exe	cacls.exe
PID 1644 wrote to memory of 2508	1644	cmd.exe	cacls.exe
PID 1644 wrote to memory of 2156	1644	cmd.exe	cacls.exe
PID 1644 wrote to memory of 2156	1644	cmd.exe	cacls.exe
PID 1644 wrote to memory of 2156	1644	cmd.exe	cacls.exe
PID 1644 wrote to memory of 4668	1644	cmd.exe	cmd.exe
PID 1644 wrote to memory of 4668	1644	cmd.exe	cmd.exe
PID 1644 wrote to memory of 4668	1644	cmd.exe	cmd.exe
PID 1644 wrote to memory of 4300	1644	cmd.exe	cacls.exe
PID 1644 wrote to memory of 4300	1644	cmd.exe	cacls.exe
PID 1644 wrote to memory of 4300	1644	cmd.exe	cacls.exe
PID 1644 wrote to memory of 1872	1644	cmd.exe	cacls.exe
PID 1644 wrote to memory of 1872	1644	cmd.exe	cacls.exe
PID 1644 wrote to memory of 1872	1644	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\87b06697b20ce2fd7f647c5897d67b8306fb9a8566bc67eda3cc7422cea96bfd.exe
"C:\Users\Admin\AppData\Local\Temp\87b06697b20ce2fd7f647c5897d67b8306fb9a8566bc67eda3cc7422cea96bfd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4296

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina6903.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina6903.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1136

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina4808.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina4808.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina4869.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina4869.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4636

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu271115.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu271115.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9211.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9211.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 1076
6⤵
- Program crash
PID:4584

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dxS56s20.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dxS56s20.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1336
5⤵
- Program crash
PID:3408

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en945876.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en945876.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge304966.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge304966.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:4304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3708

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:2508

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4668

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:4300

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3740 -ip 3740
1⤵
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2100 -ip 2100
1⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:5020

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
58116ffb54482b4c4975a0c46e9ec971

SHA1
b4647f0decfe89110630d930b61c8f5e36dc6856

SHA256
db11d987105b017b201c5213e8cf3fb0c06373546d01ae43a9e325f81f2726e6

SHA512
bf5bd70e9d40b6db33327579383175f160b112a406f2af741f1dee9467a35a465660d8a6338fd031c410acc084288767fd023c2080a46e03ecff9d23632f4f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
58116ffb54482b4c4975a0c46e9ec971

SHA1
b4647f0decfe89110630d930b61c8f5e36dc6856

SHA256
db11d987105b017b201c5213e8cf3fb0c06373546d01ae43a9e325f81f2726e6

SHA512
bf5bd70e9d40b6db33327579383175f160b112a406f2af741f1dee9467a35a465660d8a6338fd031c410acc084288767fd023c2080a46e03ecff9d23632f4f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
58116ffb54482b4c4975a0c46e9ec971

SHA1
b4647f0decfe89110630d930b61c8f5e36dc6856

SHA256
db11d987105b017b201c5213e8cf3fb0c06373546d01ae43a9e325f81f2726e6

SHA512
bf5bd70e9d40b6db33327579383175f160b112a406f2af741f1dee9467a35a465660d8a6338fd031c410acc084288767fd023c2080a46e03ecff9d23632f4f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
58116ffb54482b4c4975a0c46e9ec971

SHA1
b4647f0decfe89110630d930b61c8f5e36dc6856

SHA256
db11d987105b017b201c5213e8cf3fb0c06373546d01ae43a9e325f81f2726e6

SHA512
bf5bd70e9d40b6db33327579383175f160b112a406f2af741f1dee9467a35a465660d8a6338fd031c410acc084288767fd023c2080a46e03ecff9d23632f4f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
58116ffb54482b4c4975a0c46e9ec971

SHA1
b4647f0decfe89110630d930b61c8f5e36dc6856

SHA256
db11d987105b017b201c5213e8cf3fb0c06373546d01ae43a9e325f81f2726e6

SHA512
bf5bd70e9d40b6db33327579383175f160b112a406f2af741f1dee9467a35a465660d8a6338fd031c410acc084288767fd023c2080a46e03ecff9d23632f4f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge304966.exe
Filesize
227KB

MD5
58116ffb54482b4c4975a0c46e9ec971

SHA1
b4647f0decfe89110630d930b61c8f5e36dc6856

SHA256
db11d987105b017b201c5213e8cf3fb0c06373546d01ae43a9e325f81f2726e6

SHA512
bf5bd70e9d40b6db33327579383175f160b112a406f2af741f1dee9467a35a465660d8a6338fd031c410acc084288767fd023c2080a46e03ecff9d23632f4f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge304966.exe
Filesize
227KB

MD5
58116ffb54482b4c4975a0c46e9ec971

SHA1
b4647f0decfe89110630d930b61c8f5e36dc6856

SHA256
db11d987105b017b201c5213e8cf3fb0c06373546d01ae43a9e325f81f2726e6

SHA512
bf5bd70e9d40b6db33327579383175f160b112a406f2af741f1dee9467a35a465660d8a6338fd031c410acc084288767fd023c2080a46e03ecff9d23632f4f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina6903.exe
Filesize
847KB

MD5
d5d08e9bd6b751797451007fe846b62e

SHA1
fd97e5afaf79aa065b4e11db6bd885de3e815525

SHA256
c98005e0e7cb3ec866fe30c7a93af27cc61d35f789c8677ed439521a3a2836f1

SHA512
a348c8b9791f513c2e75c623e027d0a41a22bb64b4b90d7488b5c1c9464907e50b3932f7436ba307a43fed006817af8226180a5806137b24c409dceb8bce515b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina6903.exe
Filesize
847KB

MD5
d5d08e9bd6b751797451007fe846b62e

SHA1
fd97e5afaf79aa065b4e11db6bd885de3e815525

SHA256
c98005e0e7cb3ec866fe30c7a93af27cc61d35f789c8677ed439521a3a2836f1

SHA512
a348c8b9791f513c2e75c623e027d0a41a22bb64b4b90d7488b5c1c9464907e50b3932f7436ba307a43fed006817af8226180a5806137b24c409dceb8bce515b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en945876.exe
Filesize
175KB

MD5
74d2717de60e942dd0111070e768eac4

SHA1
713049d475b1bf1a819e55adb21cc0d2b7a6b2ea

SHA256
9d251bb4f351160e6edb78ef532ac4d95275d8ff38f48cc0a61252c71584504c

SHA512
1d3698e157389dea604514d497621d97500e6e02b5a0648699c305d6061c00b1152543d00fdaad0377b66ea846169f0bb2b1692157d44f22464868837af4e762

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en945876.exe
Filesize
175KB

MD5
74d2717de60e942dd0111070e768eac4

SHA1
713049d475b1bf1a819e55adb21cc0d2b7a6b2ea

SHA256
9d251bb4f351160e6edb78ef532ac4d95275d8ff38f48cc0a61252c71584504c

SHA512
1d3698e157389dea604514d497621d97500e6e02b5a0648699c305d6061c00b1152543d00fdaad0377b66ea846169f0bb2b1692157d44f22464868837af4e762

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina4808.exe
Filesize
705KB

MD5
656afd8d43e51bd7f5c365e524b0ad95

SHA1
95b2e4b0bd7712580ade1e1f1ac3598e416d1cdf

SHA256
36b290ce5086d648d2d749acb2676baaee4f6a36a5655a1edef4a57cfc6a1532

SHA512
d3c26ea4e26fb61884040115b3b863d5293e6d355b7ff4c7257c61992d688c0ae7d487cca2b01a8d3cc93a20fd9de9c38f7c23a3c64beb43cd50ffc1a2f49a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina4808.exe
Filesize
705KB

MD5
656afd8d43e51bd7f5c365e524b0ad95

SHA1
95b2e4b0bd7712580ade1e1f1ac3598e416d1cdf

SHA256
36b290ce5086d648d2d749acb2676baaee4f6a36a5655a1edef4a57cfc6a1532

SHA512
d3c26ea4e26fb61884040115b3b863d5293e6d355b7ff4c7257c61992d688c0ae7d487cca2b01a8d3cc93a20fd9de9c38f7c23a3c64beb43cd50ffc1a2f49a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dxS56s20.exe
Filesize
380KB

MD5
5a2a94d3d06bf4c13a53990209b2c3be

SHA1
31e317911f8ffa689797ef9f41d722774f90afa6

SHA256
d9b1453d6012e0906ee8e5a6b479c7965ca79d9ddcbf654fe136e774da75afa3

SHA512
cfe68818f34b285470e1fa1eb26ca2efdeeb1ff794ad11d4219cc46c4b193e0a8334a98a8b71e0f2ffc7e95d6a2e9f695ce0dec8d1b7d388610166a032519ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dxS56s20.exe
Filesize
380KB

MD5
5a2a94d3d06bf4c13a53990209b2c3be

SHA1
31e317911f8ffa689797ef9f41d722774f90afa6

SHA256
d9b1453d6012e0906ee8e5a6b479c7965ca79d9ddcbf654fe136e774da75afa3

SHA512
cfe68818f34b285470e1fa1eb26ca2efdeeb1ff794ad11d4219cc46c4b193e0a8334a98a8b71e0f2ffc7e95d6a2e9f695ce0dec8d1b7d388610166a032519ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina4869.exe
Filesize
349KB

MD5
319cea0dd96211b62b0174f2a246b397

SHA1
40b80a6bd2ca63d7b42a00f3b5106af4205b48cc

SHA256
0ac2138637210e15675f8836139932cd07716a16ddd091f3911a4f9a6ca19b93

SHA512
93b9d34c4ae47db4a1dfe5efd1bab3620b883ecea84ed2418bc4012b9f66bf37cf065a81e43679f575ba245234731061c80b0f5b8ac27001ca461b1657faf17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina4869.exe
Filesize
349KB

MD5
319cea0dd96211b62b0174f2a246b397

SHA1
40b80a6bd2ca63d7b42a00f3b5106af4205b48cc

SHA256
0ac2138637210e15675f8836139932cd07716a16ddd091f3911a4f9a6ca19b93

SHA512
93b9d34c4ae47db4a1dfe5efd1bab3620b883ecea84ed2418bc4012b9f66bf37cf065a81e43679f575ba245234731061c80b0f5b8ac27001ca461b1657faf17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu271115.exe
Filesize
11KB

MD5
f0ffdb8653d6cd339552f9cba51d877b

SHA1
3051496ef460abbb58f80aa5d300e5ebc9555486

SHA256
272a3052425e4d9fb6aaa59bde6d6e463312dbac3dd436cae197ca6abdaf50bd

SHA512
5fb9acd2feda43d61583b8c5638078da9c275e0fe72ce4486f27bfb1628c8ceb6e3d7bbeafb2e84025216ddb07d32c6183f72546d3726b169f2bec4a0ca6b9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu271115.exe
Filesize
11KB

MD5
f0ffdb8653d6cd339552f9cba51d877b

SHA1
3051496ef460abbb58f80aa5d300e5ebc9555486

SHA256
272a3052425e4d9fb6aaa59bde6d6e463312dbac3dd436cae197ca6abdaf50bd

SHA512
5fb9acd2feda43d61583b8c5638078da9c275e0fe72ce4486f27bfb1628c8ceb6e3d7bbeafb2e84025216ddb07d32c6183f72546d3726b169f2bec4a0ca6b9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9211.exe
Filesize
321KB

MD5
354933e3f1744628eeb9ab24c7a116ac

SHA1
de25b845434f95a1ad974b29e2ede91428b38824

SHA256
47f58e1a4878610137e1fa2082a5d073a5968f9b08abb2c084315c4cd032ca3b

SHA512
1dfb29e43f5b08a3658bc077b463ea6590f590531fe1efdb05d1a6032a8efba32c01433152f522065a520a603dd023e0b77ab8956a85a2df9b4771c554d621ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9211.exe
Filesize
321KB

MD5
354933e3f1744628eeb9ab24c7a116ac

SHA1
de25b845434f95a1ad974b29e2ede91428b38824

SHA256
47f58e1a4878610137e1fa2082a5d073a5968f9b08abb2c084315c4cd032ca3b

SHA512
1dfb29e43f5b08a3658bc077b463ea6590f590531fe1efdb05d1a6032a8efba32c01433152f522065a520a603dd023e0b77ab8956a85a2df9b4771c554d621ae

Download Submit
memory/452-1142-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/452-1141-0x00000000003E0000-0x0000000000412000-memory.dmp

Filesize
200KB

Download
memory/1132-161-0x0000000000750000-0x000000000075A000-memory.dmp

Filesize
40KB

Download
memory/2100-1123-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/2100-239-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2100-1135-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2100-1134-0x00000000096A0000-0x00000000096F0000-memory.dmp

Filesize
320KB

Download
memory/2100-1133-0x0000000009600000-0x0000000009676000-memory.dmp

Filesize
472KB

Download
memory/2100-1132-0x0000000008E70000-0x000000000939C000-memory.dmp

Filesize
5.2MB

Download
memory/2100-1131-0x0000000008CA0000-0x0000000008E62000-memory.dmp

Filesize
1.8MB

Download
memory/2100-1130-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2100-1129-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2100-1128-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2100-1127-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/2100-1126-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/2100-1124-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2100-1122-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/2100-210-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2100-211-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2100-215-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2100-213-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2100-217-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2100-219-0x0000000002DB0000-0x0000000002DFB000-memory.dmp

Filesize
300KB

Download
memory/2100-221-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2100-223-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2100-225-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2100-224-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2100-220-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2100-227-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2100-231-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2100-229-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2100-233-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2100-235-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2100-237-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2100-1121-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/2100-241-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2100-243-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2100-245-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2100-247-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2100-1120-0x00000000078D0000-0x0000000007EE8000-memory.dmp

Filesize
6.1MB

Download
memory/3740-193-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3740-205-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/3740-189-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3740-187-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3740-191-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3740-203-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/3740-202-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/3740-181-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3740-200-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/3740-199-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3740-197-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3740-195-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3740-183-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3740-185-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3740-201-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/3740-179-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3740-177-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3740-175-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3740-173-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3740-172-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/3740-171-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/3740-170-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/3740-169-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/3740-168-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/3740-167-0x0000000007340000-0x00000000078E4000-memory.dmp

Filesize
5.6MB

Download