amadey | 6b01d7044beb84b4265062fcb2102dbb588408e43c78daf736c8b4041ddba3ce

Analysis

max time kernel
124s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b01d7044beb84b4265062fcb2102dbb588408e43c78daf736c8b4041ddba3ce.exe
Size

1.0MB
MD5

3e95f87895f39e0a06c2871c980cf86c
SHA1

64e3a7b7e6cead9ff53d02437628d0f34407a5db
SHA256

6b01d7044beb84b4265062fcb2102dbb588408e43c78daf736c8b4041ddba3ce
SHA512

5b072dc26840ce61cd0a4a502f32d8ab343ff8a7feff09f5bc23f3a16c24ff37eecfcccbc205ca3fc784ff78a46938d6183af93597a87231561725589108d811
SSDEEP

12288:1MrUy90dx9U/7q9xRjkE76WiUlHhIC02jbKSeUWQ8XJCVdiSZKmYL3zulb39adqp:dyimqXoEOZg+nUbzy8i7mYLC539CwJL

Score

10^/10

amadey redline renta rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

renta

176.113.115.145:4125

Attributes

auth_value
359596fd5b36e9925ade4d9a1846bafb

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bu283748.execor5877.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bu283748.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bu283748.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor5877.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor5877.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor5877.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bu283748.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bu283748.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bu283748.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bu283748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor5877.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor5877.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor5877.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2292-210-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2292-213-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2292-215-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2292-211-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2292-219-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2292-220-0x00000000071D0000-0x00000000071E0000-memory.dmp	family_redline
behavioral1/memory/2292-223-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2292-225-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2292-227-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2292-229-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2292-231-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2292-233-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2292-235-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2292-239-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2292-237-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2292-241-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2292-243-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2292-245-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2292-247-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

metafor.exege990229.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	metafor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	ge990229.exe

Executes dropped EXE 11 IoCs

Processes:

kina2060.exekina5455.exekina2715.exebu283748.execor5877.exedoh56s37.exeen054331.exege990229.exemetafor.exemetafor.exemetafor.exe

pid	process
448	kina2060.exe
4776	kina5455.exe
4236	kina2715.exe
4908	bu283748.exe
4296	cor5877.exe
2292	doh56s37.exe
5012	en054331.exe
3608	ge990229.exe
3896	metafor.exe
3760	metafor.exe
4908	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bu283748.execor5877.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bu283748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor5877.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor5877.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kina2715.exe6b01d7044beb84b4265062fcb2102dbb588408e43c78daf736c8b4041ddba3ce.exekina2060.exekina5455.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina2715.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6b01d7044beb84b4265062fcb2102dbb588408e43c78daf736c8b4041ddba3ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6b01d7044beb84b4265062fcb2102dbb588408e43c78daf736c8b4041ddba3ce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina2060.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina2060.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina5455.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina5455.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina2715.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3192 4296 WerFault.exe cor5877.exe
2200 2292 WerFault.exe doh56s37.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5116 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bu283748.execor5877.exedoh56s37.exeen054331.exe

pid process

4908 bu283748.exe
4908 bu283748.exe
4296 cor5877.exe
4296 cor5877.exe
2292 doh56s37.exe
2292 doh56s37.exe
5012 en054331.exe
5012 en054331.exe

pid	pid_target	process	target process
3192	4296	WerFault.exe	cor5877.exe
2200	2292	WerFault.exe	doh56s37.exe

pid	process
5116	schtasks.exe

pid	process
4908	bu283748.exe
4908	bu283748.exe
4296	cor5877.exe
4296	cor5877.exe
2292	doh56s37.exe
2292	doh56s37.exe
5012	en054331.exe
5012	en054331.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bu283748.execor5877.exedoh56s37.exeen054331.exe

description	pid	process
Token: SeDebugPrivilege	4908	bu283748.exe
Token: SeDebugPrivilege	4296	cor5877.exe
Token: SeDebugPrivilege	2292	doh56s37.exe
Token: SeDebugPrivilege	5012	en054331.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

6b01d7044beb84b4265062fcb2102dbb588408e43c78daf736c8b4041ddba3ce.exekina2060.exekina5455.exekina2715.exege990229.exemetafor.execmd.exe

description	pid	process	target process
PID 2428 wrote to memory of 448	2428	6b01d7044beb84b4265062fcb2102dbb588408e43c78daf736c8b4041ddba3ce.exe	kina2060.exe
PID 2428 wrote to memory of 448	2428	6b01d7044beb84b4265062fcb2102dbb588408e43c78daf736c8b4041ddba3ce.exe	kina2060.exe
PID 2428 wrote to memory of 448	2428	6b01d7044beb84b4265062fcb2102dbb588408e43c78daf736c8b4041ddba3ce.exe	kina2060.exe
PID 448 wrote to memory of 4776	448	kina2060.exe	kina5455.exe
PID 448 wrote to memory of 4776	448	kina2060.exe	kina5455.exe
PID 448 wrote to memory of 4776	448	kina2060.exe	kina5455.exe
PID 4776 wrote to memory of 4236	4776	kina5455.exe	kina2715.exe
PID 4776 wrote to memory of 4236	4776	kina5455.exe	kina2715.exe
PID 4776 wrote to memory of 4236	4776	kina5455.exe	kina2715.exe
PID 4236 wrote to memory of 4908	4236	kina2715.exe	bu283748.exe
PID 4236 wrote to memory of 4908	4236	kina2715.exe	bu283748.exe
PID 4236 wrote to memory of 4296	4236	kina2715.exe	cor5877.exe
PID 4236 wrote to memory of 4296	4236	kina2715.exe	cor5877.exe
PID 4236 wrote to memory of 4296	4236	kina2715.exe	cor5877.exe
PID 4776 wrote to memory of 2292	4776	kina5455.exe	doh56s37.exe
PID 4776 wrote to memory of 2292	4776	kina5455.exe	doh56s37.exe
PID 4776 wrote to memory of 2292	4776	kina5455.exe	doh56s37.exe
PID 448 wrote to memory of 5012	448	kina2060.exe	en054331.exe
PID 448 wrote to memory of 5012	448	kina2060.exe	en054331.exe
PID 448 wrote to memory of 5012	448	kina2060.exe	en054331.exe
PID 2428 wrote to memory of 3608	2428	6b01d7044beb84b4265062fcb2102dbb588408e43c78daf736c8b4041ddba3ce.exe	ge990229.exe
PID 2428 wrote to memory of 3608	2428	6b01d7044beb84b4265062fcb2102dbb588408e43c78daf736c8b4041ddba3ce.exe	ge990229.exe
PID 2428 wrote to memory of 3608	2428	6b01d7044beb84b4265062fcb2102dbb588408e43c78daf736c8b4041ddba3ce.exe	ge990229.exe
PID 3608 wrote to memory of 3896	3608	ge990229.exe	metafor.exe
PID 3608 wrote to memory of 3896	3608	ge990229.exe	metafor.exe
PID 3608 wrote to memory of 3896	3608	ge990229.exe	metafor.exe
PID 3896 wrote to memory of 5116	3896	metafor.exe	schtasks.exe
PID 3896 wrote to memory of 5116	3896	metafor.exe	schtasks.exe
PID 3896 wrote to memory of 5116	3896	metafor.exe	schtasks.exe
PID 3896 wrote to memory of 1940	3896	metafor.exe	cmd.exe
PID 3896 wrote to memory of 1940	3896	metafor.exe	cmd.exe
PID 3896 wrote to memory of 1940	3896	metafor.exe	cmd.exe
PID 1940 wrote to memory of 3032	1940	cmd.exe	cmd.exe
PID 1940 wrote to memory of 3032	1940	cmd.exe	cmd.exe
PID 1940 wrote to memory of 3032	1940	cmd.exe	cmd.exe
PID 1940 wrote to memory of 3036	1940	cmd.exe	cacls.exe
PID 1940 wrote to memory of 3036	1940	cmd.exe	cacls.exe
PID 1940 wrote to memory of 3036	1940	cmd.exe	cacls.exe
PID 1940 wrote to memory of 5040	1940	cmd.exe	cacls.exe
PID 1940 wrote to memory of 5040	1940	cmd.exe	cacls.exe
PID 1940 wrote to memory of 5040	1940	cmd.exe	cacls.exe
PID 1940 wrote to memory of 4960	1940	cmd.exe	cmd.exe
PID 1940 wrote to memory of 4960	1940	cmd.exe	cmd.exe
PID 1940 wrote to memory of 4960	1940	cmd.exe	cmd.exe
PID 1940 wrote to memory of 4800	1940	cmd.exe	cacls.exe
PID 1940 wrote to memory of 4800	1940	cmd.exe	cacls.exe
PID 1940 wrote to memory of 4800	1940	cmd.exe	cacls.exe
PID 1940 wrote to memory of 4844	1940	cmd.exe	cacls.exe
PID 1940 wrote to memory of 4844	1940	cmd.exe	cacls.exe
PID 1940 wrote to memory of 4844	1940	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\6b01d7044beb84b4265062fcb2102dbb588408e43c78daf736c8b4041ddba3ce.exe
"C:\Users\Admin\AppData\Local\Temp\6b01d7044beb84b4265062fcb2102dbb588408e43c78daf736c8b4041ddba3ce.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina2060.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina2060.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5455.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5455.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina2715.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina2715.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4236
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu283748.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu283748.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5877.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5877.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4296
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 1080
        6⤵
        Program crash
        
        PID:3192
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\doh56s37.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\doh56s37.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2292
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1352
        5⤵
        Program crash
        
        PID:2200
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en054331.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en054331.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5012
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge990229.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge990229.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:5116
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3032
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:N"
        5⤵
        
        PID:3036
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:R" /E
        5⤵
        
        PID:5040
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4960
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:N"
        5⤵
        
        PID:4800
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:R" /E
        5⤵
        
        PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4296 -ip 4296
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2292 -ip 2292
1⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:3760

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:4908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
227KB

MD5
008b9608dc5a002ff1d83ff835690825

SHA1
7c2dcdf56d473256427b0aab411abb866c37b1c3

SHA256
66fd8771b69844db85003392856187cc10a5b2d0ff171535933e9067300f14b0

SHA512
cecfc65616f41eb66ffe2f2f1542252436c7d8c13fa6d2a2086b2545ee5259930d6625a7f93981e86b4fd1c5ee3a98582111a9ecf7cb753d5784a8069dc85d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
227KB

MD5
008b9608dc5a002ff1d83ff835690825

SHA1
7c2dcdf56d473256427b0aab411abb866c37b1c3

SHA256
66fd8771b69844db85003392856187cc10a5b2d0ff171535933e9067300f14b0

SHA512
cecfc65616f41eb66ffe2f2f1542252436c7d8c13fa6d2a2086b2545ee5259930d6625a7f93981e86b4fd1c5ee3a98582111a9ecf7cb753d5784a8069dc85d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
227KB

MD5
008b9608dc5a002ff1d83ff835690825

SHA1
7c2dcdf56d473256427b0aab411abb866c37b1c3

SHA256
66fd8771b69844db85003392856187cc10a5b2d0ff171535933e9067300f14b0

SHA512
cecfc65616f41eb66ffe2f2f1542252436c7d8c13fa6d2a2086b2545ee5259930d6625a7f93981e86b4fd1c5ee3a98582111a9ecf7cb753d5784a8069dc85d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
227KB

MD5
008b9608dc5a002ff1d83ff835690825

SHA1
7c2dcdf56d473256427b0aab411abb866c37b1c3

SHA256
66fd8771b69844db85003392856187cc10a5b2d0ff171535933e9067300f14b0

SHA512
cecfc65616f41eb66ffe2f2f1542252436c7d8c13fa6d2a2086b2545ee5259930d6625a7f93981e86b4fd1c5ee3a98582111a9ecf7cb753d5784a8069dc85d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
227KB

MD5
008b9608dc5a002ff1d83ff835690825

SHA1
7c2dcdf56d473256427b0aab411abb866c37b1c3

SHA256
66fd8771b69844db85003392856187cc10a5b2d0ff171535933e9067300f14b0

SHA512
cecfc65616f41eb66ffe2f2f1542252436c7d8c13fa6d2a2086b2545ee5259930d6625a7f93981e86b4fd1c5ee3a98582111a9ecf7cb753d5784a8069dc85d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge990229.exe

Filesize
227KB

MD5
008b9608dc5a002ff1d83ff835690825

SHA1
7c2dcdf56d473256427b0aab411abb866c37b1c3

SHA256
66fd8771b69844db85003392856187cc10a5b2d0ff171535933e9067300f14b0

SHA512
cecfc65616f41eb66ffe2f2f1542252436c7d8c13fa6d2a2086b2545ee5259930d6625a7f93981e86b4fd1c5ee3a98582111a9ecf7cb753d5784a8069dc85d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge990229.exe

Filesize
227KB

MD5
008b9608dc5a002ff1d83ff835690825

SHA1
7c2dcdf56d473256427b0aab411abb866c37b1c3

SHA256
66fd8771b69844db85003392856187cc10a5b2d0ff171535933e9067300f14b0

SHA512
cecfc65616f41eb66ffe2f2f1542252436c7d8c13fa6d2a2086b2545ee5259930d6625a7f93981e86b4fd1c5ee3a98582111a9ecf7cb753d5784a8069dc85d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina2060.exe

Filesize
847KB

MD5
aaa1e759d6c2332d979692f311537fb4

SHA1
552b42f8c7b9e1c2425072a1b2cf9a9445a75196

SHA256
048719be47e7679e72a8e29d65bcdeba519abc94381005eed8ed2560130f79d6

SHA512
78e0422920f72e095f9a76484d712cb376bced64359b3717bc69cf51da3465ec874dc0ad2e84ad8a306bcbb36e23ac6a22929055602317f0073663496f41625b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina2060.exe

Filesize
847KB

MD5
aaa1e759d6c2332d979692f311537fb4

SHA1
552b42f8c7b9e1c2425072a1b2cf9a9445a75196

SHA256
048719be47e7679e72a8e29d65bcdeba519abc94381005eed8ed2560130f79d6

SHA512
78e0422920f72e095f9a76484d712cb376bced64359b3717bc69cf51da3465ec874dc0ad2e84ad8a306bcbb36e23ac6a22929055602317f0073663496f41625b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en054331.exe

Filesize
175KB

MD5
d500c9fcbdc687d7a3deae790fc2106f

SHA1
10b06792d22ddb7f5387da34af222ea9b69d8dfe

SHA256
be29bfb795faeb60c5bb9d660aa7c73732decfb983e2b06c7e55f211d2eab0ec

SHA512
4580badd7cb7fa91eb48994e170e8c68cfc1571a7cc5da91f546d52d561cfee2cf7bc7e8952a6dc5715804c1220811af39bb0a1eed987ed638aeeee88baba708

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en054331.exe

Filesize
175KB

MD5
d500c9fcbdc687d7a3deae790fc2106f

SHA1
10b06792d22ddb7f5387da34af222ea9b69d8dfe

SHA256
be29bfb795faeb60c5bb9d660aa7c73732decfb983e2b06c7e55f211d2eab0ec

SHA512
4580badd7cb7fa91eb48994e170e8c68cfc1571a7cc5da91f546d52d561cfee2cf7bc7e8952a6dc5715804c1220811af39bb0a1eed987ed638aeeee88baba708

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5455.exe

Filesize
705KB

MD5
30b72208bb7cef4be551beda5e58bf36

SHA1
3b2bf5e1c36d0539abfc163545950d39b19cad09

SHA256
baef8723fbaccbc5f03097fce9f734909d3ac7fd85225649834a1fba4a401763

SHA512
c968368b08ee3993493e26a99610cda016e635fd55f8e794b0603bed508c783bf24cf8864a3eb72737f85ed7bb000573a1d6e457077cf805f07ec77a320218f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5455.exe

Filesize
705KB

MD5
30b72208bb7cef4be551beda5e58bf36

SHA1
3b2bf5e1c36d0539abfc163545950d39b19cad09

SHA256
baef8723fbaccbc5f03097fce9f734909d3ac7fd85225649834a1fba4a401763

SHA512
c968368b08ee3993493e26a99610cda016e635fd55f8e794b0603bed508c783bf24cf8864a3eb72737f85ed7bb000573a1d6e457077cf805f07ec77a320218f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\doh56s37.exe

Filesize
380KB

MD5
a3162ee8f2847db9418b197372f858a8

SHA1
8c61baadb6915c5444e23c65e4b937165ea58e9c

SHA256
a2b020c57ca27be765b897e0cf520db0c9c3dfac0029ebcb0dba276a385be8a8

SHA512
907ae9cecf5be9e3cac2002044b29eb397dd536fdda5114815444d856da0813a0db8c0ca699cad1963920450a326e98a6e18543ec72d055249a7c4af635d52a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\doh56s37.exe

Filesize
380KB

MD5
a3162ee8f2847db9418b197372f858a8

SHA1
8c61baadb6915c5444e23c65e4b937165ea58e9c

SHA256
a2b020c57ca27be765b897e0cf520db0c9c3dfac0029ebcb0dba276a385be8a8

SHA512
907ae9cecf5be9e3cac2002044b29eb397dd536fdda5114815444d856da0813a0db8c0ca699cad1963920450a326e98a6e18543ec72d055249a7c4af635d52a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina2715.exe

Filesize
349KB

MD5
da9cd248bda2b34c94499219cd7170f9

SHA1
81c2cbc8f5a8087b91e1f93dd00c0b5775c9e327

SHA256
e0def41b86d2770b13ccc00ef45aef93a91fc6eb62aef2a5be0b69d3685b8e28

SHA512
76e56ec7e63ccdf57a6cc9d0f6be7474b0b7411ebf0bf1112641ab53208978fa4248c1e09297a514a6b1b41045b116a3859c8da509f59835628d523a646799b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina2715.exe

Filesize
349KB

MD5
da9cd248bda2b34c94499219cd7170f9

SHA1
81c2cbc8f5a8087b91e1f93dd00c0b5775c9e327

SHA256
e0def41b86d2770b13ccc00ef45aef93a91fc6eb62aef2a5be0b69d3685b8e28

SHA512
76e56ec7e63ccdf57a6cc9d0f6be7474b0b7411ebf0bf1112641ab53208978fa4248c1e09297a514a6b1b41045b116a3859c8da509f59835628d523a646799b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu283748.exe

Filesize
11KB

MD5
7718786682a8337d7648a66452f38451

SHA1
8c920f18fcba96bf298b6b4fedc106d41bffc15d

SHA256
bfaddfa17ef956d9ff60aa9a7e934ceb72aaa5d3fa44f25301dc311cb84f7062

SHA512
3b5ebf59a31776f85d2c69d054e67e39643b0953501149559892a09281470458ffbb1791a954b846289490b940e766a573804711fece9c66e1fd496ba1e59106

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu283748.exe

Filesize
11KB

MD5
7718786682a8337d7648a66452f38451

SHA1
8c920f18fcba96bf298b6b4fedc106d41bffc15d

SHA256
bfaddfa17ef956d9ff60aa9a7e934ceb72aaa5d3fa44f25301dc311cb84f7062

SHA512
3b5ebf59a31776f85d2c69d054e67e39643b0953501149559892a09281470458ffbb1791a954b846289490b940e766a573804711fece9c66e1fd496ba1e59106

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5877.exe

Filesize
321KB

MD5
6e95436e639aa281fcb7c0a93c39a859

SHA1
e415d3e425297cab1e11352ab5ac487461b37404

SHA256
7e0e70b41e76af5e6d4395505c6d52288936c603748a4ba3908cca28af282564

SHA512
ed51863d7c93d4da57be4c82fea31d7d30b8d141879d61b98ba7a735e33e9872014331e9788ff1ae2fb84ff5a5bbdc841332c2d15dd41fc948e0ceb136796068

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5877.exe

Filesize
321KB

MD5
6e95436e639aa281fcb7c0a93c39a859

SHA1
e415d3e425297cab1e11352ab5ac487461b37404

SHA256
7e0e70b41e76af5e6d4395505c6d52288936c603748a4ba3908cca28af282564

SHA512
ed51863d7c93d4da57be4c82fea31d7d30b8d141879d61b98ba7a735e33e9872014331e9788ff1ae2fb84ff5a5bbdc841332c2d15dd41fc948e0ceb136796068

Download Submit
memory/2292-1123-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/2292-239-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2292-1135-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2292-1134-0x0000000009450000-0x00000000094A0000-memory.dmp

Filesize
320KB

Download
memory/2292-1133-0x00000000093D0000-0x0000000009446000-memory.dmp

Filesize
472KB

Download
memory/2292-1132-0x0000000008D60000-0x000000000928C000-memory.dmp

Filesize
5.2MB

Download
memory/2292-1131-0x0000000008B90000-0x0000000008D52000-memory.dmp

Filesize
1.8MB

Download
memory/2292-1129-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2292-1130-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2292-1128-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2292-1127-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/2292-1126-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/2292-1124-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2292-1122-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/2292-1121-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/2292-1120-0x00000000078D0000-0x0000000007EE8000-memory.dmp

Filesize
6.1MB

Download
memory/2292-247-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2292-210-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2292-213-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2292-215-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2292-211-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2292-216-0x0000000002C60000-0x0000000002CAB000-memory.dmp

Filesize
300KB

Download
memory/2292-218-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2292-219-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2292-220-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2292-222-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2292-223-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2292-225-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2292-227-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2292-229-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2292-231-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2292-233-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2292-235-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2292-245-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2292-237-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2292-241-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2292-243-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/4296-191-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4296-168-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/4296-183-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4296-205-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/4296-204-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/4296-179-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4296-203-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/4296-201-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/4296-200-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/4296-199-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/4296-198-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/4296-197-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4296-195-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4296-181-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4296-175-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4296-189-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4296-187-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4296-177-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4296-185-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4296-167-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/4296-193-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4296-173-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4296-171-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4296-170-0x00000000070E0000-0x00000000070F2000-memory.dmp

Filesize
72KB

Download
memory/4296-169-0x00000000071F0000-0x0000000007794000-memory.dmp

Filesize
5.6MB

Download
memory/4908-161-0x0000000000E70000-0x0000000000E7A000-memory.dmp

Filesize
40KB

Download
memory/5012-1142-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/5012-1141-0x0000000000480000-0x00000000004B2000-memory.dmp

Filesize
200KB

Download