amadey | 4d9f8d0830c40386dc837601987b082e7900595dbc10b72d2f9e8b1eb9787d20

Analysis

max time kernel
136s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d9f8d0830c40386dc837601987b082e7900595dbc10b72d2f9e8b1eb9787d20.exe
Size

1.0MB
MD5

51a305cea92497f9660d0801b503963d
SHA1

419d039a8801f5ccafca269b96ad058d0d548cad
SHA256

4d9f8d0830c40386dc837601987b082e7900595dbc10b72d2f9e8b1eb9787d20
SHA512

9b8801fb4f9550bd144843101959cbac214d349595bba91fa489b460d2efd8897b6213e81efe5e3cd1dd14063bfa962aa9c99fb6160fd64d7b069c7de5b0dc93
SSDEEP

12288:rMrXy90YRoMKFxB+GZjMVfsMnfBCQOwfPmpBOrz8FmXdkHAfmOL39L6hz1rxp4rd:Uy/uMKF9ZinpCSfPSO3umiAmOL2dwXt

Score

10^/10

amadey redline renta rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

renta

176.113.115.145:4125

Attributes

auth_value
359596fd5b36e9925ade4d9a1846bafb

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bu869781.execor3313.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bu869781.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bu869781.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bu869781.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bu869781.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor3313.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor3313.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor3313.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor3313.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bu869781.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bu869781.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor3313.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor3313.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4868-208-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4868-209-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4868-211-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4868-213-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4868-217-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4868-221-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4868-223-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4868-225-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4868-227-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4868-229-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4868-231-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4868-233-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4868-235-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4868-237-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4868-239-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4868-241-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4868-243-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4868-245-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge959119.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	ge959119.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 11 IoCs

Processes:

kina6183.exekina3917.exekina3786.exebu869781.execor3313.exedUt11s99.exeen950622.exege959119.exemetafor.exemetafor.exemetafor.exe

pid	process
2828	kina6183.exe
800	kina3917.exe
4040	kina3786.exe
1244	bu869781.exe
972	cor3313.exe
4868	dUt11s99.exe
1528	en950622.exe
4656	ge959119.exe
368	metafor.exe
3416	metafor.exe
972	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bu869781.execor3313.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bu869781.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor3313.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor3313.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4d9f8d0830c40386dc837601987b082e7900595dbc10b72d2f9e8b1eb9787d20.exekina6183.exekina3917.exekina3786.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4d9f8d0830c40386dc837601987b082e7900595dbc10b72d2f9e8b1eb9787d20.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina6183.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina6183.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina3917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina3917.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina3786.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina3786.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4d9f8d0830c40386dc837601987b082e7900595dbc10b72d2f9e8b1eb9787d20.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4676 972 WerFault.exe cor3313.exe
2740 4868 WerFault.exe dUt11s99.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3972 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bu869781.execor3313.exedUt11s99.exeen950622.exe

pid process

1244 bu869781.exe
1244 bu869781.exe
972 cor3313.exe
972 cor3313.exe
4868 dUt11s99.exe
4868 dUt11s99.exe
1528 en950622.exe
1528 en950622.exe

pid	pid_target	process	target process
4676	972	WerFault.exe	cor3313.exe
2740	4868	WerFault.exe	dUt11s99.exe

pid	process
3972	schtasks.exe

pid	process
1244	bu869781.exe
1244	bu869781.exe
972	cor3313.exe
972	cor3313.exe
4868	dUt11s99.exe
4868	dUt11s99.exe
1528	en950622.exe
1528	en950622.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bu869781.execor3313.exedUt11s99.exeen950622.exe

description	pid	process
Token: SeDebugPrivilege	1244	bu869781.exe
Token: SeDebugPrivilege	972	cor3313.exe
Token: SeDebugPrivilege	4868	dUt11s99.exe
Token: SeDebugPrivilege	1528	en950622.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

4d9f8d0830c40386dc837601987b082e7900595dbc10b72d2f9e8b1eb9787d20.exekina6183.exekina3917.exekina3786.exege959119.exemetafor.execmd.exe

description	pid	process	target process
PID 4000 wrote to memory of 2828	4000	4d9f8d0830c40386dc837601987b082e7900595dbc10b72d2f9e8b1eb9787d20.exe	kina6183.exe
PID 4000 wrote to memory of 2828	4000	4d9f8d0830c40386dc837601987b082e7900595dbc10b72d2f9e8b1eb9787d20.exe	kina6183.exe
PID 4000 wrote to memory of 2828	4000	4d9f8d0830c40386dc837601987b082e7900595dbc10b72d2f9e8b1eb9787d20.exe	kina6183.exe
PID 2828 wrote to memory of 800	2828	kina6183.exe	kina3917.exe
PID 2828 wrote to memory of 800	2828	kina6183.exe	kina3917.exe
PID 2828 wrote to memory of 800	2828	kina6183.exe	kina3917.exe
PID 800 wrote to memory of 4040	800	kina3917.exe	kina3786.exe
PID 800 wrote to memory of 4040	800	kina3917.exe	kina3786.exe
PID 800 wrote to memory of 4040	800	kina3917.exe	kina3786.exe
PID 4040 wrote to memory of 1244	4040	kina3786.exe	bu869781.exe
PID 4040 wrote to memory of 1244	4040	kina3786.exe	bu869781.exe
PID 4040 wrote to memory of 972	4040	kina3786.exe	cor3313.exe
PID 4040 wrote to memory of 972	4040	kina3786.exe	cor3313.exe
PID 4040 wrote to memory of 972	4040	kina3786.exe	cor3313.exe
PID 800 wrote to memory of 4868	800	kina3917.exe	dUt11s99.exe
PID 800 wrote to memory of 4868	800	kina3917.exe	dUt11s99.exe
PID 800 wrote to memory of 4868	800	kina3917.exe	dUt11s99.exe
PID 2828 wrote to memory of 1528	2828	kina6183.exe	en950622.exe
PID 2828 wrote to memory of 1528	2828	kina6183.exe	en950622.exe
PID 2828 wrote to memory of 1528	2828	kina6183.exe	en950622.exe
PID 4000 wrote to memory of 4656	4000	4d9f8d0830c40386dc837601987b082e7900595dbc10b72d2f9e8b1eb9787d20.exe	ge959119.exe
PID 4000 wrote to memory of 4656	4000	4d9f8d0830c40386dc837601987b082e7900595dbc10b72d2f9e8b1eb9787d20.exe	ge959119.exe
PID 4000 wrote to memory of 4656	4000	4d9f8d0830c40386dc837601987b082e7900595dbc10b72d2f9e8b1eb9787d20.exe	ge959119.exe
PID 4656 wrote to memory of 368	4656	ge959119.exe	metafor.exe
PID 4656 wrote to memory of 368	4656	ge959119.exe	metafor.exe
PID 4656 wrote to memory of 368	4656	ge959119.exe	metafor.exe
PID 368 wrote to memory of 3972	368	metafor.exe	schtasks.exe
PID 368 wrote to memory of 3972	368	metafor.exe	schtasks.exe
PID 368 wrote to memory of 3972	368	metafor.exe	schtasks.exe
PID 368 wrote to memory of 1732	368	metafor.exe	cmd.exe
PID 368 wrote to memory of 1732	368	metafor.exe	cmd.exe
PID 368 wrote to memory of 1732	368	metafor.exe	cmd.exe
PID 1732 wrote to memory of 4368	1732	cmd.exe	cmd.exe
PID 1732 wrote to memory of 4368	1732	cmd.exe	cmd.exe
PID 1732 wrote to memory of 4368	1732	cmd.exe	cmd.exe
PID 1732 wrote to memory of 1744	1732	cmd.exe	cacls.exe
PID 1732 wrote to memory of 1744	1732	cmd.exe	cacls.exe
PID 1732 wrote to memory of 1744	1732	cmd.exe	cacls.exe
PID 1732 wrote to memory of 804	1732	cmd.exe	cacls.exe
PID 1732 wrote to memory of 804	1732	cmd.exe	cacls.exe
PID 1732 wrote to memory of 804	1732	cmd.exe	cacls.exe
PID 1732 wrote to memory of 4716	1732	cmd.exe	cmd.exe
PID 1732 wrote to memory of 4716	1732	cmd.exe	cmd.exe
PID 1732 wrote to memory of 4716	1732	cmd.exe	cmd.exe
PID 1732 wrote to memory of 4832	1732	cmd.exe	cacls.exe
PID 1732 wrote to memory of 4832	1732	cmd.exe	cacls.exe
PID 1732 wrote to memory of 4832	1732	cmd.exe	cacls.exe
PID 1732 wrote to memory of 1868	1732	cmd.exe	cacls.exe
PID 1732 wrote to memory of 1868	1732	cmd.exe	cacls.exe
PID 1732 wrote to memory of 1868	1732	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\4d9f8d0830c40386dc837601987b082e7900595dbc10b72d2f9e8b1eb9787d20.exe
"C:\Users\Admin\AppData\Local\Temp\4d9f8d0830c40386dc837601987b082e7900595dbc10b72d2f9e8b1eb9787d20.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina6183.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina6183.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina3917.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina3917.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina3786.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina3786.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4040
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu869781.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu869781.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3313.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3313.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 1028
        6⤵
        Program crash
        
        PID:4676
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dUt11s99.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dUt11s99.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4868
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1352
        5⤵
        Program crash
        
        PID:2740
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en950622.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en950622.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge959119.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge959119.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:368
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3972
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4368
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:N"
        5⤵
        
        PID:1744
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:R" /E
        5⤵
        
        PID:804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4716
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:N"
        5⤵
        
        PID:4832
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:R" /E
        5⤵
        
        PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 972 -ip 972
1⤵
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4868 -ip 4868
1⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:3416

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
227KB

MD5
e2c5b6a79b717ffee42e9be328c1bddc

SHA1
e352aa48a964c9e83d7be31f129d2c6575a4a97c

SHA256
49371deae12ef7b32e29bd9935e5c85248f5955adf13dd43ba4e116cc6c838b3

SHA512
2c4e715391e5e4f4be3a1ec73c7ca53bb89a57e9e5f13575c3c6d36f5398c495bb03b0ae5b6492f7eb68471be07128031227c7b2048871df1b281d63caab086c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
227KB

MD5
e2c5b6a79b717ffee42e9be328c1bddc

SHA1
e352aa48a964c9e83d7be31f129d2c6575a4a97c

SHA256
49371deae12ef7b32e29bd9935e5c85248f5955adf13dd43ba4e116cc6c838b3

SHA512
2c4e715391e5e4f4be3a1ec73c7ca53bb89a57e9e5f13575c3c6d36f5398c495bb03b0ae5b6492f7eb68471be07128031227c7b2048871df1b281d63caab086c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
227KB

MD5
e2c5b6a79b717ffee42e9be328c1bddc

SHA1
e352aa48a964c9e83d7be31f129d2c6575a4a97c

SHA256
49371deae12ef7b32e29bd9935e5c85248f5955adf13dd43ba4e116cc6c838b3

SHA512
2c4e715391e5e4f4be3a1ec73c7ca53bb89a57e9e5f13575c3c6d36f5398c495bb03b0ae5b6492f7eb68471be07128031227c7b2048871df1b281d63caab086c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
227KB

MD5
e2c5b6a79b717ffee42e9be328c1bddc

SHA1
e352aa48a964c9e83d7be31f129d2c6575a4a97c

SHA256
49371deae12ef7b32e29bd9935e5c85248f5955adf13dd43ba4e116cc6c838b3

SHA512
2c4e715391e5e4f4be3a1ec73c7ca53bb89a57e9e5f13575c3c6d36f5398c495bb03b0ae5b6492f7eb68471be07128031227c7b2048871df1b281d63caab086c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
227KB

MD5
e2c5b6a79b717ffee42e9be328c1bddc

SHA1
e352aa48a964c9e83d7be31f129d2c6575a4a97c

SHA256
49371deae12ef7b32e29bd9935e5c85248f5955adf13dd43ba4e116cc6c838b3

SHA512
2c4e715391e5e4f4be3a1ec73c7ca53bb89a57e9e5f13575c3c6d36f5398c495bb03b0ae5b6492f7eb68471be07128031227c7b2048871df1b281d63caab086c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge959119.exe

Filesize
227KB

MD5
e2c5b6a79b717ffee42e9be328c1bddc

SHA1
e352aa48a964c9e83d7be31f129d2c6575a4a97c

SHA256
49371deae12ef7b32e29bd9935e5c85248f5955adf13dd43ba4e116cc6c838b3

SHA512
2c4e715391e5e4f4be3a1ec73c7ca53bb89a57e9e5f13575c3c6d36f5398c495bb03b0ae5b6492f7eb68471be07128031227c7b2048871df1b281d63caab086c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge959119.exe

Filesize
227KB

MD5
e2c5b6a79b717ffee42e9be328c1bddc

SHA1
e352aa48a964c9e83d7be31f129d2c6575a4a97c

SHA256
49371deae12ef7b32e29bd9935e5c85248f5955adf13dd43ba4e116cc6c838b3

SHA512
2c4e715391e5e4f4be3a1ec73c7ca53bb89a57e9e5f13575c3c6d36f5398c495bb03b0ae5b6492f7eb68471be07128031227c7b2048871df1b281d63caab086c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina6183.exe

Filesize
847KB

MD5
d094a17b55f40afad17283d05d441d61

SHA1
5fb290f87599238f65856c62cf23c68b5f51b33c

SHA256
3a9e5af03cc1ffce954c697e44b885c5596d86f98e2a2d8a162b5fd77292a4a7

SHA512
927144f17e7bf229a53fe5df47700f2945890564459e34ed8763974c8b0cc177b475dbff2a2d68c1aa9c7b8c8c81c8ee893fc46509c6d17230d2281cc42f6f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina6183.exe

Filesize
847KB

MD5
d094a17b55f40afad17283d05d441d61

SHA1
5fb290f87599238f65856c62cf23c68b5f51b33c

SHA256
3a9e5af03cc1ffce954c697e44b885c5596d86f98e2a2d8a162b5fd77292a4a7

SHA512
927144f17e7bf229a53fe5df47700f2945890564459e34ed8763974c8b0cc177b475dbff2a2d68c1aa9c7b8c8c81c8ee893fc46509c6d17230d2281cc42f6f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en950622.exe

Filesize
175KB

MD5
0af4cf2beb3262a271a32ca72c72a296

SHA1
3b952827e9001aeecca5e539b8415a0314b1b957

SHA256
2d63d191369ab34fd0a4d4169503ac77812786ccd36c0429fc7a984be641b05a

SHA512
76fa0058556db7b7c0833d80e6c8161d8aa27cda4f5fbd365b03237592dc0075b2a44a09a85d2bc0831bd0fa38833af29f4ab20522695632acfd409aef405aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en950622.exe

Filesize
175KB

MD5
0af4cf2beb3262a271a32ca72c72a296

SHA1
3b952827e9001aeecca5e539b8415a0314b1b957

SHA256
2d63d191369ab34fd0a4d4169503ac77812786ccd36c0429fc7a984be641b05a

SHA512
76fa0058556db7b7c0833d80e6c8161d8aa27cda4f5fbd365b03237592dc0075b2a44a09a85d2bc0831bd0fa38833af29f4ab20522695632acfd409aef405aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina3917.exe

Filesize
705KB

MD5
b7d921ae8fcc18b50cacb995fed89b69

SHA1
ab874e4b2a354eaba1691a77481c31f741804311

SHA256
11f0a7121fd9d6085900fffa39eb4e263f5ac01091306f1f955d4aac0ce2d6f6

SHA512
e7f3b876391a9bb7c0cf90924f45d35ed94c13092b5a346e94cbb667751cefec00280da9cf2e7f0fdb300ae2a9aa41f1d84bb59eb8084ee9772764eb6e7d7875

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina3917.exe

Filesize
705KB

MD5
b7d921ae8fcc18b50cacb995fed89b69

SHA1
ab874e4b2a354eaba1691a77481c31f741804311

SHA256
11f0a7121fd9d6085900fffa39eb4e263f5ac01091306f1f955d4aac0ce2d6f6

SHA512
e7f3b876391a9bb7c0cf90924f45d35ed94c13092b5a346e94cbb667751cefec00280da9cf2e7f0fdb300ae2a9aa41f1d84bb59eb8084ee9772764eb6e7d7875

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dUt11s99.exe

Filesize
380KB

MD5
a389c925f1055410f624ea01ed58042e

SHA1
1c91fce37917e738438aeb0780e94e746ac9737a

SHA256
224c10a077d70d3fda5c6c17c1ffa1cee4da5b64c4b9657f87fbd59daaa24003

SHA512
dd8944fe0dda60421264bd24908c3305f74488857931e496128a18f8ef9c295aaf57742e482ac105db172ea8997841698b80891adee82615341cda43fe4258d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dUt11s99.exe

Filesize
380KB

MD5
a389c925f1055410f624ea01ed58042e

SHA1
1c91fce37917e738438aeb0780e94e746ac9737a

SHA256
224c10a077d70d3fda5c6c17c1ffa1cee4da5b64c4b9657f87fbd59daaa24003

SHA512
dd8944fe0dda60421264bd24908c3305f74488857931e496128a18f8ef9c295aaf57742e482ac105db172ea8997841698b80891adee82615341cda43fe4258d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina3786.exe

Filesize
349KB

MD5
87e32cd8190ad06972fa76a36487596d

SHA1
248c9bd713856b05908d6b8bfa2066e9890dfde7

SHA256
d14280118d637d0829bbc5fc1ec0e470a06356178c270fbafd616abecd48ab98

SHA512
e6b3aaa909749d4c817558d57f68e25d488dfc48a46c986fa93d6dbef5cc84809c8f231c5a01282b259161d3e3947b832251f6ef677c6a920706be54331ffd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina3786.exe

Filesize
349KB

MD5
87e32cd8190ad06972fa76a36487596d

SHA1
248c9bd713856b05908d6b8bfa2066e9890dfde7

SHA256
d14280118d637d0829bbc5fc1ec0e470a06356178c270fbafd616abecd48ab98

SHA512
e6b3aaa909749d4c817558d57f68e25d488dfc48a46c986fa93d6dbef5cc84809c8f231c5a01282b259161d3e3947b832251f6ef677c6a920706be54331ffd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu869781.exe

Filesize
11KB

MD5
b2faf09c34bf68c65658079ec016f47b

SHA1
6d4b1a4e4c024bbd34bf270d45d0c5dfb5158968

SHA256
b79b391b8381cedf87b30d56bfd915f47d1679df7778fbd74e464686db739657

SHA512
72d59d1768633c1c32d7ffd1776c6f675bd434728e06731af6df35b0a68a2f836811d4087fbd5bb0950f87d5186fefcd45bf2ec1486b9febc1c980ea9242ea7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu869781.exe

Filesize
11KB

MD5
b2faf09c34bf68c65658079ec016f47b

SHA1
6d4b1a4e4c024bbd34bf270d45d0c5dfb5158968

SHA256
b79b391b8381cedf87b30d56bfd915f47d1679df7778fbd74e464686db739657

SHA512
72d59d1768633c1c32d7ffd1776c6f675bd434728e06731af6df35b0a68a2f836811d4087fbd5bb0950f87d5186fefcd45bf2ec1486b9febc1c980ea9242ea7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3313.exe

Filesize
321KB

MD5
966cd0a982e3a46ea33da8e93d00ec5a

SHA1
62320a65998cf44c9246296982b107507eba508e

SHA256
104c37b855d9f47494aad440e72fce5096834fbbc9a02c1033b37cef2722899c

SHA512
2d804b31c37962df831c8711dcb06cbc8dc80e2e7c3a8110a18621ea6236ac3df80149f86d2f4444282358c4c5282270e685fc851701fda30110d12ce2ecc1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3313.exe

Filesize
321KB

MD5
966cd0a982e3a46ea33da8e93d00ec5a

SHA1
62320a65998cf44c9246296982b107507eba508e

SHA256
104c37b855d9f47494aad440e72fce5096834fbbc9a02c1033b37cef2722899c

SHA512
2d804b31c37962df831c8711dcb06cbc8dc80e2e7c3a8110a18621ea6236ac3df80149f86d2f4444282358c4c5282270e685fc851701fda30110d12ce2ecc1e3

Download Submit
memory/972-180-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/972-201-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/972-182-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/972-184-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/972-186-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/972-188-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/972-190-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/972-192-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/972-194-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/972-196-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/972-198-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/972-199-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/972-200-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/972-178-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/972-203-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/972-167-0x00000000072A0000-0x0000000007844000-memory.dmp

Filesize
5.6MB

Download
memory/972-176-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/972-172-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/972-174-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/972-171-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/972-170-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/972-169-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/972-168-0x0000000002C60000-0x0000000002C8D000-memory.dmp

Filesize
180KB

Download
memory/1244-161-0x00000000008D0000-0x00000000008DA000-memory.dmp

Filesize
40KB

Download
memory/1528-1140-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/1528-1139-0x0000000000770000-0x00000000007A2000-memory.dmp

Filesize
200KB

Download
memory/4868-216-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4868-225-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4868-227-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4868-229-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4868-231-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4868-233-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4868-235-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4868-237-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4868-239-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4868-241-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4868-243-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4868-245-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4868-1118-0x0000000007930000-0x0000000007F48000-memory.dmp

Filesize
6.1MB

Download
memory/4868-1119-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/4868-1120-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/4868-1121-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/4868-1122-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4868-1124-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/4868-1125-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/4868-1126-0x0000000008B80000-0x0000000008D42000-memory.dmp

Filesize
1.8MB

Download
memory/4868-1127-0x0000000008D50000-0x000000000927C000-memory.dmp

Filesize
5.2MB

Download
memory/4868-1128-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4868-1129-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4868-1130-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4868-1131-0x0000000009610000-0x0000000009686000-memory.dmp

Filesize
472KB

Download
memory/4868-1132-0x0000000009690000-0x00000000096E0000-memory.dmp

Filesize
320KB

Download
memory/4868-223-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4868-220-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4868-221-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4868-218-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4868-217-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4868-215-0x0000000002BB0000-0x0000000002BFB000-memory.dmp

Filesize
300KB

Download
memory/4868-213-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4868-211-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4868-209-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4868-208-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4868-1133-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download