redline | b1712131bb0536845ebf4a8a37ded6ba1c4919a161279c4374ab372c64ea9cb6

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2023 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1712131bb0536845ebf4a8a37ded6ba1c4919a161279c4374ab372c64ea9cb6.exe
Size

736KB
MD5

49f0fbaac9c826e914e98a1d8bd51d15
SHA1

353110885a8003425d369d4d8495301d8e65b5b1
SHA256

b1712131bb0536845ebf4a8a37ded6ba1c4919a161279c4374ab372c64ea9cb6
SHA512

b9d6f3221efd550a384eb23d20c85a29c5bc59e1543f2cd6b2396f00a3d9cf6dca7b8dbf82342163aac4cc7f1c46d0c03b1892b7aedbd9901683235f68b27a92
SSDEEP

12288:6Mrmy902i9+v0Es5WLaoY0jfWT3Lycf+IGF0fROu+YLa3sd8ZAciq6/S:oyznvm5WLZfW2NITfzvCsd8p4S

Score

10^/10

redline maxi metro evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.126:19048

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

metro

83.97.73.126:19048

Attributes

auth_value
f7fd4aa816bdbaad933b45b51d9b6b1a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a3009070.exeAppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3009070.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a3009070.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3009070.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a3009070.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a3009070.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3009070.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d0115518.exemetado.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	d0115518.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	metado.exe

Executes dropped EXE 11 IoCs

Processes:

v1774662.exev1656087.exev1330091.exea3009070.exeb9133797.exec1949446.exed0115518.exemetado.exee5532363.exemetado.exemetado.exe

pid	process
1980	v1774662.exe
4228	v1656087.exe
1152	v1330091.exe
1924	a3009070.exe
4660	b9133797.exe
112	c1949446.exe
2556	d0115518.exe
3836	metado.exe
3712	e5532363.exe
2892	metado.exe
4072	metado.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

5080 rundll32.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a3009070.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a3009070.exe

pid	process
5080	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3009070.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v1330091.exeb1712131bb0536845ebf4a8a37ded6ba1c4919a161279c4374ab372c64ea9cb6.exev1774662.exev1656087.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1330091.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1330091.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b1712131bb0536845ebf4a8a37ded6ba1c4919a161279c4374ab372c64ea9cb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b1712131bb0536845ebf4a8a37ded6ba1c4919a161279c4374ab372c64ea9cb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1774662.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1774662.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1656087.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1656087.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

b9133797.exee5532363.exe

description	pid	process	target process
PID 4660 set thread context of 4636	4660	b9133797.exe	AppLaunch.exe
PID 3712 set thread context of 404	3712	e5532363.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4212 4660 WerFault.exe b9133797.exe
4912 112 WerFault.exe c1949446.exe
5004 3712 WerFault.exe e5532363.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3420 schtasks.exe

pid	pid_target	process	target process
4212	4660	WerFault.exe	b9133797.exe
4912	112	WerFault.exe	c1949446.exe
5004	3712	WerFault.exe	e5532363.exe

pid	process
3420	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

a3009070.exeAppLaunch.exeAppLaunch.exe

pid	process
1924	a3009070.exe
1924	a3009070.exe
4636	AppLaunch.exe
4636	AppLaunch.exe
404	AppLaunch.exe
404	AppLaunch.exe
404	AppLaunch.exe
404	AppLaunch.exe
404	AppLaunch.exe
404	AppLaunch.exe
404	AppLaunch.exe
404	AppLaunch.exe
404	AppLaunch.exe
404	AppLaunch.exe
404	AppLaunch.exe
404	AppLaunch.exe
404	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a3009070.exeAppLaunch.exeAppLaunch.exe

description pid process

Token: SeDebugPrivilege 1924 a3009070.exe
Token: SeDebugPrivilege 4636 AppLaunch.exe
Token: SeDebugPrivilege 404 AppLaunch.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d0115518.exe

pid process

2556 d0115518.exe

description	pid	process
Token: SeDebugPrivilege	1924	a3009070.exe
Token: SeDebugPrivilege	4636	AppLaunch.exe
Token: SeDebugPrivilege	404	AppLaunch.exe

pid	process
2556	d0115518.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

b1712131bb0536845ebf4a8a37ded6ba1c4919a161279c4374ab372c64ea9cb6.exev1774662.exev1656087.exev1330091.exeb9133797.exed0115518.exemetado.execmd.exee5532363.exe

description	pid	process	target process
PID 4708 wrote to memory of 1980	4708	b1712131bb0536845ebf4a8a37ded6ba1c4919a161279c4374ab372c64ea9cb6.exe	v1774662.exe
PID 4708 wrote to memory of 1980	4708	b1712131bb0536845ebf4a8a37ded6ba1c4919a161279c4374ab372c64ea9cb6.exe	v1774662.exe
PID 4708 wrote to memory of 1980	4708	b1712131bb0536845ebf4a8a37ded6ba1c4919a161279c4374ab372c64ea9cb6.exe	v1774662.exe
PID 1980 wrote to memory of 4228	1980	v1774662.exe	v1656087.exe
PID 1980 wrote to memory of 4228	1980	v1774662.exe	v1656087.exe
PID 1980 wrote to memory of 4228	1980	v1774662.exe	v1656087.exe
PID 4228 wrote to memory of 1152	4228	v1656087.exe	v1330091.exe
PID 4228 wrote to memory of 1152	4228	v1656087.exe	v1330091.exe
PID 4228 wrote to memory of 1152	4228	v1656087.exe	v1330091.exe
PID 1152 wrote to memory of 1924	1152	v1330091.exe	a3009070.exe
PID 1152 wrote to memory of 1924	1152	v1330091.exe	a3009070.exe
PID 1152 wrote to memory of 4660	1152	v1330091.exe	b9133797.exe
PID 1152 wrote to memory of 4660	1152	v1330091.exe	b9133797.exe
PID 1152 wrote to memory of 4660	1152	v1330091.exe	b9133797.exe
PID 4660 wrote to memory of 4636	4660	b9133797.exe	AppLaunch.exe
PID 4660 wrote to memory of 4636	4660	b9133797.exe	AppLaunch.exe
PID 4660 wrote to memory of 4636	4660	b9133797.exe	AppLaunch.exe
PID 4660 wrote to memory of 4636	4660	b9133797.exe	AppLaunch.exe
PID 4660 wrote to memory of 4636	4660	b9133797.exe	AppLaunch.exe
PID 4228 wrote to memory of 112	4228	v1656087.exe	c1949446.exe
PID 4228 wrote to memory of 112	4228	v1656087.exe	c1949446.exe
PID 4228 wrote to memory of 112	4228	v1656087.exe	c1949446.exe
PID 1980 wrote to memory of 2556	1980	v1774662.exe	d0115518.exe
PID 1980 wrote to memory of 2556	1980	v1774662.exe	d0115518.exe
PID 1980 wrote to memory of 2556	1980	v1774662.exe	d0115518.exe
PID 2556 wrote to memory of 3836	2556	d0115518.exe	metado.exe
PID 2556 wrote to memory of 3836	2556	d0115518.exe	metado.exe
PID 2556 wrote to memory of 3836	2556	d0115518.exe	metado.exe
PID 4708 wrote to memory of 3712	4708	b1712131bb0536845ebf4a8a37ded6ba1c4919a161279c4374ab372c64ea9cb6.exe	e5532363.exe
PID 4708 wrote to memory of 3712	4708	b1712131bb0536845ebf4a8a37ded6ba1c4919a161279c4374ab372c64ea9cb6.exe	e5532363.exe
PID 4708 wrote to memory of 3712	4708	b1712131bb0536845ebf4a8a37ded6ba1c4919a161279c4374ab372c64ea9cb6.exe	e5532363.exe
PID 3836 wrote to memory of 3420	3836	metado.exe	schtasks.exe
PID 3836 wrote to memory of 3420	3836	metado.exe	schtasks.exe
PID 3836 wrote to memory of 3420	3836	metado.exe	schtasks.exe
PID 3836 wrote to memory of 1324	3836	metado.exe	cmd.exe
PID 3836 wrote to memory of 1324	3836	metado.exe	cmd.exe
PID 3836 wrote to memory of 1324	3836	metado.exe	cmd.exe
PID 1324 wrote to memory of 3320	1324	cmd.exe	cmd.exe
PID 1324 wrote to memory of 3320	1324	cmd.exe	cmd.exe
PID 1324 wrote to memory of 3320	1324	cmd.exe	cmd.exe
PID 1324 wrote to memory of 2824	1324	cmd.exe	cacls.exe
PID 1324 wrote to memory of 2824	1324	cmd.exe	cacls.exe
PID 1324 wrote to memory of 2824	1324	cmd.exe	cacls.exe
PID 1324 wrote to memory of 3360	1324	cmd.exe	cacls.exe
PID 1324 wrote to memory of 3360	1324	cmd.exe	cacls.exe
PID 1324 wrote to memory of 3360	1324	cmd.exe	cacls.exe
PID 1324 wrote to memory of 3444	1324	cmd.exe	cmd.exe
PID 1324 wrote to memory of 3444	1324	cmd.exe	cmd.exe
PID 1324 wrote to memory of 3444	1324	cmd.exe	cmd.exe
PID 1324 wrote to memory of 384	1324	cmd.exe	cacls.exe
PID 1324 wrote to memory of 384	1324	cmd.exe	cacls.exe
PID 1324 wrote to memory of 384	1324	cmd.exe	cacls.exe
PID 3712 wrote to memory of 404	3712	e5532363.exe	AppLaunch.exe
PID 3712 wrote to memory of 404	3712	e5532363.exe	AppLaunch.exe
PID 3712 wrote to memory of 404	3712	e5532363.exe	AppLaunch.exe
PID 3712 wrote to memory of 404	3712	e5532363.exe	AppLaunch.exe
PID 3712 wrote to memory of 404	3712	e5532363.exe	AppLaunch.exe
PID 1324 wrote to memory of 2536	1324	cmd.exe	cacls.exe
PID 1324 wrote to memory of 2536	1324	cmd.exe	cacls.exe
PID 1324 wrote to memory of 2536	1324	cmd.exe	cacls.exe
PID 3836 wrote to memory of 5080	3836	metado.exe	rundll32.exe
PID 3836 wrote to memory of 5080	3836	metado.exe	rundll32.exe
PID 3836 wrote to memory of 5080	3836	metado.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\b1712131bb0536845ebf4a8a37ded6ba1c4919a161279c4374ab372c64ea9cb6.exe
"C:\Users\Admin\AppData\Local\Temp\b1712131bb0536845ebf4a8a37ded6ba1c4919a161279c4374ab372c64ea9cb6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4708

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1774662.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1774662.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1656087.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1656087.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4228

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1330091.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1330091.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3009070.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3009070.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9133797.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9133797.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 140
6⤵
- Program crash
PID:4212

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1949446.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1949446.exe
4⤵
- Executes dropped EXE
PID:112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 928
5⤵
- Program crash
PID:4912

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0115518.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0115518.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2556

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metado.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe" /F
5⤵
- Creates scheduled task(s)
PID:3420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metado.exe" /P "Admin:N"&&CACLS "metado.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:3320

C:\Windows\SysWOW64\cacls.exe
CACLS "metado.exe" /P "Admin:N"
6⤵
PID:2824

C:\Windows\SysWOW64\cacls.exe
CACLS "metado.exe" /P "Admin:R" /E
6⤵
PID:3360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:3444

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
6⤵
PID:384

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
6⤵
PID:2536

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:5080

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5532363.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5532363.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 568
3⤵
- Program crash
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4660 -ip 4660
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 112 -ip 112
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3712 -ip 3712
1⤵
PID:3968

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
1⤵
- Executes dropped EXE
PID:2892

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
1⤵
- Executes dropped EXE
PID:4072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5532363.exe
Filesize
279KB

MD5
487852c7e6a3c65ada79f2c2198691f6

SHA1
fa2bcd903dae308e44fb6f4defda9265a3d1e475

SHA256
dfe4f1e5ed75d6f8e9be63c80466e255aa644e291a55b9e19c4b4faf17009b8d

SHA512
980ee9bad65b13ad207e78d77107fc1cc82a74d2672847ef966fb758a0961170688d2e585384f2633e96f7529250bc07a2a5b15b910d423a78b00ec47d9249b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5532363.exe
Filesize
279KB

MD5
487852c7e6a3c65ada79f2c2198691f6

SHA1
fa2bcd903dae308e44fb6f4defda9265a3d1e475

SHA256
dfe4f1e5ed75d6f8e9be63c80466e255aa644e291a55b9e19c4b4faf17009b8d

SHA512
980ee9bad65b13ad207e78d77107fc1cc82a74d2672847ef966fb758a0961170688d2e585384f2633e96f7529250bc07a2a5b15b910d423a78b00ec47d9249b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1774662.exe
Filesize
530KB

MD5
0d2fe558e1b46d35aa8b040a5c3057d9

SHA1
dd7d3efb7d001fc2fd49eba85f2cc0df8c66de64

SHA256
3756252707cec50ae55b798078a97dfff6f65eab386006ecc68bce06f57af484

SHA512
e6d6f7e245a8c66d77bdc8ab7c6ab4600d5d0766e3108c66caaf69b92c3649c98df690bd9bf70554cd447ba2d623111050fde404853400556baae8707773f04c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1774662.exe
Filesize
530KB

MD5
0d2fe558e1b46d35aa8b040a5c3057d9

SHA1
dd7d3efb7d001fc2fd49eba85f2cc0df8c66de64

SHA256
3756252707cec50ae55b798078a97dfff6f65eab386006ecc68bce06f57af484

SHA512
e6d6f7e245a8c66d77bdc8ab7c6ab4600d5d0766e3108c66caaf69b92c3649c98df690bd9bf70554cd447ba2d623111050fde404853400556baae8707773f04c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0115518.exe
Filesize
219KB

MD5
9c4de29f1e2f9f1af7b5b19161add69e

SHA1
82122f673436040b76ff9dd9bfc8b1ac7727d882

SHA256
cff02d3c78a09afe3f0032ed06a9a6af80cb24ac08afc8ff4ac43dbe88114551

SHA512
b2e63d568ffc96926018dbb060853ff7dcd9ffeb094dda63ba05cf3816519edd9f1e9b753c9aa6ce6cd814acd49a36992d2ac4e5482626abc0a5ff048725ecf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0115518.exe
Filesize
219KB

MD5
9c4de29f1e2f9f1af7b5b19161add69e

SHA1
82122f673436040b76ff9dd9bfc8b1ac7727d882

SHA256
cff02d3c78a09afe3f0032ed06a9a6af80cb24ac08afc8ff4ac43dbe88114551

SHA512
b2e63d568ffc96926018dbb060853ff7dcd9ffeb094dda63ba05cf3816519edd9f1e9b753c9aa6ce6cd814acd49a36992d2ac4e5482626abc0a5ff048725ecf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1656087.exe
Filesize
357KB

MD5
9f61caec88dd741441a41c3646d5622f

SHA1
385126075c418a5893b55602b24228110104a11a

SHA256
ab25641cf2114f309e838c36a3438fbb7dc842aad59a3a1ad7f0125e3f5d94dd

SHA512
97cc825413a50ed6fa9884dfdd2516404a815a4f744892bbabc206cf19e0360e318e870890dd6a62cba0641b279aa5c904540bfde89a2f8164f80fb9c5f1c19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1656087.exe
Filesize
357KB

MD5
9f61caec88dd741441a41c3646d5622f

SHA1
385126075c418a5893b55602b24228110104a11a

SHA256
ab25641cf2114f309e838c36a3438fbb7dc842aad59a3a1ad7f0125e3f5d94dd

SHA512
97cc825413a50ed6fa9884dfdd2516404a815a4f744892bbabc206cf19e0360e318e870890dd6a62cba0641b279aa5c904540bfde89a2f8164f80fb9c5f1c19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1949446.exe
Filesize
172KB

MD5
c2291035ba3ae83435f8653f4f4f8f48

SHA1
afaed2b8bc6a4dbe9b86992d569b9e56cf180daa

SHA256
2e200de33c10607db2acebc77431993f62f2e6373456b1c122153cfa32ac446a

SHA512
7393eece063d6ccb7852a34ffbb7e9f67c322ba3a65b4b075a39b91dee456749500f25dbf75206d0ab95a513ae6067303091a00be53542a670cfb3a2fd8f3d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1949446.exe
Filesize
172KB

MD5
c2291035ba3ae83435f8653f4f4f8f48

SHA1
afaed2b8bc6a4dbe9b86992d569b9e56cf180daa

SHA256
2e200de33c10607db2acebc77431993f62f2e6373456b1c122153cfa32ac446a

SHA512
7393eece063d6ccb7852a34ffbb7e9f67c322ba3a65b4b075a39b91dee456749500f25dbf75206d0ab95a513ae6067303091a00be53542a670cfb3a2fd8f3d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1330091.exe
Filesize
202KB

MD5
4c168715833190eb7b4c14ea27956e25

SHA1
6bce0c32bd1baecce14b3e8e3d2d03f4189427d7

SHA256
7f9975ddf745f5ad1db74087f1bb498837bb7db9db1c379f5e2e64212d14a2de

SHA512
59cde293cd5c09073ad9275bed196907c7de0aa2160ccfbcad384c204172983847d28a3bc7e396ebeb8cd5c0ce08cab27928d91d7144962d5c7b1a2d56d5438e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1330091.exe
Filesize
202KB

MD5
4c168715833190eb7b4c14ea27956e25

SHA1
6bce0c32bd1baecce14b3e8e3d2d03f4189427d7

SHA256
7f9975ddf745f5ad1db74087f1bb498837bb7db9db1c379f5e2e64212d14a2de

SHA512
59cde293cd5c09073ad9275bed196907c7de0aa2160ccfbcad384c204172983847d28a3bc7e396ebeb8cd5c0ce08cab27928d91d7144962d5c7b1a2d56d5438e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3009070.exe
Filesize
12KB

MD5
19ace7c4d1557e0d37599e2a35a58699

SHA1
5c0e14e7346cfacf48752802a3c57755eaa17265

SHA256
bdae0fac56ee135b3e736fb6db8a9199e4c9de6e9dfc0dfb6889897bf1711de8

SHA512
a88ee988989bbbe304d4b52869827e3d4521567f1daa8e5659bf9d48d416288d62628d1be1991bb9c0b29215aade16cff1b1a67bd231c5eb193843e94ba8ea87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3009070.exe
Filesize
12KB

MD5
19ace7c4d1557e0d37599e2a35a58699

SHA1
5c0e14e7346cfacf48752802a3c57755eaa17265

SHA256
bdae0fac56ee135b3e736fb6db8a9199e4c9de6e9dfc0dfb6889897bf1711de8

SHA512
a88ee988989bbbe304d4b52869827e3d4521567f1daa8e5659bf9d48d416288d62628d1be1991bb9c0b29215aade16cff1b1a67bd231c5eb193843e94ba8ea87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9133797.exe
Filesize
117KB

MD5
88fe4261fbf12523dd6932e9099271bb

SHA1
794dfb564c722ebdc19a80e4fe5fea8c8f725920

SHA256
5c012261c47a5553988f32b8e8199acb865f820896321a546fa6e9b84039754b

SHA512
808cb7a77300bcd981c15b866aa9041b7c57d9d6fa802f81ccfe60e5c288a4bb4d5900de44b9ace80120b74ab758454ae0f58f6ff8f1ebf2e09da5d230ef0ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9133797.exe
Filesize
117KB

MD5
88fe4261fbf12523dd6932e9099271bb

SHA1
794dfb564c722ebdc19a80e4fe5fea8c8f725920

SHA256
5c012261c47a5553988f32b8e8199acb865f820896321a546fa6e9b84039754b

SHA512
808cb7a77300bcd981c15b866aa9041b7c57d9d6fa802f81ccfe60e5c288a4bb4d5900de44b9ace80120b74ab758454ae0f58f6ff8f1ebf2e09da5d230ef0ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
Filesize
219KB

MD5
9c4de29f1e2f9f1af7b5b19161add69e

SHA1
82122f673436040b76ff9dd9bfc8b1ac7727d882

SHA256
cff02d3c78a09afe3f0032ed06a9a6af80cb24ac08afc8ff4ac43dbe88114551

SHA512
b2e63d568ffc96926018dbb060853ff7dcd9ffeb094dda63ba05cf3816519edd9f1e9b753c9aa6ce6cd814acd49a36992d2ac4e5482626abc0a5ff048725ecf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
Filesize
219KB

MD5
9c4de29f1e2f9f1af7b5b19161add69e

SHA1
82122f673436040b76ff9dd9bfc8b1ac7727d882

SHA256
cff02d3c78a09afe3f0032ed06a9a6af80cb24ac08afc8ff4ac43dbe88114551

SHA512
b2e63d568ffc96926018dbb060853ff7dcd9ffeb094dda63ba05cf3816519edd9f1e9b753c9aa6ce6cd814acd49a36992d2ac4e5482626abc0a5ff048725ecf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
Filesize
219KB

MD5
9c4de29f1e2f9f1af7b5b19161add69e

SHA1
82122f673436040b76ff9dd9bfc8b1ac7727d882

SHA256
cff02d3c78a09afe3f0032ed06a9a6af80cb24ac08afc8ff4ac43dbe88114551

SHA512
b2e63d568ffc96926018dbb060853ff7dcd9ffeb094dda63ba05cf3816519edd9f1e9b753c9aa6ce6cd814acd49a36992d2ac4e5482626abc0a5ff048725ecf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
Filesize
219KB

MD5
9c4de29f1e2f9f1af7b5b19161add69e

SHA1
82122f673436040b76ff9dd9bfc8b1ac7727d882

SHA256
cff02d3c78a09afe3f0032ed06a9a6af80cb24ac08afc8ff4ac43dbe88114551

SHA512
b2e63d568ffc96926018dbb060853ff7dcd9ffeb094dda63ba05cf3816519edd9f1e9b753c9aa6ce6cd814acd49a36992d2ac4e5482626abc0a5ff048725ecf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
Filesize
219KB

MD5
9c4de29f1e2f9f1af7b5b19161add69e

SHA1
82122f673436040b76ff9dd9bfc8b1ac7727d882

SHA256
cff02d3c78a09afe3f0032ed06a9a6af80cb24ac08afc8ff4ac43dbe88114551

SHA512
b2e63d568ffc96926018dbb060853ff7dcd9ffeb094dda63ba05cf3816519edd9f1e9b753c9aa6ce6cd814acd49a36992d2ac4e5482626abc0a5ff048725ecf0

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
547bae937be965d63f61d89e8eafb4a1

SHA1
85466c95625bcbb7f68aa89a367149d35f80e1fa

SHA256
015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5

SHA512
1869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
547bae937be965d63f61d89e8eafb4a1

SHA1
85466c95625bcbb7f68aa89a367149d35f80e1fa

SHA256
015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5

SHA512
1869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
547bae937be965d63f61d89e8eafb4a1

SHA1
85466c95625bcbb7f68aa89a367149d35f80e1fa

SHA256
015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5

SHA512
1869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/112-175-0x0000000000790000-0x00000000007C0000-memory.dmp

Filesize
192KB

Download
memory/404-204-0x00000000057B0000-0x0000000005826000-memory.dmp

Filesize
472KB

Download
memory/404-209-0x00000000053C0000-0x0000000005410000-memory.dmp

Filesize
320KB

Download
memory/404-201-0x00000000054B0000-0x00000000054EC000-memory.dmp

Filesize
240KB

Download
memory/404-205-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/404-206-0x0000000006B50000-0x00000000070F4000-memory.dmp

Filesize
5.6MB

Download
memory/404-207-0x00000000060B0000-0x0000000006116000-memory.dmp

Filesize
408KB

Download
memory/404-208-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/404-202-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/404-210-0x0000000006970000-0x0000000006B32000-memory.dmp

Filesize
1.8MB

Download
memory/404-211-0x0000000008D20000-0x000000000924C000-memory.dmp

Filesize
5.2MB

Download
memory/404-200-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/404-199-0x0000000005580000-0x000000000568A000-memory.dmp

Filesize
1.0MB

Download
memory/404-198-0x0000000005A90000-0x00000000060A8000-memory.dmp

Filesize
6.1MB

Download
memory/404-193-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1924-161-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/4636-167-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download