redline | 98c5173f646b2657e950bf1a308dd5c3c2a55eb80e2d95855d2c5261382f236a

Analysis

max time kernel
139s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2023 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98c5173f646b2657e950bf1a308dd5c3c2a55eb80e2d95855d2c5261382f236a.exe
Size

724KB
MD5

e8034abd182e3e51f3dece8e49f37283
SHA1

94efd01ea4b8960ff59bded45925f5531c2793e3
SHA256

98c5173f646b2657e950bf1a308dd5c3c2a55eb80e2d95855d2c5261382f236a
SHA512

57a92e39d2168a4d8a4960e0f3130a11579a907d7e483488e78ddbf31e8248753b64d4dca962f47a8bd5e5395d5c4ccaee2ca1ef6acc33bf4138dd12bb6ef314
SSDEEP

12288:pMr2y90HGIvLRU0pwRZlfuzBDvMP4PZcFiVhh0bDrh4u31:TykGIvLq0iZlg4PQcSGrd1

Score

10^/10

redline maxi shore evasion infostealer persistence spyware trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.129:19068

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

shore

83.97.73.129:19068

Attributes

auth_value
3be47ce95ac58176e4771019f5179f79

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exea0112024.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a0112024.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0112024.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0112024.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0112024.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0112024.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0112024.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d4769883.exemetado.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	d4769883.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	metado.exe

Executes dropped EXE 12 IoCs

Processes:

v0311505.exev5487583.exev4448169.exea0112024.exeb0141133.exec8519615.exed4769883.exemetado.exee8196962.exemetado.exemetado.exemetado.exe

pid	process
1072	v0311505.exe
1176	v5487583.exe
1516	v4448169.exe
2916	a0112024.exe
1256	b0141133.exe
1084	c8519615.exe
4676	d4769883.exe
3472	metado.exe
4312	e8196962.exe
1980	metado.exe
4496	metado.exe
4880	metado.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3056 rundll32.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a0112024.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a0112024.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3056	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0112024.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v5487583.exev4448169.exe98c5173f646b2657e950bf1a308dd5c3c2a55eb80e2d95855d2c5261382f236a.exev0311505.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5487583.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5487583.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4448169.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v4448169.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	98c5173f646b2657e950bf1a308dd5c3c2a55eb80e2d95855d2c5261382f236a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	98c5173f646b2657e950bf1a308dd5c3c2a55eb80e2d95855d2c5261382f236a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0311505.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0311505.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

b0141133.exee8196962.exe

description	pid	process	target process
PID 1256 set thread context of 2676	1256	b0141133.exe	AppLaunch.exe
PID 4312 set thread context of 376	4312	e8196962.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2548 1256 WerFault.exe b0141133.exe
1728 1084 WerFault.exe c8519615.exe
3756 4312 WerFault.exe e8196962.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

640 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

a0112024.exeAppLaunch.exeAppLaunch.exe

pid process

2916 a0112024.exe
2916 a0112024.exe
2676 AppLaunch.exe
2676 AppLaunch.exe
376 AppLaunch.exe
376 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a0112024.exeAppLaunch.exeAppLaunch.exe

description pid process

Token: SeDebugPrivilege 2916 a0112024.exe
Token: SeDebugPrivilege 2676 AppLaunch.exe
Token: SeDebugPrivilege 376 AppLaunch.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d4769883.exe

pid process

4676 d4769883.exe

pid	pid_target	process	target process
2548	1256	WerFault.exe	b0141133.exe
1728	1084	WerFault.exe	c8519615.exe
3756	4312	WerFault.exe	e8196962.exe

pid	process
640	schtasks.exe

pid	process
2916	a0112024.exe
2916	a0112024.exe
2676	AppLaunch.exe
2676	AppLaunch.exe
376	AppLaunch.exe
376	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2916	a0112024.exe
Token: SeDebugPrivilege	2676	AppLaunch.exe
Token: SeDebugPrivilege	376	AppLaunch.exe

pid	process
4676	d4769883.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

98c5173f646b2657e950bf1a308dd5c3c2a55eb80e2d95855d2c5261382f236a.exev0311505.exev5487583.exev4448169.exeb0141133.exed4769883.exemetado.execmd.exee8196962.exe

description	pid	process	target process
PID 3568 wrote to memory of 1072	3568	98c5173f646b2657e950bf1a308dd5c3c2a55eb80e2d95855d2c5261382f236a.exe	v0311505.exe
PID 3568 wrote to memory of 1072	3568	98c5173f646b2657e950bf1a308dd5c3c2a55eb80e2d95855d2c5261382f236a.exe	v0311505.exe
PID 3568 wrote to memory of 1072	3568	98c5173f646b2657e950bf1a308dd5c3c2a55eb80e2d95855d2c5261382f236a.exe	v0311505.exe
PID 1072 wrote to memory of 1176	1072	v0311505.exe	v5487583.exe
PID 1072 wrote to memory of 1176	1072	v0311505.exe	v5487583.exe
PID 1072 wrote to memory of 1176	1072	v0311505.exe	v5487583.exe
PID 1176 wrote to memory of 1516	1176	v5487583.exe	v4448169.exe
PID 1176 wrote to memory of 1516	1176	v5487583.exe	v4448169.exe
PID 1176 wrote to memory of 1516	1176	v5487583.exe	v4448169.exe
PID 1516 wrote to memory of 2916	1516	v4448169.exe	a0112024.exe
PID 1516 wrote to memory of 2916	1516	v4448169.exe	a0112024.exe
PID 1516 wrote to memory of 1256	1516	v4448169.exe	b0141133.exe
PID 1516 wrote to memory of 1256	1516	v4448169.exe	b0141133.exe
PID 1516 wrote to memory of 1256	1516	v4448169.exe	b0141133.exe
PID 1256 wrote to memory of 2676	1256	b0141133.exe	AppLaunch.exe
PID 1256 wrote to memory of 2676	1256	b0141133.exe	AppLaunch.exe
PID 1256 wrote to memory of 2676	1256	b0141133.exe	AppLaunch.exe
PID 1256 wrote to memory of 2676	1256	b0141133.exe	AppLaunch.exe
PID 1256 wrote to memory of 2676	1256	b0141133.exe	AppLaunch.exe
PID 1176 wrote to memory of 1084	1176	v5487583.exe	c8519615.exe
PID 1176 wrote to memory of 1084	1176	v5487583.exe	c8519615.exe
PID 1176 wrote to memory of 1084	1176	v5487583.exe	c8519615.exe
PID 1072 wrote to memory of 4676	1072	v0311505.exe	d4769883.exe
PID 1072 wrote to memory of 4676	1072	v0311505.exe	d4769883.exe
PID 1072 wrote to memory of 4676	1072	v0311505.exe	d4769883.exe
PID 4676 wrote to memory of 3472	4676	d4769883.exe	metado.exe
PID 4676 wrote to memory of 3472	4676	d4769883.exe	metado.exe
PID 4676 wrote to memory of 3472	4676	d4769883.exe	metado.exe
PID 3568 wrote to memory of 4312	3568	98c5173f646b2657e950bf1a308dd5c3c2a55eb80e2d95855d2c5261382f236a.exe	e8196962.exe
PID 3568 wrote to memory of 4312	3568	98c5173f646b2657e950bf1a308dd5c3c2a55eb80e2d95855d2c5261382f236a.exe	e8196962.exe
PID 3568 wrote to memory of 4312	3568	98c5173f646b2657e950bf1a308dd5c3c2a55eb80e2d95855d2c5261382f236a.exe	e8196962.exe
PID 3472 wrote to memory of 640	3472	metado.exe	schtasks.exe
PID 3472 wrote to memory of 640	3472	metado.exe	schtasks.exe
PID 3472 wrote to memory of 640	3472	metado.exe	schtasks.exe
PID 3472 wrote to memory of 4704	3472	metado.exe	cmd.exe
PID 3472 wrote to memory of 4704	3472	metado.exe	cmd.exe
PID 3472 wrote to memory of 4704	3472	metado.exe	cmd.exe
PID 4704 wrote to memory of 3924	4704	cmd.exe	cmd.exe
PID 4704 wrote to memory of 3924	4704	cmd.exe	cmd.exe
PID 4704 wrote to memory of 3924	4704	cmd.exe	cmd.exe
PID 4704 wrote to memory of 3184	4704	cmd.exe	cacls.exe
PID 4704 wrote to memory of 3184	4704	cmd.exe	cacls.exe
PID 4704 wrote to memory of 3184	4704	cmd.exe	cacls.exe
PID 4704 wrote to memory of 2184	4704	cmd.exe	cacls.exe
PID 4704 wrote to memory of 2184	4704	cmd.exe	cacls.exe
PID 4704 wrote to memory of 2184	4704	cmd.exe	cacls.exe
PID 4704 wrote to memory of 2312	4704	cmd.exe	cmd.exe
PID 4704 wrote to memory of 2312	4704	cmd.exe	cmd.exe
PID 4704 wrote to memory of 2312	4704	cmd.exe	cmd.exe
PID 4704 wrote to memory of 3292	4704	cmd.exe	cacls.exe
PID 4704 wrote to memory of 3292	4704	cmd.exe	cacls.exe
PID 4704 wrote to memory of 3292	4704	cmd.exe	cacls.exe
PID 4312 wrote to memory of 376	4312	e8196962.exe	AppLaunch.exe
PID 4312 wrote to memory of 376	4312	e8196962.exe	AppLaunch.exe
PID 4312 wrote to memory of 376	4312	e8196962.exe	AppLaunch.exe
PID 4312 wrote to memory of 376	4312	e8196962.exe	AppLaunch.exe
PID 4312 wrote to memory of 376	4312	e8196962.exe	AppLaunch.exe
PID 4704 wrote to memory of 2300	4704	cmd.exe	cacls.exe
PID 4704 wrote to memory of 2300	4704	cmd.exe	cacls.exe
PID 4704 wrote to memory of 2300	4704	cmd.exe	cacls.exe
PID 3472 wrote to memory of 3056	3472	metado.exe	rundll32.exe
PID 3472 wrote to memory of 3056	3472	metado.exe	rundll32.exe
PID 3472 wrote to memory of 3056	3472	metado.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\98c5173f646b2657e950bf1a308dd5c3c2a55eb80e2d95855d2c5261382f236a.exe
"C:\Users\Admin\AppData\Local\Temp\98c5173f646b2657e950bf1a308dd5c3c2a55eb80e2d95855d2c5261382f236a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3568

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0311505.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0311505.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5487583.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5487583.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4448169.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4448169.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0112024.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0112024.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0141133.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0141133.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 580
6⤵
- Program crash
PID:2548

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8519615.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8519615.exe
4⤵
- Executes dropped EXE
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 928
5⤵
- Program crash
PID:1728

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d4769883.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d4769883.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4676

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metado.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe" /F
5⤵
- Creates scheduled task(s)
PID:640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metado.exe" /P "Admin:N"&&CACLS "metado.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:3924

C:\Windows\SysWOW64\cacls.exe
CACLS "metado.exe" /P "Admin:N"
6⤵
PID:3184

C:\Windows\SysWOW64\cacls.exe
CACLS "metado.exe" /P "Admin:R" /E
6⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:2312

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
6⤵
PID:3292

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
6⤵
PID:2300

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:3056

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8196962.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8196962.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 148
3⤵
- Program crash
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1256 -ip 1256
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1084 -ip 1084
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4312 -ip 4312
1⤵
PID:3520

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
1⤵
- Executes dropped EXE
PID:1980

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
1⤵
- Executes dropped EXE
PID:4496

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
1⤵
- Executes dropped EXE
PID:4880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8196962.exe
Filesize
262KB

MD5
b1b2f8233f5ff7401133afaa1de3a779

SHA1
7af77775ea110343ec851cdf9ad47e7131e347ab

SHA256
57b3dece3b8a567b6092f10d0985da8575199316a366c2a10bbb3a84b442aa58

SHA512
3fad0fe2eaf2cc169bf18bc254c08a03c5a6731b65f8948a5123c3f0019e76292de2d541fff2cec7996b5ce71a5c64b7be6b48a526a58d98989cd25065683bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8196962.exe
Filesize
262KB

MD5
b1b2f8233f5ff7401133afaa1de3a779

SHA1
7af77775ea110343ec851cdf9ad47e7131e347ab

SHA256
57b3dece3b8a567b6092f10d0985da8575199316a366c2a10bbb3a84b442aa58

SHA512
3fad0fe2eaf2cc169bf18bc254c08a03c5a6731b65f8948a5123c3f0019e76292de2d541fff2cec7996b5ce71a5c64b7be6b48a526a58d98989cd25065683bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0311505.exe
Filesize
523KB

MD5
5fd066b738a6408d1e645c017b649788

SHA1
a41da5c1905fb58e24a1dc73514092e4b8c59e41

SHA256
caf661d6a9c78640a14a19a7f1aa6389185c2a577603a7ac7333e2dd9b409503

SHA512
bd8ee38f93674857b3697e569dba25027cc0c3fff2cec1f8d48470aa9f6cb32a9b9ffb5941c030e8509dd9d8b345399f450d1d4cc74a6dcf7f18abbfc01f6699

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0311505.exe
Filesize
523KB

MD5
5fd066b738a6408d1e645c017b649788

SHA1
a41da5c1905fb58e24a1dc73514092e4b8c59e41

SHA256
caf661d6a9c78640a14a19a7f1aa6389185c2a577603a7ac7333e2dd9b409503

SHA512
bd8ee38f93674857b3697e569dba25027cc0c3fff2cec1f8d48470aa9f6cb32a9b9ffb5941c030e8509dd9d8b345399f450d1d4cc74a6dcf7f18abbfc01f6699

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d4769883.exe
Filesize
205KB

MD5
01b31bc554942d239388dba1be86a3fa

SHA1
5ebef1cbacb27420edc3aabbe4e050ff6d70bcc7

SHA256
bbd641f898b7ea7990e34dd3abbe23edd75efeea93c65ad3a85fe5c7fb4a0bbb

SHA512
186ac70fd2252bd8b415c34ba448ea627f3b70e87f4347fb0347e6be88e05ca4430d02aa0ccf22ba1576de59893d7504c7d21bc9b129512f4421e4401502ada5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d4769883.exe
Filesize
205KB

MD5
01b31bc554942d239388dba1be86a3fa

SHA1
5ebef1cbacb27420edc3aabbe4e050ff6d70bcc7

SHA256
bbd641f898b7ea7990e34dd3abbe23edd75efeea93c65ad3a85fe5c7fb4a0bbb

SHA512
186ac70fd2252bd8b415c34ba448ea627f3b70e87f4347fb0347e6be88e05ca4430d02aa0ccf22ba1576de59893d7504c7d21bc9b129512f4421e4401502ada5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5487583.exe
Filesize
351KB

MD5
dedf1c825b34fcf4600b0b3e9367cd93

SHA1
81de19a2a580e242767589aa9e72c18225256480

SHA256
a92e006d387c947118493db4a307d6a60fda9819ebb640ce1a3532f1021738f2

SHA512
b4fc36aa57846bab7835fc012220dca1933570745e708a700a6e567cfdf9d554ee12b29d47799a77b26103a0e3195a02c188b4bdfe30f585be5624d19c26a59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5487583.exe
Filesize
351KB

MD5
dedf1c825b34fcf4600b0b3e9367cd93

SHA1
81de19a2a580e242767589aa9e72c18225256480

SHA256
a92e006d387c947118493db4a307d6a60fda9819ebb640ce1a3532f1021738f2

SHA512
b4fc36aa57846bab7835fc012220dca1933570745e708a700a6e567cfdf9d554ee12b29d47799a77b26103a0e3195a02c188b4bdfe30f585be5624d19c26a59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8519615.exe
Filesize
172KB

MD5
509c2aa0afc4f1946ee36d14946d5be4

SHA1
8507d1983b0d3615140171740a7d66490bd1d310

SHA256
972c0dd330ee35bddb0ed4259e06d8250371944d52669ea866601332cd776cf8

SHA512
7e63c2072deb060fbf6a8734f0a5d417460fe8f0dbc77fc676973be1d664007fe3bb0137807c381a8938420224fcf9a63a2ce901951f7058c04e2012fb06064e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8519615.exe
Filesize
172KB

MD5
509c2aa0afc4f1946ee36d14946d5be4

SHA1
8507d1983b0d3615140171740a7d66490bd1d310

SHA256
972c0dd330ee35bddb0ed4259e06d8250371944d52669ea866601332cd776cf8

SHA512
7e63c2072deb060fbf6a8734f0a5d417460fe8f0dbc77fc676973be1d664007fe3bb0137807c381a8938420224fcf9a63a2ce901951f7058c04e2012fb06064e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4448169.exe
Filesize
196KB

MD5
3cd5b04435587816713ab954257bf37a

SHA1
8e9c90c1ffeeaa5fe6fc833763770cfc408ffc10

SHA256
8649e18db96f6ea0cc63faf959e246a852f75ed02bbca0430e514dbd84f12418

SHA512
94f15cb6d3fcf2f6159a60fd360427a748ebab91e727bc6dced40b28dd99955e2e1eb680392394082da5e2306681a90702a40611cf31531d09cad066625ba473

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4448169.exe
Filesize
196KB

MD5
3cd5b04435587816713ab954257bf37a

SHA1
8e9c90c1ffeeaa5fe6fc833763770cfc408ffc10

SHA256
8649e18db96f6ea0cc63faf959e246a852f75ed02bbca0430e514dbd84f12418

SHA512
94f15cb6d3fcf2f6159a60fd360427a748ebab91e727bc6dced40b28dd99955e2e1eb680392394082da5e2306681a90702a40611cf31531d09cad066625ba473

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0112024.exe
Filesize
11KB

MD5
4a1d105aeb13dfd1d708aca14eaa6a27

SHA1
5cf7fbb733122a2dc5703aec669d8984e4b39037

SHA256
9401af04463ec437a18cab091e4611ca085448c882f002f01d96c41c9e807512

SHA512
cd48b32b6802fc5d985f25b21ce07a65ff3f4dfe07a618a8c39f249801de3b62c5d5d80b60e50a2ac26031ea877155836fb70d122a2bd4a6d2b08e67fa2592f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0112024.exe
Filesize
11KB

MD5
4a1d105aeb13dfd1d708aca14eaa6a27

SHA1
5cf7fbb733122a2dc5703aec669d8984e4b39037

SHA256
9401af04463ec437a18cab091e4611ca085448c882f002f01d96c41c9e807512

SHA512
cd48b32b6802fc5d985f25b21ce07a65ff3f4dfe07a618a8c39f249801de3b62c5d5d80b60e50a2ac26031ea877155836fb70d122a2bd4a6d2b08e67fa2592f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0141133.exe
Filesize
100KB

MD5
2f4f763cfecf33da58b5deb6df5557c5

SHA1
c314bf7968e6abe197e629d8ac90e1dccfe35138

SHA256
136c86d64c9c3e6f75f017486f78167874bfb2a3338b8b0641b6405db898474b

SHA512
e2c978d1a892abec6dab43c30bf1da42184cb9ca021b46bf3190e289ea02aee223d4cfc764a765755f5802713c8db0fcf04b9fccb0cd3d487a8ae0e8dd1c0a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0141133.exe
Filesize
100KB

MD5
2f4f763cfecf33da58b5deb6df5557c5

SHA1
c314bf7968e6abe197e629d8ac90e1dccfe35138

SHA256
136c86d64c9c3e6f75f017486f78167874bfb2a3338b8b0641b6405db898474b

SHA512
e2c978d1a892abec6dab43c30bf1da42184cb9ca021b46bf3190e289ea02aee223d4cfc764a765755f5802713c8db0fcf04b9fccb0cd3d487a8ae0e8dd1c0a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
Filesize
205KB

MD5
01b31bc554942d239388dba1be86a3fa

SHA1
5ebef1cbacb27420edc3aabbe4e050ff6d70bcc7

SHA256
bbd641f898b7ea7990e34dd3abbe23edd75efeea93c65ad3a85fe5c7fb4a0bbb

SHA512
186ac70fd2252bd8b415c34ba448ea627f3b70e87f4347fb0347e6be88e05ca4430d02aa0ccf22ba1576de59893d7504c7d21bc9b129512f4421e4401502ada5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
Filesize
205KB

MD5
01b31bc554942d239388dba1be86a3fa

SHA1
5ebef1cbacb27420edc3aabbe4e050ff6d70bcc7

SHA256
bbd641f898b7ea7990e34dd3abbe23edd75efeea93c65ad3a85fe5c7fb4a0bbb

SHA512
186ac70fd2252bd8b415c34ba448ea627f3b70e87f4347fb0347e6be88e05ca4430d02aa0ccf22ba1576de59893d7504c7d21bc9b129512f4421e4401502ada5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
Filesize
205KB

MD5
01b31bc554942d239388dba1be86a3fa

SHA1
5ebef1cbacb27420edc3aabbe4e050ff6d70bcc7

SHA256
bbd641f898b7ea7990e34dd3abbe23edd75efeea93c65ad3a85fe5c7fb4a0bbb

SHA512
186ac70fd2252bd8b415c34ba448ea627f3b70e87f4347fb0347e6be88e05ca4430d02aa0ccf22ba1576de59893d7504c7d21bc9b129512f4421e4401502ada5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
Filesize
205KB

MD5
01b31bc554942d239388dba1be86a3fa

SHA1
5ebef1cbacb27420edc3aabbe4e050ff6d70bcc7

SHA256
bbd641f898b7ea7990e34dd3abbe23edd75efeea93c65ad3a85fe5c7fb4a0bbb

SHA512
186ac70fd2252bd8b415c34ba448ea627f3b70e87f4347fb0347e6be88e05ca4430d02aa0ccf22ba1576de59893d7504c7d21bc9b129512f4421e4401502ada5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
Filesize
205KB

MD5
01b31bc554942d239388dba1be86a3fa

SHA1
5ebef1cbacb27420edc3aabbe4e050ff6d70bcc7

SHA256
bbd641f898b7ea7990e34dd3abbe23edd75efeea93c65ad3a85fe5c7fb4a0bbb

SHA512
186ac70fd2252bd8b415c34ba448ea627f3b70e87f4347fb0347e6be88e05ca4430d02aa0ccf22ba1576de59893d7504c7d21bc9b129512f4421e4401502ada5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
Filesize
205KB

MD5
01b31bc554942d239388dba1be86a3fa

SHA1
5ebef1cbacb27420edc3aabbe4e050ff6d70bcc7

SHA256
bbd641f898b7ea7990e34dd3abbe23edd75efeea93c65ad3a85fe5c7fb4a0bbb

SHA512
186ac70fd2252bd8b415c34ba448ea627f3b70e87f4347fb0347e6be88e05ca4430d02aa0ccf22ba1576de59893d7504c7d21bc9b129512f4421e4401502ada5

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
547bae937be965d63f61d89e8eafb4a1

SHA1
85466c95625bcbb7f68aa89a367149d35f80e1fa

SHA256
015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5

SHA512
1869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
547bae937be965d63f61d89e8eafb4a1

SHA1
85466c95625bcbb7f68aa89a367149d35f80e1fa

SHA256
015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5

SHA512
1869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
547bae937be965d63f61d89e8eafb4a1

SHA1
85466c95625bcbb7f68aa89a367149d35f80e1fa

SHA256
015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5

SHA512
1869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/376-209-0x0000000005B50000-0x0000000005BA0000-memory.dmp

Filesize
320KB

Download
memory/376-202-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/376-205-0x0000000004EF0000-0x0000000004F66000-memory.dmp

Filesize
472KB

Download
memory/376-206-0x0000000005010000-0x00000000050A2000-memory.dmp

Filesize
584KB

Download
memory/376-207-0x00000000062A0000-0x0000000006844000-memory.dmp

Filesize
5.6MB

Download
memory/376-208-0x00000000050B0000-0x0000000005116000-memory.dmp

Filesize
408KB

Download
memory/376-201-0x0000000004C00000-0x0000000004C3C000-memory.dmp

Filesize
240KB

Download
memory/376-210-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/376-211-0x00000000060C0000-0x0000000006282000-memory.dmp

Filesize
1.8MB

Download
memory/376-212-0x0000000008470000-0x000000000899C000-memory.dmp

Filesize
5.2MB

Download
memory/376-200-0x0000000004A80000-0x0000000004A92000-memory.dmp

Filesize
72KB

Download
memory/376-199-0x0000000004CD0000-0x0000000004DDA000-memory.dmp

Filesize
1.0MB

Download
memory/376-198-0x00000000051E0000-0x00000000057F8000-memory.dmp

Filesize
6.1MB

Download
memory/376-193-0x00000000005C0000-0x00000000005F0000-memory.dmp

Filesize
192KB

Download
memory/1084-175-0x0000000000110000-0x0000000000140000-memory.dmp

Filesize
192KB

Download
memory/2676-167-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2916-161-0x0000000000100000-0x000000000010A000-memory.dmp

Filesize
40KB

Download