redline | 7d2583437fb1a0405f85c0b2ecf2e57588efd4ee9b1aae95192ab7159f269cc5

Analysis

max time kernel
101s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2023 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d2583437fb1a0405f85c0b2ecf2e57588efd4ee9b1aae95192ab7159f269cc5.exe
Size

723KB
MD5

1c77561a6f8095c0e52361f25779e739
SHA1

1efc3fbcdf1c2713ae1f343ad9faf98124e08c14
SHA256

7d2583437fb1a0405f85c0b2ecf2e57588efd4ee9b1aae95192ab7159f269cc5
SHA512

064fa0349eacd37132669c9f7cdba88894ab31298a88aaef9069175b20bad124f1d79ceaea5e5aa67c9bc434fdd7133d9fad75eb7c08e09bf4d98f641c8b8244
SSDEEP

12288:BMray90iFTSGC3MfYY+TWNVZHDtswJdMUyiGSov8iewbjz8rIWgM772G2:ryuQfHuWVZHGqdRlgbj1f

Score

10^/10

redline maxi sheron discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.129:19068

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

auth_value
2d067e7e2372227d3a03b335260112e9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exea2440946.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2440946.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2440946.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2440946.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a2440946.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2440946.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2440946.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d9705859.exemetado.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	d9705859.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	metado.exe

Executes dropped EXE 11 IoCs

Processes:

v1387943.exev2915464.exev2680290.exea2440946.exeb3975171.exec7031183.exed9705859.exemetado.exee5966870.exemetado.exemetado.exe

pid	process
5060	v1387943.exe
4792	v2915464.exe
3548	v2680290.exe
444	a2440946.exe
2300	b3975171.exe
1900	c7031183.exe
3396	d9705859.exe
2672	metado.exe
1748	e5966870.exe
1276	metado.exe
4688	metado.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1908 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a2440946.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a2440946.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1908	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2440946.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v1387943.exev2915464.exev2680290.exe7d2583437fb1a0405f85c0b2ecf2e57588efd4ee9b1aae95192ab7159f269cc5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1387943.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2915464.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2915464.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2680290.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v2680290.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7d2583437fb1a0405f85c0b2ecf2e57588efd4ee9b1aae95192ab7159f269cc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7d2583437fb1a0405f85c0b2ecf2e57588efd4ee9b1aae95192ab7159f269cc5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1387943.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

b3975171.exee5966870.exe

description	pid	process	target process
PID 2300 set thread context of 1200	2300	b3975171.exe	AppLaunch.exe
PID 1748 set thread context of 3956	1748	e5966870.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4260 2300 WerFault.exe b3975171.exe
4668 1748 WerFault.exe e5966870.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

620 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

a2440946.exeAppLaunch.exec7031183.exeAppLaunch.exe

pid process

444 a2440946.exe
444 a2440946.exe
1200 AppLaunch.exe
1200 AppLaunch.exe
1900 c7031183.exe
1900 c7031183.exe
3956 AppLaunch.exe
3956 AppLaunch.exe

pid	pid_target	process	target process
4260	2300	WerFault.exe	b3975171.exe
4668	1748	WerFault.exe	e5966870.exe

pid	process
620	schtasks.exe

pid	process
444	a2440946.exe
444	a2440946.exe
1200	AppLaunch.exe
1200	AppLaunch.exe
1900	c7031183.exe
1900	c7031183.exe
3956	AppLaunch.exe
3956	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

a2440946.exeAppLaunch.exec7031183.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	444	a2440946.exe
Token: SeDebugPrivilege	1200	AppLaunch.exe
Token: SeDebugPrivilege	1900	c7031183.exe
Token: SeDebugPrivilege	3956	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d9705859.exe

pid process

3396 d9705859.exe

pid	process
3396	d9705859.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

7d2583437fb1a0405f85c0b2ecf2e57588efd4ee9b1aae95192ab7159f269cc5.exev1387943.exev2915464.exev2680290.exeb3975171.exed9705859.exemetado.execmd.exee5966870.exe

description	pid	process	target process
PID 2424 wrote to memory of 5060	2424	7d2583437fb1a0405f85c0b2ecf2e57588efd4ee9b1aae95192ab7159f269cc5.exe	v1387943.exe
PID 2424 wrote to memory of 5060	2424	7d2583437fb1a0405f85c0b2ecf2e57588efd4ee9b1aae95192ab7159f269cc5.exe	v1387943.exe
PID 2424 wrote to memory of 5060	2424	7d2583437fb1a0405f85c0b2ecf2e57588efd4ee9b1aae95192ab7159f269cc5.exe	v1387943.exe
PID 5060 wrote to memory of 4792	5060	v1387943.exe	v2915464.exe
PID 5060 wrote to memory of 4792	5060	v1387943.exe	v2915464.exe
PID 5060 wrote to memory of 4792	5060	v1387943.exe	v2915464.exe
PID 4792 wrote to memory of 3548	4792	v2915464.exe	v2680290.exe
PID 4792 wrote to memory of 3548	4792	v2915464.exe	v2680290.exe
PID 4792 wrote to memory of 3548	4792	v2915464.exe	v2680290.exe
PID 3548 wrote to memory of 444	3548	v2680290.exe	a2440946.exe
PID 3548 wrote to memory of 444	3548	v2680290.exe	a2440946.exe
PID 3548 wrote to memory of 2300	3548	v2680290.exe	b3975171.exe
PID 3548 wrote to memory of 2300	3548	v2680290.exe	b3975171.exe
PID 3548 wrote to memory of 2300	3548	v2680290.exe	b3975171.exe
PID 2300 wrote to memory of 1200	2300	b3975171.exe	AppLaunch.exe
PID 2300 wrote to memory of 1200	2300	b3975171.exe	AppLaunch.exe
PID 2300 wrote to memory of 1200	2300	b3975171.exe	AppLaunch.exe
PID 2300 wrote to memory of 1200	2300	b3975171.exe	AppLaunch.exe
PID 2300 wrote to memory of 1200	2300	b3975171.exe	AppLaunch.exe
PID 4792 wrote to memory of 1900	4792	v2915464.exe	c7031183.exe
PID 4792 wrote to memory of 1900	4792	v2915464.exe	c7031183.exe
PID 4792 wrote to memory of 1900	4792	v2915464.exe	c7031183.exe
PID 5060 wrote to memory of 3396	5060	v1387943.exe	d9705859.exe
PID 5060 wrote to memory of 3396	5060	v1387943.exe	d9705859.exe
PID 5060 wrote to memory of 3396	5060	v1387943.exe	d9705859.exe
PID 3396 wrote to memory of 2672	3396	d9705859.exe	metado.exe
PID 3396 wrote to memory of 2672	3396	d9705859.exe	metado.exe
PID 3396 wrote to memory of 2672	3396	d9705859.exe	metado.exe
PID 2424 wrote to memory of 1748	2424	7d2583437fb1a0405f85c0b2ecf2e57588efd4ee9b1aae95192ab7159f269cc5.exe	e5966870.exe
PID 2424 wrote to memory of 1748	2424	7d2583437fb1a0405f85c0b2ecf2e57588efd4ee9b1aae95192ab7159f269cc5.exe	e5966870.exe
PID 2424 wrote to memory of 1748	2424	7d2583437fb1a0405f85c0b2ecf2e57588efd4ee9b1aae95192ab7159f269cc5.exe	e5966870.exe
PID 2672 wrote to memory of 620	2672	metado.exe	schtasks.exe
PID 2672 wrote to memory of 620	2672	metado.exe	schtasks.exe
PID 2672 wrote to memory of 620	2672	metado.exe	schtasks.exe
PID 2672 wrote to memory of 3048	2672	metado.exe	cmd.exe
PID 2672 wrote to memory of 3048	2672	metado.exe	cmd.exe
PID 2672 wrote to memory of 3048	2672	metado.exe	cmd.exe
PID 3048 wrote to memory of 3788	3048	cmd.exe	cmd.exe
PID 3048 wrote to memory of 3788	3048	cmd.exe	cmd.exe
PID 3048 wrote to memory of 3788	3048	cmd.exe	cmd.exe
PID 3048 wrote to memory of 5012	3048	cmd.exe	cacls.exe
PID 3048 wrote to memory of 5012	3048	cmd.exe	cacls.exe
PID 3048 wrote to memory of 5012	3048	cmd.exe	cacls.exe
PID 3048 wrote to memory of 4352	3048	cmd.exe	cacls.exe
PID 3048 wrote to memory of 4352	3048	cmd.exe	cacls.exe
PID 3048 wrote to memory of 4352	3048	cmd.exe	cacls.exe
PID 3048 wrote to memory of 5116	3048	cmd.exe	cmd.exe
PID 3048 wrote to memory of 5116	3048	cmd.exe	cmd.exe
PID 3048 wrote to memory of 5116	3048	cmd.exe	cmd.exe
PID 3048 wrote to memory of 3076	3048	cmd.exe	cacls.exe
PID 3048 wrote to memory of 3076	3048	cmd.exe	cacls.exe
PID 3048 wrote to memory of 3076	3048	cmd.exe	cacls.exe
PID 1748 wrote to memory of 3956	1748	e5966870.exe	AppLaunch.exe
PID 1748 wrote to memory of 3956	1748	e5966870.exe	AppLaunch.exe
PID 1748 wrote to memory of 3956	1748	e5966870.exe	AppLaunch.exe
PID 1748 wrote to memory of 3956	1748	e5966870.exe	AppLaunch.exe
PID 1748 wrote to memory of 3956	1748	e5966870.exe	AppLaunch.exe
PID 3048 wrote to memory of 4192	3048	cmd.exe	cacls.exe
PID 3048 wrote to memory of 4192	3048	cmd.exe	cacls.exe
PID 3048 wrote to memory of 4192	3048	cmd.exe	cacls.exe
PID 2672 wrote to memory of 1908	2672	metado.exe	rundll32.exe
PID 2672 wrote to memory of 1908	2672	metado.exe	rundll32.exe
PID 2672 wrote to memory of 1908	2672	metado.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7d2583437fb1a0405f85c0b2ecf2e57588efd4ee9b1aae95192ab7159f269cc5.exe
"C:\Users\Admin\AppData\Local\Temp\7d2583437fb1a0405f85c0b2ecf2e57588efd4ee9b1aae95192ab7159f269cc5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2424

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1387943.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1387943.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5060

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2915464.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2915464.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4792

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2680290.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2680290.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3548

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2440946.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2440946.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3975171.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3975171.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 136
6⤵
- Program crash
PID:4260

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7031183.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7031183.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d9705859.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d9705859.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3396

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metado.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe" /F
5⤵
- Creates scheduled task(s)
PID:620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metado.exe" /P "Admin:N"&&CACLS "metado.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:3788

C:\Windows\SysWOW64\cacls.exe
CACLS "metado.exe" /P "Admin:N"
6⤵
PID:5012

C:\Windows\SysWOW64\cacls.exe
CACLS "metado.exe" /P "Admin:R" /E
6⤵
PID:4352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:5116

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
6⤵
PID:3076

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
6⤵
PID:4192

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:1908

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5966870.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5966870.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 140
3⤵
- Program crash
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2300 -ip 2300
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1748 -ip 1748
1⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
1⤵
- Executes dropped EXE
PID:1276

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
1⤵
- Executes dropped EXE
PID:4688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5966870.exe

Filesize
262KB

MD5
2934a569bc9214a04b446fa547d6fd2c

SHA1
2abd39378b6124bb1bd9e5393776a3f00a7e4fdb

SHA256
9a24fb2bfdc3c96b0a93f10ecd96c5eff8ae0c084568c1e2d4eb37c8fe29cba2

SHA512
946f9b5682656955c5c0bb8ce5e25546db9d7423879e867c9ef8782883269e53235c2e9626975430de0e873aa8458d4cf77ffc93b17eeff13f56e80b14fc66aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5966870.exe

Filesize
262KB

MD5
2934a569bc9214a04b446fa547d6fd2c

SHA1
2abd39378b6124bb1bd9e5393776a3f00a7e4fdb

SHA256
9a24fb2bfdc3c96b0a93f10ecd96c5eff8ae0c084568c1e2d4eb37c8fe29cba2

SHA512
946f9b5682656955c5c0bb8ce5e25546db9d7423879e867c9ef8782883269e53235c2e9626975430de0e873aa8458d4cf77ffc93b17eeff13f56e80b14fc66aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1387943.exe

Filesize
523KB

MD5
d5caebe4d9086bf0884bcf4417a20f59

SHA1
6a8a0abc622bac13fcb37c03387b7611820e8e1f

SHA256
5034e2dc70d3be73788c59e8fe73261213811687b0577b6bda382e588a004c88

SHA512
69a3da90a8323b4ab50ec2b90fb544ed6887127e83a26f99a806a9c722403fc1200415553fb8024ed189b112301f8ea07eff26afdc0efaf7ff7b1a7c5a013f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1387943.exe

Filesize
523KB

MD5
d5caebe4d9086bf0884bcf4417a20f59

SHA1
6a8a0abc622bac13fcb37c03387b7611820e8e1f

SHA256
5034e2dc70d3be73788c59e8fe73261213811687b0577b6bda382e588a004c88

SHA512
69a3da90a8323b4ab50ec2b90fb544ed6887127e83a26f99a806a9c722403fc1200415553fb8024ed189b112301f8ea07eff26afdc0efaf7ff7b1a7c5a013f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d9705859.exe

Filesize
206KB

MD5
ef9ae70de25136fc146c365b3e5d4ec7

SHA1
785263f290d01a3db65de354bb75c37f49206347

SHA256
4206d18ceed7a47e55745927802a4d977115e5c5ef45b5c938c9cc8be509a51a

SHA512
b3ece0ebfff4f49d40e02d971b1c88302127f151414ed46c1c531abdf328dca758367573da0e7a63649c570f30bad229c5dc7ddf3eca961a5b49a6405187390a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d9705859.exe

Filesize
206KB

MD5
ef9ae70de25136fc146c365b3e5d4ec7

SHA1
785263f290d01a3db65de354bb75c37f49206347

SHA256
4206d18ceed7a47e55745927802a4d977115e5c5ef45b5c938c9cc8be509a51a

SHA512
b3ece0ebfff4f49d40e02d971b1c88302127f151414ed46c1c531abdf328dca758367573da0e7a63649c570f30bad229c5dc7ddf3eca961a5b49a6405187390a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2915464.exe

Filesize
351KB

MD5
9d0bb31200ad06144e4974d5dc5ac3e7

SHA1
a005d56e47e23b4b81d4d3bc77950d44147d1b85

SHA256
ec7c740acf79694337f114153d5286fd66d92c43a5b9580fd0b1f8d87b7e6f64

SHA512
c222efd3f03a08708025e34fb9dd062fe8782314009cb8c6c22fbdd994ad8cdf6a5c59358f5e13682cea8b3fe99c9e6ad737865156141f45cc1bcb6bca190d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2915464.exe

Filesize
351KB

MD5
9d0bb31200ad06144e4974d5dc5ac3e7

SHA1
a005d56e47e23b4b81d4d3bc77950d44147d1b85

SHA256
ec7c740acf79694337f114153d5286fd66d92c43a5b9580fd0b1f8d87b7e6f64

SHA512
c222efd3f03a08708025e34fb9dd062fe8782314009cb8c6c22fbdd994ad8cdf6a5c59358f5e13682cea8b3fe99c9e6ad737865156141f45cc1bcb6bca190d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7031183.exe

Filesize
172KB

MD5
2e8eb606c558d410b5ff9fb37ab6a76d

SHA1
28a09e542b41ba574fd340b9908c2664b854e734

SHA256
961b228319d10b598fe0889f428e2abd414c0ca07dd98460be9417bf27195a94

SHA512
7bac0d0bffa21131e4e96f08961e6718ed86066e078d3926fbaa9afeb90bdf8af95251f6823c2a4fd686300a11a70b7c14e84d883c6e3d707a8c304b51ddad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7031183.exe

Filesize
172KB

MD5
2e8eb606c558d410b5ff9fb37ab6a76d

SHA1
28a09e542b41ba574fd340b9908c2664b854e734

SHA256
961b228319d10b598fe0889f428e2abd414c0ca07dd98460be9417bf27195a94

SHA512
7bac0d0bffa21131e4e96f08961e6718ed86066e078d3926fbaa9afeb90bdf8af95251f6823c2a4fd686300a11a70b7c14e84d883c6e3d707a8c304b51ddad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2680290.exe

Filesize
196KB

MD5
75ef1b672173b699650515113838933d

SHA1
76d83d0de4b5d0cedca7ecb1c3981cafc090f27f

SHA256
9fcd7daf2ee53b056b07b8f6c627bbebb83215505e582517df946f3717e951f1

SHA512
ef0667c79a7d123a2bdb1c369c1482bf34d072287bd15d32c9e508c4ea5f645140a8238601ff425f4e211e0b825161f8a573f3bd238519f71c9b8aa121d2024e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2680290.exe

Filesize
196KB

MD5
75ef1b672173b699650515113838933d

SHA1
76d83d0de4b5d0cedca7ecb1c3981cafc090f27f

SHA256
9fcd7daf2ee53b056b07b8f6c627bbebb83215505e582517df946f3717e951f1

SHA512
ef0667c79a7d123a2bdb1c369c1482bf34d072287bd15d32c9e508c4ea5f645140a8238601ff425f4e211e0b825161f8a573f3bd238519f71c9b8aa121d2024e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2440946.exe

Filesize
12KB

MD5
380cf683b6ce839b6007431668e8842d

SHA1
666e989816462e16b6171e1ab8e6a746503a1501

SHA256
247bf21a7312bb2f96150bf5cbc296aad794dff6d647a0aabe0e3b9c7146880d

SHA512
1c2e68f7a193f15907d21bf4187c6be041134211d96ca067a80a4c8ec008c0cd6315459ca59f0eaa1062f3ebcc71eeb98e7bedf06d576c79b4f537ee3f45b2dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2440946.exe

Filesize
12KB

MD5
380cf683b6ce839b6007431668e8842d

SHA1
666e989816462e16b6171e1ab8e6a746503a1501

SHA256
247bf21a7312bb2f96150bf5cbc296aad794dff6d647a0aabe0e3b9c7146880d

SHA512
1c2e68f7a193f15907d21bf4187c6be041134211d96ca067a80a4c8ec008c0cd6315459ca59f0eaa1062f3ebcc71eeb98e7bedf06d576c79b4f537ee3f45b2dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3975171.exe

Filesize
101KB

MD5
1a2848a4f77d36819549aaed757b323a

SHA1
b0e68d2907d63930838fed9def78f486ed5a92b8

SHA256
c81c6c4c09e7f15ecaf6bbc282054fd82577d8f6621f281bf79ecef9c703e824

SHA512
b0c4224f54e274090cc2d3d8bb0bb8b820550dd5742a08e4bb8954b95fdd379344c5ae28a210b18566bfc67bbb1f8324a79750f97375a3d95b98b475f5772cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3975171.exe

Filesize
101KB

MD5
1a2848a4f77d36819549aaed757b323a

SHA1
b0e68d2907d63930838fed9def78f486ed5a92b8

SHA256
c81c6c4c09e7f15ecaf6bbc282054fd82577d8f6621f281bf79ecef9c703e824

SHA512
b0c4224f54e274090cc2d3d8bb0bb8b820550dd5742a08e4bb8954b95fdd379344c5ae28a210b18566bfc67bbb1f8324a79750f97375a3d95b98b475f5772cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe

Filesize
206KB

MD5
ef9ae70de25136fc146c365b3e5d4ec7

SHA1
785263f290d01a3db65de354bb75c37f49206347

SHA256
4206d18ceed7a47e55745927802a4d977115e5c5ef45b5c938c9cc8be509a51a

SHA512
b3ece0ebfff4f49d40e02d971b1c88302127f151414ed46c1c531abdf328dca758367573da0e7a63649c570f30bad229c5dc7ddf3eca961a5b49a6405187390a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe

Filesize
206KB

MD5
ef9ae70de25136fc146c365b3e5d4ec7

SHA1
785263f290d01a3db65de354bb75c37f49206347

SHA256
4206d18ceed7a47e55745927802a4d977115e5c5ef45b5c938c9cc8be509a51a

SHA512
b3ece0ebfff4f49d40e02d971b1c88302127f151414ed46c1c531abdf328dca758367573da0e7a63649c570f30bad229c5dc7ddf3eca961a5b49a6405187390a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe

Filesize
206KB

MD5
ef9ae70de25136fc146c365b3e5d4ec7

SHA1
785263f290d01a3db65de354bb75c37f49206347

SHA256
4206d18ceed7a47e55745927802a4d977115e5c5ef45b5c938c9cc8be509a51a

SHA512
b3ece0ebfff4f49d40e02d971b1c88302127f151414ed46c1c531abdf328dca758367573da0e7a63649c570f30bad229c5dc7ddf3eca961a5b49a6405187390a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe

Filesize
206KB

MD5
ef9ae70de25136fc146c365b3e5d4ec7

SHA1
785263f290d01a3db65de354bb75c37f49206347

SHA256
4206d18ceed7a47e55745927802a4d977115e5c5ef45b5c938c9cc8be509a51a

SHA512
b3ece0ebfff4f49d40e02d971b1c88302127f151414ed46c1c531abdf328dca758367573da0e7a63649c570f30bad229c5dc7ddf3eca961a5b49a6405187390a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe

Filesize
206KB

MD5
ef9ae70de25136fc146c365b3e5d4ec7

SHA1
785263f290d01a3db65de354bb75c37f49206347

SHA256
4206d18ceed7a47e55745927802a4d977115e5c5ef45b5c938c9cc8be509a51a

SHA512
b3ece0ebfff4f49d40e02d971b1c88302127f151414ed46c1c531abdf328dca758367573da0e7a63649c570f30bad229c5dc7ddf3eca961a5b49a6405187390a

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
547bae937be965d63f61d89e8eafb4a1

SHA1
85466c95625bcbb7f68aa89a367149d35f80e1fa

SHA256
015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5

SHA512
1869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
547bae937be965d63f61d89e8eafb4a1

SHA1
85466c95625bcbb7f68aa89a367149d35f80e1fa

SHA256
015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5

SHA512
1869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
547bae937be965d63f61d89e8eafb4a1

SHA1
85466c95625bcbb7f68aa89a367149d35f80e1fa

SHA256
015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5

SHA512
1869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/444-161-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download
memory/1200-167-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1900-181-0x000000000A3B0000-0x000000000A426000-memory.dmp

Filesize
472KB

Download
memory/1900-182-0x000000000AB40000-0x000000000ABD2000-memory.dmp

Filesize
584KB

Download
memory/1900-187-0x000000000BE40000-0x000000000C36C000-memory.dmp

Filesize
5.2MB

Download
memory/1900-186-0x000000000B740000-0x000000000B902000-memory.dmp

Filesize
1.8MB

Download
memory/1900-189-0x000000000B100000-0x000000000B150000-memory.dmp

Filesize
320KB

Download
memory/1900-183-0x000000000B190000-0x000000000B734000-memory.dmp

Filesize
5.6MB

Download
memory/1900-188-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/1900-175-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download
memory/1900-184-0x000000000ABE0000-0x000000000AC46000-memory.dmp

Filesize
408KB

Download
memory/1900-176-0x000000000A480000-0x000000000AA98000-memory.dmp

Filesize
6.1MB

Download
memory/1900-180-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/1900-179-0x0000000009FA0000-0x0000000009FDC000-memory.dmp

Filesize
240KB

Download
memory/1900-178-0x0000000009F40000-0x0000000009F52000-memory.dmp

Filesize
72KB

Download
memory/1900-177-0x000000000A000000-0x000000000A10A000-memory.dmp

Filesize
1.0MB

Download
memory/3956-214-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/3956-208-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download