8b52641761b0f144b26ca3b27f20d9ffffed1270d2c90b9ee5dfc60c7794e502

Analysis

max time kernel
5s
max time network
45s
platform
windows7_x64
resource
win7v20210410
submitted
11-07-2021 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VineMEMZ-Original.exe
Size

39.6MB
MD5

7640b072f643d0f684d0041a99dd5492
SHA1

4aa96bde37606abab714ae7b7e6e8dc52a5454b3
SHA256

8b52641761b0f144b26ca3b27f20d9ffffed1270d2c90b9ee5dfc60c7794e502
SHA512

2988e784e4cb9151709e3f6afe1c33a28f89a55d4f7d7d3e9f7002a466648e6961f9bc1346250becc30f2c363fe5bdce2d109cc7cd7ec3c709a171a7b9865e8b

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

MEMZ.exe

pid process

1376 MEMZ.exe
Loads dropped DLL 1 IoCs

Processes:

VineMEMZ-Original.exe

pid process

1092 VineMEMZ-Original.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1376	MEMZ.exe

pid	process
1092	VineMEMZ-Original.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

VineMEMZ-Original.exe

description	pid	process	target process
PID 1092 wrote to memory of 1376	1092	VineMEMZ-Original.exe	MEMZ.exe
PID 1092 wrote to memory of 1376	1092	VineMEMZ-Original.exe	MEMZ.exe
PID 1092 wrote to memory of 1376	1092	VineMEMZ-Original.exe	MEMZ.exe
PID 1092 wrote to memory of 1376	1092	VineMEMZ-Original.exe	MEMZ.exe

C:\Users\Admin\AppData\Local\Temp\VineMEMZ-Original.exe
"C:\Users\Admin\AppData\Local\Temp\VineMEMZ-Original.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
2⤵
- Executes dropped EXE
PID:1376

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
MD5
505bce79704649f8bb695b04ef01f430

SHA1
787e714e8a0ddaaf096054dc1466540c47da273a

SHA256
deffe4e7038a0828f4ef1e3a8d9e1963a06215b213d759d239ea7d38ef1f0f0b

SHA512
f9eccd7c801cb411be765a04130c4d32234fff7b0b52cfa93064b61179598e8a729d7e6ad3e5dadb5fbc0a7741926fa55353d04ae04630cb0b35b6806f99e929

Download Submit
\Users\Admin\AppData\Local\Temp\MEMZ.exe
MD5
505bce79704649f8bb695b04ef01f430

SHA1
787e714e8a0ddaaf096054dc1466540c47da273a

SHA256
deffe4e7038a0828f4ef1e3a8d9e1963a06215b213d759d239ea7d38ef1f0f0b

SHA512
f9eccd7c801cb411be765a04130c4d32234fff7b0b52cfa93064b61179598e8a729d7e6ad3e5dadb5fbc0a7741926fa55353d04ae04630cb0b35b6806f99e929

Download Submit
memory/1092-59-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/1376-61-0x0000000000000000-mapping.dmp

Download