Analysis
- max time kernel: 5s
- max time network: 45s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 11-07-2021 18:43
Static task: static1
Behavioral task: behavioral1
- Sample: VineMEMZ-Original.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: VineMEMZ-Original.exe
- Resource: win10v20210408
General
- Target: VineMEMZ-Original.exe
- Size: 39.6MB
- MD5: 7640b072f643d0f684d0041a99dd5492
- SHA1: 4aa96bde37606abab714ae7b7e6e8dc52a5454b3
- SHA256: 8b52641761b0f144b26ca3b27f20d9ffffed1270d2c90b9ee5dfc60c7794e502
- SHA512: 2988e784e4cb9151709e3f6afe1c33a28f89a55d4f7d7d3e9f7002a466648e6961f9bc1346250becc30f2c363fe5bdce2d109cc7cd7ec3c709a171a7b9865e8b
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: MEMZ.exe (pid 1376)
- Loads dropped DLL (1 IoCs)
  Processes: VineMEMZ-Original.exe (pid 1092)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process), 4 identical events:
  PID 1092 wrote to memory of 1376 / 1092 / VineMEMZ-Original.exe / MEMZ.exe
  PID 1092 wrote to memory of 1376 / 1092 / VineMEMZ-Original.exe / MEMZ.exe
  PID 1092 wrote to memory of 1376 / 1092 / VineMEMZ-Original.exe / MEMZ.exe
  PID 1092 wrote to memory of 1376 / 1092 / VineMEMZ-Original.exe / MEMZ.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\VineMEMZ-Original.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\VineMEMZ-Original.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MEMZ.exe (depth 2, child of the above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  MD5: 505bce79704649f8bb695b04ef01f430
  SHA1: 787e714e8a0ddaaf096054dc1466540c47da273a
  SHA256: deffe4e7038a0828f4ef1e3a8d9e1963a06215b213d759d239ea7d38ef1f0f0b
  SHA512: f9eccd7c801cb411be765a04130c4d32234fff7b0b52cfa93064b61179598e8a729d7e6ad3e5dadb5fbc0a7741926fa55353d04ae04630cb0b35b6806f99e929
- \Users\Admin\AppData\Local\Temp\MEMZ.exe
  MD5: 505bce79704649f8bb695b04ef01f430
  SHA1: 787e714e8a0ddaaf096054dc1466540c47da273a
  SHA256: deffe4e7038a0828f4ef1e3a8d9e1963a06215b213d759d239ea7d38ef1f0f0b
  SHA512: f9eccd7c801cb411be765a04130c4d32234fff7b0b52cfa93064b61179598e8a729d7e6ad3e5dadb5fbc0a7741926fa55353d04ae04630cb0b35b6806f99e929
- memory/1092-59-0x0000000075A31000-0x0000000075A33000-memory.dmp
  Filesize: 8KB
- memory/1376-61-0x0000000000000000-mapping.dmp