Overview

overview

7

Static

static

MEMZ.exe

windows7_x64

6

MEMZ.exe

windows10-2004_x64

7

Analysis

  • max time kernel
    173s
  • max time network
    178s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    11-05-2022 20:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MEMZ.exe

  • Size

    14KB

  • MD5

    19dbec50735b5f2a72d4199c4e184960

  • SHA1

    6fed7732f7cb6f59743795b2ab154a3676f4c822

  • SHA256

    a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

  • SHA512

    aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Score
6/10
bootkitgooglepersistencephishing

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Detected potential entity reuse from brand google.
    phishinggoogle
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:616
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1808
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1056
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:940
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:880
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of WriteProcessMemory
      PID:1244
      • C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe" \note.txt
        3⤵
          PID:524
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=how+2+buy+weed
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1092
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1092 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:688

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Bootkit

    1
    T1067

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      1e350c7a82120bd21a556e1268f13842

      SHA1

      e94ae45f7fd0d78c430661a8510df0ec21447a70

      SHA256

      01e25f6d3399db25232b4887a1c23cd20a4e1bc79fefd5842e61d977442de12a

      SHA512

      59c215aa8cac60c70b199193f9e54455011f17e2b5d2a92771e2ce8a355f16b335452d23fcb9271abdc5624a71d7172d5c828e465892d2a13db399d25af1070b

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\k007hrg\imagestore.dat
      Filesize

      9KB

      MD5

      7fa8ea4341408f61b48da48fa07ed318

      SHA1

      518f42304785ff38c91a90b91ddbde6a16375d5b

      SHA256

      3fad5d57407402fb2529d4295d16e0233730c3474f4f3530869d728bbfa527e7

      SHA512

      70d9e09835c0a585cf9b89cea785049805805ef1d2f948ca604738448070e412ce03ec2907b3a990601803b5b6e125f03100109195a912a1816d14b8fe6d643d

      Download Submit
    • C:\note.txt
      Filesize

      218B

      MD5

      afa6955439b8d516721231029fb9ca1b

      SHA1

      087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

      SHA256

      8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

      SHA512

      5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

      Download Submit
    • memory/524-67-0x0000000000000000-mapping.dmp
      Download
    • memory/616-55-0x0000000000000000-mapping.dmp
      Download
    • memory/880-62-0x0000000000000000-mapping.dmp
      Download
    • memory/940-61-0x0000000000000000-mapping.dmp
      Download
    • memory/1056-59-0x0000000000000000-mapping.dmp
      Download
    • memory/1244-65-0x0000000000000000-mapping.dmp
      Download
    • memory/1256-54-0x0000000075951000-0x0000000075953000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1808-57-0x0000000000000000-mapping.dmp
      Download