a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

General

Target

MEMZ.exe
Size

14KB
MD5

19dbec50735b5f2a72d4199c4e184960
SHA1

6fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256

a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512

aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

MEMZ.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation MEMZ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
2712	MEMZ.exe
2144	MEMZ.exe
2712	MEMZ.exe
2144	MEMZ.exe
740	MEMZ.exe
2144	MEMZ.exe
2144	MEMZ.exe
740	MEMZ.exe
2712	MEMZ.exe
2712	MEMZ.exe
2144	MEMZ.exe
2712	MEMZ.exe
2144	MEMZ.exe
2712	MEMZ.exe
740	MEMZ.exe
1160	MEMZ.exe
740	MEMZ.exe
1160	MEMZ.exe
3128	MEMZ.exe
3128	MEMZ.exe
740	MEMZ.exe
3128	MEMZ.exe
740	MEMZ.exe
3128	MEMZ.exe
1160	MEMZ.exe
1160	MEMZ.exe
2712	MEMZ.exe
2712	MEMZ.exe
2144	MEMZ.exe
2144	MEMZ.exe
2712	MEMZ.exe
1160	MEMZ.exe
1160	MEMZ.exe
2712	MEMZ.exe
3128	MEMZ.exe
740	MEMZ.exe
3128	MEMZ.exe
740	MEMZ.exe
1160	MEMZ.exe
2712	MEMZ.exe
1160	MEMZ.exe
2712	MEMZ.exe
2144	MEMZ.exe
2144	MEMZ.exe
1160	MEMZ.exe
2144	MEMZ.exe
1160	MEMZ.exe
2144	MEMZ.exe
2712	MEMZ.exe
2712	MEMZ.exe
740	MEMZ.exe
740	MEMZ.exe
3128	MEMZ.exe
3128	MEMZ.exe
2144	MEMZ.exe
2144	MEMZ.exe
2144	MEMZ.exe
3128	MEMZ.exe
2144	MEMZ.exe
3128	MEMZ.exe
2712	MEMZ.exe
740	MEMZ.exe
2712	MEMZ.exe
740	MEMZ.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

MEMZ.exe

description	pid	process	target process
PID 4756 wrote to memory of 2712	4756	MEMZ.exe	MEMZ.exe
PID 4756 wrote to memory of 2712	4756	MEMZ.exe	MEMZ.exe
PID 4756 wrote to memory of 2712	4756	MEMZ.exe	MEMZ.exe
PID 4756 wrote to memory of 2144	4756	MEMZ.exe	MEMZ.exe
PID 4756 wrote to memory of 2144	4756	MEMZ.exe	MEMZ.exe
PID 4756 wrote to memory of 2144	4756	MEMZ.exe	MEMZ.exe
PID 4756 wrote to memory of 740	4756	MEMZ.exe	MEMZ.exe
PID 4756 wrote to memory of 740	4756	MEMZ.exe	MEMZ.exe
PID 4756 wrote to memory of 740	4756	MEMZ.exe	MEMZ.exe
PID 4756 wrote to memory of 1160	4756	MEMZ.exe	MEMZ.exe
PID 4756 wrote to memory of 1160	4756	MEMZ.exe	MEMZ.exe
PID 4756 wrote to memory of 1160	4756	MEMZ.exe	MEMZ.exe
PID 4756 wrote to memory of 3128	4756	MEMZ.exe	MEMZ.exe
PID 4756 wrote to memory of 3128	4756	MEMZ.exe	MEMZ.exe
PID 4756 wrote to memory of 3128	4756	MEMZ.exe	MEMZ.exe
PID 4756 wrote to memory of 3704	4756	MEMZ.exe	MEMZ.exe
PID 4756 wrote to memory of 3704	4756	MEMZ.exe	MEMZ.exe
PID 4756 wrote to memory of 3704	4756	MEMZ.exe	MEMZ.exe

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4756

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2712

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2144

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:740

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1160

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3128

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
2⤵
PID:3704

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
3⤵
PID:4128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/740-132-0x0000000000000000-mapping.dmp

Download
memory/1160-133-0x0000000000000000-mapping.dmp

Download
memory/2144-131-0x0000000000000000-mapping.dmp

Download
memory/2712-130-0x0000000000000000-mapping.dmp

Download
memory/3128-134-0x0000000000000000-mapping.dmp

Download
memory/3704-135-0x0000000000000000-mapping.dmp

Download
memory/4128-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing