Analysis

  • max time kernel
    152s
  • max time network
    165s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 04:52

General

  • Target

    MEMZ-master/MEMZ.exe

  • Size

    16KB

  • MD5

    1d5ad9c8d3fee874d0feb8bfac220a11

  • SHA1

    ca6d3f7e6c784155f664a9179ca64e4034df9595

  • SHA256

    3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

  • SHA512

    c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Score
6/10

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1252
    • C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1316
    • C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1276
    • C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1732
    • C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1660
    • C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ-master\MEMZ.exe" /main
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe" \note.txt
        3⤵
          PID:952
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://pcoptimizerpro.com/
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:460
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:460 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1040

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Bootkit (T1067)
  • Defense Evasion: Modify Registry (T1112)
  • Discovery: System Information Discovery (T1082)


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 60KB
    MD5: b9f21d8db36e88831e5352bb82c438b3
    SHA1: 4a3c330954f9f65a2f5fd7e55800e46ce228a3e2
    SHA256: 998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e
    SHA512: d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 9150750b33caef8f1bcdd8189421e7f8
    SHA1: c5632ace577109cf7f5f8881faecfffbca9e50c4
    SHA256: 0c81374808f2c0ee9174f902c2c54d57b5e211b618380b1a220ab834df499644
    SHA512: ad45f29dfbdbf01dd9b0e84da0151c28456fa7a0fbed6977f92420a64ea6112e44d64537cedb8ffa8df61f65de5bae8c6709f413ad39717dfd5a14d6d2cba2c9

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9os4y76\imagestore.dat
    Filesize: 8KB
    MD5: debf957ca39e43804cf9d798adfac3b8
    SHA1: 819d7d20daa257c5fc7e5352ee2bf715e36922ca
    SHA256: 11a72f187a588e4a5a310088e54ca3852ae089401e68aa960672b6cd2fcc1fc2
    SHA512: fe134fa32d16c8b4292da3270715ab849de2542d2b522d7f82cd55fd88474de9a4dbdf3a63b79db37dd672dfb126272c6c3eb4522bb0ef4f9c9019a1ce6db8c3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8LPCM7R7.txt
    Filesize: 603B
    MD5: 14beabbc2549f26885e9cffa378aeca8
    SHA1: 8ce87da0567f2547a3cd0c0ee01e142913a6e27d
    SHA256: 79c0fe658aae5dd004bcb27ba444d688a8f73689e879c49669e8608ae6e334e1
    SHA512: 3e74045febd1e9b64d559d7a3efbd99881f97b3d692951f6909aaf0a35570d47237186a3fd9232b0cfb7f6e3ea5c6164d02eee2c7b2515ad079e6e3b5cfd9f35

  • C:\note.txt
    Filesize: 218B
    MD5: afa6955439b8d516721231029fb9ca1b
    SHA1: 087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
    SHA256: 8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
    SHA512: 5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

  • memory/952-67-0x0000000000000000-mapping.dmp
  • memory/1096-54-0x0000000075B71000-0x0000000075B73000-memory.dmp
    Filesize: 8KB
  • memory/1252-55-0x0000000000000000-mapping.dmp
  • memory/1276-59-0x0000000000000000-mapping.dmp
  • memory/1316-57-0x0000000000000000-mapping.dmp
  • memory/1660-63-0x0000000000000000-mapping.dmp
  • memory/1720-65-0x0000000000000000-mapping.dmp
  • memory/1732-60-0x0000000000000000-mapping.dmp