3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

Analysis

max time kernel
121s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2023, 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ.exe
Size

16KB
MD5

1d5ad9c8d3fee874d0feb8bfac220a11
SHA1

ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA256

3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512

c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
SSDEEP

192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fbed3c45-6d5c-4b11-94d9-3f8b21185881.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230111132115.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2648	MEMZ.exe
2648	MEMZ.exe
2648	MEMZ.exe
2648	MEMZ.exe
2988	MEMZ.exe
2988	MEMZ.exe
1420	MEMZ.exe
1420	MEMZ.exe
2648	MEMZ.exe
2648	MEMZ.exe
2988	MEMZ.exe
2988	MEMZ.exe
2988	MEMZ.exe
2988	MEMZ.exe
2648	MEMZ.exe
2648	MEMZ.exe
1420	MEMZ.exe
1420	MEMZ.exe
2032	MEMZ.exe
2032	MEMZ.exe
2648	MEMZ.exe
2648	MEMZ.exe
2988	MEMZ.exe
2988	MEMZ.exe
3992	MEMZ.exe
3992	MEMZ.exe
2648	MEMZ.exe
2648	MEMZ.exe
2032	MEMZ.exe
1420	MEMZ.exe
2032	MEMZ.exe
1420	MEMZ.exe
2988	MEMZ.exe
2988	MEMZ.exe
2648	MEMZ.exe
2648	MEMZ.exe
3992	MEMZ.exe
3992	MEMZ.exe
2648	MEMZ.exe
2988	MEMZ.exe
2648	MEMZ.exe
2988	MEMZ.exe
1420	MEMZ.exe
1420	MEMZ.exe
2032	MEMZ.exe
2032	MEMZ.exe
2988	MEMZ.exe
2648	MEMZ.exe
2648	MEMZ.exe
2988	MEMZ.exe
3992	MEMZ.exe
3992	MEMZ.exe
2032	MEMZ.exe
2648	MEMZ.exe
2032	MEMZ.exe
2648	MEMZ.exe
1420	MEMZ.exe
1420	MEMZ.exe
2988	MEMZ.exe
3992	MEMZ.exe
2988	MEMZ.exe
3992	MEMZ.exe
2032	MEMZ.exe
2032	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 2648	4532	MEMZ.exe	84
PID 4532 wrote to memory of 2648	4532	MEMZ.exe	84
PID 4532 wrote to memory of 2648	4532	MEMZ.exe	84
PID 4532 wrote to memory of 2988	4532	MEMZ.exe	85
PID 4532 wrote to memory of 2988	4532	MEMZ.exe	85
PID 4532 wrote to memory of 2988	4532	MEMZ.exe	85
PID 4532 wrote to memory of 1420	4532	MEMZ.exe	86
PID 4532 wrote to memory of 1420	4532	MEMZ.exe	86
PID 4532 wrote to memory of 1420	4532	MEMZ.exe	86
PID 4532 wrote to memory of 2032	4532	MEMZ.exe	87
PID 4532 wrote to memory of 2032	4532	MEMZ.exe	87
PID 4532 wrote to memory of 2032	4532	MEMZ.exe	87
PID 4532 wrote to memory of 3992	4532	MEMZ.exe	88
PID 4532 wrote to memory of 3992	4532	MEMZ.exe	88
PID 4532 wrote to memory of 3992	4532	MEMZ.exe	88
PID 4532 wrote to memory of 3392	4532	MEMZ.exe	89
PID 4532 wrote to memory of 3392	4532	MEMZ.exe	89
PID 4532 wrote to memory of 3392	4532	MEMZ.exe	89
PID 3392 wrote to memory of 3296	3392	MEMZ.exe	91
PID 3392 wrote to memory of 3296	3392	MEMZ.exe	91
PID 3392 wrote to memory of 3296	3392	MEMZ.exe	91
PID 3392 wrote to memory of 2084	3392	MEMZ.exe	96
PID 3392 wrote to memory of 2084	3392	MEMZ.exe	96
PID 3392 wrote to memory of 2084	3392	MEMZ.exe	96
PID 3392 wrote to memory of 1292	3392	MEMZ.exe	97
PID 3392 wrote to memory of 1292	3392	MEMZ.exe	97
PID 3392 wrote to memory of 1292	3392	MEMZ.exe	97
PID 3392 wrote to memory of 1556	3392	MEMZ.exe	109
PID 3392 wrote to memory of 1556	3392	MEMZ.exe	109
PID 1556 wrote to memory of 4456	1556	msedge.exe	110
PID 1556 wrote to memory of 4456	1556	msedge.exe	110
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112
PID 1556 wrote to memory of 2212	1556	msedge.exe	112

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2988
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1420
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3992
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:3296
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:1292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=internet+explorer+is+the+best+browser
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffea36446f8,0x7ffea3644708,0x7ffea3644718
      4⤵
      PID:4456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4858554953812289690,4150207616542547104,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
      4⤵
      PID:2212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,4858554953812289690,4150207616542547104,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
      4⤵
      PID:4588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,4858554953812289690,4150207616542547104,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
      4⤵
      PID:4688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4858554953812289690,4150207616542547104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      4⤵
      PID:1268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4858554953812289690,4150207616542547104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
      4⤵
      PID:4264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,4858554953812289690,4150207616542547104,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4888 /prefetch:8
      4⤵
      PID:4496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4858554953812289690,4150207616542547104,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
      4⤵
      PID:4784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4858554953812289690,4150207616542547104,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
      4⤵
      PID:4580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,4858554953812289690,4150207616542547104,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5452 /prefetch:8
      4⤵
      PID:3772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4858554953812289690,4150207616542547104,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
      4⤵
      PID:4612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:1384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff79f745460,0x7ff79f745470,0x7ff79f745480
        5⤵
        
        PID:664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4858554953812289690,4150207616542547104,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
      4⤵
      PID:5216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4858554953812289690,4150207616542547104,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
      4⤵
      PID:5228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4858554953812289690,4150207616542547104,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
      4⤵
      PID:5252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit