Analysis
-
max time kernel
192s -
max time network
186s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
03-02-2023 01:21
Static task
static1
Behavioral task
behavioral1
Sample
MEMZ-Clean.bat
Resource
win10-20220901-en
Behavioral task
behavioral2
Sample
MEMZ-Clean.bat
Resource
win7-20220812-en
Behavioral task
behavioral3
Sample
MEMZ-Clean.bat
Resource
win10v2004-20221111-en
Behavioral task
behavioral4
Sample
MEMZ-Clean.bat
Resource
android-x86-arm-20220823-en
General
-
Target
MEMZ-Clean.bat
-
Size
9KB
-
MD5
bbae81b88416d8fba76dd3145a831d19
-
SHA1
42fa0e1b90ad49f66d4ab96c8cca02f81248da8b
-
SHA256
5c3fde60c178ed0306dd3e396032acdc9bc55c690e27a926923dd18238bbd64c
-
SHA512
f03ac63bbb504cb53dc896c2bec8666257034b1c4a5827a4ad75c434af05f1cd631a814cc8689e60210e4ca757e61390db8d222f05bf9f3a0fa7026bdf8c4368
-
SSDEEP
192:XBOTDzoOgdlf7MAdTyQuHq2b1vXei2SLca5icrLJlz3:ss/tDyQuHZddL5Jlz3
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
MEMZ.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation MEMZ.exe -
Executes dropped EXE 1 IoCs
Processes:
MEMZ.exepid process 4984 MEMZ.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
calc.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings calc.exe -
Runs regedit.exe 1 IoCs
Processes:
regedit.exepid process 3700 regedit.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
regedit.exepid process 3700 regedit.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
AUDIODG.EXEdescription pid process Token: 33 5080 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 5080 AUDIODG.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
cscript.exepid process 2504 cscript.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
MEMZ.exeOpenWith.exepid process 4984 MEMZ.exe 4984 MEMZ.exe 4984 MEMZ.exe 4804 OpenWith.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
cmd.exeMEMZ.exedescription pid process target process PID 3492 wrote to memory of 2504 3492 cmd.exe cscript.exe PID 3492 wrote to memory of 2504 3492 cmd.exe cscript.exe PID 3492 wrote to memory of 4984 3492 cmd.exe MEMZ.exe PID 3492 wrote to memory of 4984 3492 cmd.exe MEMZ.exe PID 3492 wrote to memory of 4984 3492 cmd.exe MEMZ.exe PID 4984 wrote to memory of 3700 4984 MEMZ.exe regedit.exe PID 4984 wrote to memory of 3700 4984 MEMZ.exe regedit.exe PID 4984 wrote to memory of 3700 4984 MEMZ.exe regedit.exe PID 4984 wrote to memory of 3176 4984 MEMZ.exe calc.exe PID 4984 wrote to memory of 3176 4984 MEMZ.exe calc.exe PID 4984 wrote to memory of 3176 4984 MEMZ.exe calc.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MEMZ-Clean.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cscript.execscript x.js2⤵
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\MEMZ.exe"C:\Users\Admin\AppData\Roaming\MEMZ.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\System32\regedit.exe"3⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\System32\calc.exe"3⤵
- Modifies registry class
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4ac 0x2ec1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\xFilesize
8KB
MD55ce1a2162bf5e16485f5e263b3cc5cf5
SHA1e9ec3e06bef08fcf29be35c6a4b2217a8328133c
SHA2560557ea4c5e309b16458ca32ac617b76d1a55f5f0103e368d05c0f0386b7a0a43
SHA512ceb5e270bdbcab5be645e50705e3111a5c4751a7a865580d53fa86580025201264a49dd0ea9135b10cff28d7bb21b767ac5d4aff40e880a866ab35df273b5de1
-
C:\Users\Admin\AppData\Local\Temp\x.jsFilesize
448B
MD58eec8704d2a7bc80b95b7460c06f4854
SHA11b34585c1fa7ec0bd0505478ac9dbb8b8d19f326
SHA256aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596
SHA512e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210
-
C:\Users\Admin\AppData\Local\Temp\z.zipFilesize
5KB
MD5d2ea024b943caa1361833885b832d20b
SHA11e17c27a3260862645bdaff5cf82c44172d4df9a
SHA25639df3364a3af6f7d360aa7e1345e27befc4be960e0e7e7e060b20f3389b80e76
SHA5127b7cfb5e689feed6a52eedf36b89a7b5cc411191571c0af5e5d704b5f24bfa04afa62d1daab159a7e5702d80e56f3946bf32db0551d256419ca12cd3c57dcecb
-
C:\Users\Admin\AppData\Roaming\MEMZ.exeFilesize
12KB
MD59c642c5b111ee85a6bccffc7af896a51
SHA1eca8571b994fd40e2018f48c214fab6472a98bab
SHA2564bbf7589615ebdb6c769d6d2e7bdcb26072bac0cda6e225a4133ba8819e688d5
SHA51223cc74b5a7bdf70ba789d1730a0009414cfb9c780544e3d8d841be58782b9a9a089969c4295a0da25d07285505992386486d6ff0524e75605b96bb99cd3aaa1c
-
C:\Users\Admin\AppData\Roaming\MEMZ.exeFilesize
12KB
MD59c642c5b111ee85a6bccffc7af896a51
SHA1eca8571b994fd40e2018f48c214fab6472a98bab
SHA2564bbf7589615ebdb6c769d6d2e7bdcb26072bac0cda6e225a4133ba8819e688d5
SHA51223cc74b5a7bdf70ba789d1730a0009414cfb9c780544e3d8d841be58782b9a9a089969c4295a0da25d07285505992386486d6ff0524e75605b96bb99cd3aaa1c
-
memory/2504-132-0x0000000000000000-mapping.dmp
-
memory/3176-140-0x0000000000000000-mapping.dmp
-
memory/3700-139-0x0000000000000000-mapping.dmp
-
memory/4984-136-0x0000000000000000-mapping.dmp