Overview

overview

7

Static

static

1

MEMZ 3.0/MEMZ.bat

windows10-1703-x64

7

MEMZ 3.0/MEMZ.bat

windows10-2004-x64

7

MEMZ 3.0/MEMZ.exe

windows10-1703-x64

7

MEMZ 3.0/MEMZ.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    67s
  • max time network
    87s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31-03-2023 16:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MEMZ 3.0/MEMZ.bat

  • Size

    12KB

  • MD5

    13a43c26bb98449fd82d2a552877013a

  • SHA1

    71eb7dc393ac1f204488e11f5c1eef56f1e746af

  • SHA256

    5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513

  • SHA512

    602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a

  • SSDEEP

    384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

Score
7/10
bootkitpersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Windows\system32\cscript.exe
      cscript x.js
      2⤵
        PID:3580
      • C:\Users\Admin\AppData\Roaming\MEMZ.exe
        "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4540
        • C:\Users\Admin\AppData\Roaming\MEMZ.exe
          "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:5044
        • C:\Users\Admin\AppData\Roaming\MEMZ.exe
          "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:4932
        • C:\Users\Admin\AppData\Roaming\MEMZ.exe
          "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:3396
        • C:\Users\Admin\AppData\Roaming\MEMZ.exe
          "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:3112
        • C:\Users\Admin\AppData\Roaming\MEMZ.exe
          "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:3408
        • C:\Users\Admin\AppData\Roaming\MEMZ.exe
          "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3260
          • C:\Windows\SysWOW64\notepad.exe
            "C:\Windows\System32\notepad.exe" \note.txt
            4⤵
              PID:4372
            • C:\Windows\SysWOW64\control.exe
              "C:\Windows\System32\control.exe"
              4⤵
              • Modifies registry class
              PID:3792
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
        1⤵
          PID:2148
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
          1⤵
          • Drops file in Windows directory
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1044
        • C:\Windows\system32\browser_broker.exe
          C:\Windows\system32\browser_broker.exe -Embedding
          1⤵
          • Modifies Internet Explorer settings
          PID:2144
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:1888
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
          • Modifies registry class
          PID:2568
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
            PID:2648

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Bootkit

          1
          T1067

          Privilege Escalation

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\05AYE1J1\favicon[1].ico
            Filesize

            5KB

            MD5

            f3418a443e7d841097c714d69ec4bcb8

            SHA1

            49263695f6b0cdd72f45cf1b775e660fdc36c606

            SHA256

            6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

            SHA512

            82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x
            Filesize

            4KB

            MD5

            b6873c6cbfc8482c7f0e2dcb77fb7f12

            SHA1

            844b14037e1f90973a04593785dc88dfca517673

            SHA256

            0a0cad82d9284ccc3c07de323b76ee2d1c0b328bd2ce59073ed5ac4eb7609bd1

            SHA512

            f3aa3d46d970db574113f40f489ff8a5f041606e79c4ab02301b283c66ff05732be4c5edc1cf4a851da9fbaaa2f296b97fc1135210966a0e2dfc3763398dfcaf

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x
            Filesize

            10KB

            MD5

            fc59b7d2eb1edbb9c8cb9eb08115a98e

            SHA1

            90a6479ce14f8548df54c434c0a524e25efd9d17

            SHA256

            a05b9be9dd87492f265094146e18d628744c6b09c0e7efaabf228a9f1091a279

            SHA512

            3392cfc0dbddb37932e76da5a49f4e010a49aaa863c882b85cccab676cd458cfc8f880d8a0e0dc7581175f447e6b0a002da1591ecd14756650bb74996eacd2b1

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x.js
            Filesize

            448B

            MD5

            8eec8704d2a7bc80b95b7460c06f4854

            SHA1

            1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

            SHA256

            aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

            SHA512

            e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\z.zip
            Filesize

            7KB

            MD5

            cf0c19ef6909e5c1f10c8460ba9299d8

            SHA1

            875b575c124acfc1a4a21c1e05acb9690e50b880

            SHA256

            abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

            SHA512

            d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\z.zip
            Filesize

            7KB

            MD5

            cf0c19ef6909e5c1f10c8460ba9299d8

            SHA1

            875b575c124acfc1a4a21c1e05acb9690e50b880

            SHA256

            abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

            SHA512

            d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

            Download Submit
          • C:\Users\Admin\AppData\Roaming\MEMZ.exe
            Filesize

            12KB

            MD5

            a7bcf7ea8e9f3f36ebfb85b823e39d91

            SHA1

            761168201520c199dba68add3a607922d8d4a86e

            SHA256

            3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

            SHA512

            89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

            Download Submit
          • C:\Users\Admin\AppData\Roaming\MEMZ.exe
            Filesize

            12KB

            MD5

            a7bcf7ea8e9f3f36ebfb85b823e39d91

            SHA1

            761168201520c199dba68add3a607922d8d4a86e

            SHA256

            3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

            SHA512

            89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

            Download Submit
          • C:\Users\Admin\AppData\Roaming\MEMZ.exe
            Filesize

            12KB

            MD5

            a7bcf7ea8e9f3f36ebfb85b823e39d91

            SHA1

            761168201520c199dba68add3a607922d8d4a86e

            SHA256

            3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

            SHA512

            89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

            Download Submit
          • C:\Users\Admin\AppData\Roaming\MEMZ.exe
            Filesize

            12KB

            MD5

            a7bcf7ea8e9f3f36ebfb85b823e39d91

            SHA1

            761168201520c199dba68add3a607922d8d4a86e

            SHA256

            3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

            SHA512

            89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

            Download Submit
          • C:\Users\Admin\AppData\Roaming\MEMZ.exe
            Filesize

            12KB

            MD5

            a7bcf7ea8e9f3f36ebfb85b823e39d91

            SHA1

            761168201520c199dba68add3a607922d8d4a86e

            SHA256

            3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

            SHA512

            89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

            Download Submit
          • C:\Users\Admin\AppData\Roaming\MEMZ.exe
            Filesize

            12KB

            MD5

            a7bcf7ea8e9f3f36ebfb85b823e39d91

            SHA1

            761168201520c199dba68add3a607922d8d4a86e

            SHA256

            3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

            SHA512

            89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

            Download Submit
          • C:\Users\Admin\AppData\Roaming\MEMZ.exe
            Filesize

            12KB

            MD5

            a7bcf7ea8e9f3f36ebfb85b823e39d91

            SHA1

            761168201520c199dba68add3a607922d8d4a86e

            SHA256

            3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

            SHA512

            89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

            Download Submit
          • C:\Users\Admin\AppData\Roaming\MEMZ.exe
            Filesize

            12KB

            MD5

            a7bcf7ea8e9f3f36ebfb85b823e39d91

            SHA1

            761168201520c199dba68add3a607922d8d4a86e

            SHA256

            3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

            SHA512

            89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

            Download Submit
          • C:\note.txt
            Filesize

            218B

            MD5

            afa6955439b8d516721231029fb9ca1b

            SHA1

            087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

            SHA256

            8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

            SHA512

            5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

            Download Submit
          • memory/1044-332-0x000002651D5D0000-0x000002651D5D1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1044-311-0x000002651EC00000-0x000002651EC10000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1044-334-0x000002651E130000-0x000002651E132000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1044-336-0x000002651E3C0000-0x000002651E3C2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1044-337-0x000002651E730000-0x000002651E732000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1044-295-0x000002651EB00000-0x000002651EB10000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1044-395-0x00000265247B0000-0x00000265247B1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1044-396-0x00000265247C0000-0x00000265247C1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2568-371-0x000001CC1CDB0000-0x000001CC1CDB2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2568-365-0x000001CC1CA90000-0x000001CC1CA92000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2568-363-0x000001CC1CA70000-0x000001CC1CA72000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2568-376-0x000001CC1D580000-0x000001CC1D582000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2568-380-0x000001CC1D5C0000-0x000001CC1D5C2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2568-378-0x000001CC1D5A0000-0x000001CC1D5A2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2568-369-0x000001CC1CAD0000-0x000001CC1CAD2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2568-367-0x000001CC1CAB0000-0x000001CC1CAB2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2568-360-0x000001CC1CA40000-0x000001CC1CA42000-memory.dmp
            Filesize

            8KB

            Download