Analysis
-
max time kernel
297s -
max time network
303s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
31-03-2023 17:32
General
-
Target
MEMZ 3.0/MEMZ.exe
-
Size
12KB
-
MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91
-
SHA1
761168201520c199dba68add3a607922d8d4a86e
-
SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
-
SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
-
SSDEEP
192:HMDLTxWDf/pl3cIEiwqZKBktLe3P+qf2jhP6B5b2yL3:H4IDH3cIqqvUWq+jhyT2yL
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 59 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 20 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
Runs regedit.exe 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious behavior: MapViewOfSection 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 16 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /main2⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" \note.txt3⤵
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\System32\regedit.exe"3⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\System32\calc.exe"3⤵
-
C:\Windows\SysWOW64\mspaint.exe"C:\Windows\System32\mspaint.exe"3⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mmc.exe"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"4⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"3⤵
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\System32\regedit.exe"3⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3481⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RIZDY293\edgecompatviewlist[1].xmlFilesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\0K1VPCNX\favicon[1].icoFilesize
5KB
MD5f3418a443e7d841097c714d69ec4bcb8
SHA149263695f6b0cdd72f45cf1b775e660fdc36c606
SHA2566da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA51282d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\8B1NBJ5L\suggestions[1].en-USFilesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\Windows\3720402701\2219095117.priFilesize
207KB
MD5e2b88765ee31470114e866d939a8f2c6
SHA1e0a53b8511186ff308a0507b6304fb16cabd4e1f
SHA256523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e
SHA512462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
1KB
MD5a371c997de65fa1d0c1c6e2d862593f7
SHA12cf4f67996db546829222259c361d0f3f91d8718
SHA256f3e826add98dc2b453bad19a6492b09b9faef9de7651197314ad673583db5458
SHA512b986495e52fa6d9472fcdf7fea433e24a4acc0ff29734455d722e233737de199c2ee32788facb98de681ca4fba985783d736acfb028e0d5b53399687022a6811
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAFilesize
724B
MD5f569e1d183b84e8078dc456192127536
SHA130c537463eed902925300dd07a87d820a713753f
SHA256287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413
SHA51249553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_3B19E079B02C6E9472149DB847F37EF9Filesize
472B
MD501dec6104ef463d96442a8770eed9efd
SHA1aa2b574c90a9cf761437a445601672b4d5f44305
SHA256074646cf44812ff410b1e71224bc69214999105760b3bd2f138bf30a2cc5459a
SHA5125b0863303be78dd7604537e003d4237441465995112d2be61f770f6539d6aef47e8f422079e46239c02e0d200d7994fc1081cfc9064dcbfd8b96423c45ef741e
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_5C0FECF3E49EA4DC8292F821F42A2CB1Filesize
472B
MD5fdbc8e153c1bda0b5876b789404a18c4
SHA1fe9e0df803b2f4028f47bf111e6d571730c87f84
SHA256effdec2f1f1dddee58840580382425d98ba3bb1eebc6e0acc8df0fb006cc063f
SHA51214d179f9bd4b7788b9cd123f309c4d096200d0534268ea5b21ebe5925a3317b21516d3f166782cc8be945b0385fd2e85e5cf41b7d5fecd627ec7fddc04888247
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD53a95c37f8d7a75708ad03f74d92a2a99
SHA1437665a096a3966b2a802018ab72e59ae1e9cae4
SHA2562ae74cb4d7572cc2849e7bcdf888889bcd308086e974871bcb4145af72f81f1d
SHA512864e60269fcd3b8a80c888d4f600ee97f4f1286050068710acad1df1cb21bb00ae900c9e8037d8776c0d88f3c40bad90940b2fee8993636403d2ff098d71da45
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAFilesize
392B
MD5a11f3494404f900d9d6d3193b4b1476a
SHA167caa541e6b246411518095ad82e83912c077156
SHA25656f39c679ef3d8dcdba98572b78cb449a3896afd595602cf73828c4315e5c30e
SHA5121c355e4e114630eafa94cbb77a3dfa848322ed4565ca5ad95e07440804487490a658ad01d3f1a967a498f282c79ed5a6784a45c9218e175be059d73de4a625b3
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_3B19E079B02C6E9472149DB847F37EF9Filesize
410B
MD510584fe931b39d10263f3aa3ca446829
SHA1472183559590035d2d5672b2441b223869f261b5
SHA256acacd100c55425fe3e9a8943c172d9969b66e5ced09ed80f19bda85860a5e3b7
SHA5128bfa5e5dbb3287cab0f8a096b7837a9dad7ece091cf3ecd6c9e83b614e0b66c17761be4754349a334c5946038a66eae473c666c8d37008f67de1826cb902c562
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_5C0FECF3E49EA4DC8292F821F42A2CB1Filesize
402B
MD51d204ac4e11ea25488b34f80d7161fdf
SHA1d64af769a3bb3cfae37485f8192bc28ab043ba51
SHA256f9c29e0a2c42f1a667b68d90e996e8ec51d31cddfad1ec142f1be28983993a53
SHA512a39d494f7b990f12d8fe3670a18395708eb032c5d3c254cd516a1564068476a677349663ea200bbd16b2c3236a6bcdf8309e67a96ca19e14f2bb879c71bfa0c4
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2219095117.priFilesize
207KB
MD5e2b88765ee31470114e866d939a8f2c6
SHA1e0a53b8511186ff308a0507b6304fb16cabd4e1f
SHA256523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e
SHA512462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d
-
C:\note.txtFilesize
218B
MD5afa6955439b8d516721231029fb9ca1b
SHA1087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA2568e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA5125da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf
-
memory/1100-191-0x0000021DD3980000-0x0000021DD3982000-memory.dmpFilesize
8KB
-
memory/1100-305-0x0000021DD34E0000-0x0000021DD34E2000-memory.dmpFilesize
8KB
-
memory/1100-207-0x0000021DD42E0000-0x0000021DD42E2000-memory.dmpFilesize
8KB
-
memory/1100-209-0x0000021DD4410000-0x0000021DD4412000-memory.dmpFilesize
8KB
-
memory/1100-187-0x0000021DD3940000-0x0000021DD3942000-memory.dmpFilesize
8KB
-
memory/1100-189-0x0000021DD3960000-0x0000021DD3962000-memory.dmpFilesize
8KB
-
memory/1100-203-0x0000021DD42A0000-0x0000021DD42A2000-memory.dmpFilesize
8KB
-
memory/1100-198-0x0000021DD3CA0000-0x0000021DD3CA2000-memory.dmpFilesize
8KB
-
memory/1100-200-0x0000021DD3CF0000-0x0000021DD3D10000-memory.dmpFilesize
128KB
-
memory/1100-195-0x0000021DD39C0000-0x0000021DD39C2000-memory.dmpFilesize
8KB
-
memory/1100-303-0x0000021DC2910000-0x0000021DC2912000-memory.dmpFilesize
8KB
-
memory/1100-205-0x0000021DD42C0000-0x0000021DD42C2000-memory.dmpFilesize
8KB
-
memory/1100-193-0x0000021DD39A0000-0x0000021DD39A2000-memory.dmpFilesize
8KB
-
memory/3372-225-0x00000224B1220000-0x00000224B1221000-memory.dmpFilesize
4KB
-
memory/3372-224-0x00000224B1210000-0x00000224B1211000-memory.dmpFilesize
4KB
-
memory/3372-164-0x00000224AF820000-0x00000224AF822000-memory.dmpFilesize
8KB
-
memory/3372-163-0x00000224AF750000-0x00000224AF752000-memory.dmpFilesize
8KB
-
memory/3372-161-0x00000224A81D0000-0x00000224A81D2000-memory.dmpFilesize
8KB
-
memory/3372-159-0x00000224A8180000-0x00000224A8181000-memory.dmpFilesize
4KB
-
memory/3372-138-0x00000224AB400000-0x00000224AB410000-memory.dmpFilesize
64KB
-
memory/3372-122-0x00000224AAC20000-0x00000224AAC30000-memory.dmpFilesize
64KB
-
memory/3892-337-0x00000203E6590000-0x00000203E65B0000-memory.dmpFilesize
128KB