Analysis
max time kernel: 81s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-03-2023 17:15
Static task: static1
Behavioral task: behavioral1 (Sample: MEMZ.exe, Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: MEMZ.exe, Resource: win10v2004-20230220-en)
General
Target: MEMZ.exe
Size: 16KB
MD5: 1d5ad9c8d3fee874d0feb8bfac220a11
SHA1: ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA256: 3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512: c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
SSDEEP: 192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  process  | description       | ioc
  MEMZ.exe | Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system. Opening \??\PhysicalDrive0 for modification gives the process raw write access to the system disk, including sector 0, and requires administrative rights. The sandbox recorded the handle open, not the bytes written, so the first sector of the affected host should be dumped and verified rather than assumed intact.
Processes:
  process  | description                  | ioc
  MEMZ.exe | File opened for modification | \??\PhysicalDrive0
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour; in this run it accompanies the raw PhysicalDrive0 access recorded above.
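An added example, not code from the report or from the sample: a Python check a responder could run over a 512-byte sector dumped from PhysicalDrive0 after the MBR alert above. It validates the 0x55AA boot signature, sanity-checks the partition table, and compares the boot-code region against a baseline digest. The sectors it audits here are constructed inline, and the baseline is taken from the constructed known-good sector; on a real case the baseline would come from a gold image of the same build.

```python
"""Audit a 512-byte MBR sector after a "Writes to the MBR" alert.

Added example for this report; it is not code from MEMZ or from the sandbox.
The sample sectors are constructed inline and the baseline digest is taken
from the constructed known-good sector (in practice, from a gold image).
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = 0xAA55        # stored little-endian as 55 AA at offset 0x1FE
DISK_SIG_OFFSET = 0x1B8        # 4-byte Windows disk signature, differs per machine
PART_TABLE_OFFSET = 0x1BE      # four 16-byte partition entries
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_partitions(mbr):
    """Return the four partition entries as dicts (type 0 means unused)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * 16
        status, ptype, lba_start, count = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def code_digest(mbr):
    """SHA-256 of the boot code only (bytes before the disk signature).

    The disk signature and partition table legitimately differ between
    otherwise identical machines, so only the executable part is baselined.
    """
    return hashlib.sha256(mbr[:DISK_SIG_OFFSET]).hexdigest()


def audit_mbr(mbr, baseline_sha256=None):
    """Return a list of findings; an empty list means nothing looked wrong."""
    if len(mbr) != SECTOR_SIZE:
        return ["unexpected sector length %d" % len(mbr)]
    findings = []
    if struct.unpack_from("<H", mbr, 0x1FE)[0] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = [p for p in parse_partitions(mbr) if p["type"] != 0]
    if not parts:
        findings.append("no partition entries; table wiped or overwritten")
    for p in parts:
        if p["status"] not in (0x00, 0x80):       # only inactive/active are valid
            findings.append("invalid status byte 0x%02x" % p["status"])
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append("partition with zero start or zero length")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append("overlapping partition entries")
            break
    if baseline_sha256 is not None and code_digest(mbr) != baseline_sha256:
        findings.append("boot code differs from baseline")
    return findings


def build_mbr(boot_code, partitions):
    """Assemble a sector from boot code and (status, type, lba_start, sectors) tuples."""
    if len(boot_code) > DISK_SIG_OFFSET:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + i * 16,
                         status, ptype, lba, count)
    struct.pack_into("<H", sector, 0x1FE, BOOT_SIGNATURE)
    return bytes(sector)


# Constructed samples. The "good" boot code is a stand-in, not a real loader.
GOOD_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C"           # xor ax,ax / mov ss,ax / mov sp,7C00h
GOOD_MBR = build_mbr(GOOD_BOOT_CODE, [(0x80, 0x07, 2048, 204800)])
BASELINE = code_digest(GOOD_MBR)
# Constructed "overwritten" sector: foreign code, partition table gone, signature intact.
TAMPERED_MBR = build_mbr(b"\xB4\x0E\xCD\x10" * 16, [])     # mov ah,0Eh / int 10h stand-in

if __name__ == "__main__":
    for name, sector in (("good", GOOD_MBR), ("tampered", TAMPERED_MBR)):
        print(name, audit_mbr(sector, baseline_sha256=BASELINE) or ["ok"])
```

The baseline deliberately covers only bytes 0x000 to 0x1B7: the disk signature at 0x1B8 and the partition table at 0x1BE change from machine to machine, so hashing the whole sector would raise a finding on every host. A wiped partition table is reported separately so that an overwrite which preserves the 0x55AA signature still stands out.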
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (64 events, aggregated by PID; all four are MEMZ.exe child instances):
  pid  | process  | events
  4136 | MEMZ.exe | 21
  4956 | MEMZ.exe | 15
  4120 | MEMZ.exe | 14
  216  | MEMZ.exe | 14
Suspicious use of SetWindowsHookEx (16 IoCs)
Processes (16 events, aggregated by PID):
  pid  | process  | events
  1164 | MEMZ.exe | 6
  216  | MEMZ.exe | 3
  4956 | MEMZ.exe | 3
  4120 | MEMZ.exe | 3
  4136 | MEMZ.exe | 1
Suspicious use of WriteProcessMemory (18 IoCs)
Processes (18 events; PID 4276 wrote three times into each of six target processes):
  source pid | source process | target pid | target process | writes
  4276       | MEMZ.exe       | 4136       | MEMZ.exe       | 3
  4276       | MEMZ.exe       | 4120       | MEMZ.exe       | 3
  4276       | MEMZ.exe       | 4956       | MEMZ.exe       | 3
  4276       | MEMZ.exe       | 216        | MEMZ.exe       | 3
  4276       | MEMZ.exe       | 1164       | MEMZ.exe       | 3
  4276       | MEMZ.exe       | 4260       | MEMZ.exe       | 3
Every target is another MEMZ.exe instance, and the six targets match the six direct children in the process tree below, so these writes are the top-level process setting up its own children rather than injection into unrelated processes.
Processes
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"  (depth 1)
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MEMZ.exe  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog  (depth 2)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\MEMZ.exe  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog  (depth 2)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\MEMZ.exe  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog  (depth 2)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\MEMZ.exe  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog  (depth 2)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\MEMZ.exe  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog  (depth 2)
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\MEMZ.exe  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main  (depth 2)
    - Writes to the Master Boot Record (MBR)
    C:\Windows\SysWOW64\notepad.exe  "C:\Windows\System32\notepad.exe" \note.txt  (depth 3)
The top-level process spawns five /watchdog instances and one /main instance; only the /main instance performs the MBR write, and it is also the one that opens \note.txt (the C:\note.txt listed under Downloads) in Notepad. The Notepad command line asks for System32\notepad.exe but the image that ran is SysWOW64\notepad.exe: WoW64 file-system redirection rewrote the path because the caller is a 32-bit process, which matches the arch:x86 resource tag.
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\note.txt
  Filesize: 218B
  MD5: afa6955439b8d516721231029fb9ca1b
  SHA1: 087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
  SHA256: 8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
  SHA512: 5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf