3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

Resubmissions

31-03-2023 17:19

230331-vvytladc6z 6

31-03-2023 17:17

230331-vt57aaca29 1

Analysis

max time kernel
192s
max time network
220s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
31-03-2023 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ.exe
Size

16KB
MD5

1d5ad9c8d3fee874d0feb8bfac220a11
SHA1

ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA256

3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512

c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
SSDEEP

192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "387055488"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{39EE8A31-CFF9-11ED-AB11-7621D5A708C1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
1216	MEMZ.exe
544	MEMZ.exe
468	MEMZ.exe
524	MEMZ.exe
1216	MEMZ.exe
1128	MEMZ.exe
544	MEMZ.exe
468	MEMZ.exe
524	MEMZ.exe
1216	MEMZ.exe
1128	MEMZ.exe
544	MEMZ.exe
468	MEMZ.exe
524	MEMZ.exe
1128	MEMZ.exe
1216	MEMZ.exe
544	MEMZ.exe
468	MEMZ.exe
524	MEMZ.exe
1128	MEMZ.exe
1216	MEMZ.exe
544	MEMZ.exe
468	MEMZ.exe
524	MEMZ.exe
1216	MEMZ.exe
1128	MEMZ.exe
544	MEMZ.exe
468	MEMZ.exe
524	MEMZ.exe
1128	MEMZ.exe
1216	MEMZ.exe
544	MEMZ.exe
468	MEMZ.exe
524	MEMZ.exe
1216	MEMZ.exe
1128	MEMZ.exe
544	MEMZ.exe
468	MEMZ.exe
524	MEMZ.exe
1128	MEMZ.exe
1216	MEMZ.exe
544	MEMZ.exe
468	MEMZ.exe
524	MEMZ.exe
1216	MEMZ.exe
1128	MEMZ.exe
544	MEMZ.exe
468	MEMZ.exe
524	MEMZ.exe
1128	MEMZ.exe
1216	MEMZ.exe
544	MEMZ.exe
468	MEMZ.exe
524	MEMZ.exe
1216	MEMZ.exe
1128	MEMZ.exe
544	MEMZ.exe
468	MEMZ.exe
524	MEMZ.exe
1216	MEMZ.exe
1128	MEMZ.exe
544	MEMZ.exe
468	MEMZ.exe
524	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	632	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	632	AUDIODG.EXE
Token: 33	632	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	632	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

284 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

284 iexplore.exe
284 iexplore.exe
764 IEXPLORE.EXE
764 IEXPLORE.EXE
764 IEXPLORE.EXE
764 IEXPLORE.EXE

pid	process
284	iexplore.exe

pid	process
284	iexplore.exe
284	iexplore.exe
764	IEXPLORE.EXE
764	IEXPLORE.EXE
764	IEXPLORE.EXE
764	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

MEMZ.exeMEMZ.exeiexplore.exe

description	pid	process	target process
PID 1772 wrote to memory of 1216	1772	MEMZ.exe	MEMZ.exe
PID 1772 wrote to memory of 1216	1772	MEMZ.exe	MEMZ.exe
PID 1772 wrote to memory of 1216	1772	MEMZ.exe	MEMZ.exe
PID 1772 wrote to memory of 1216	1772	MEMZ.exe	MEMZ.exe
PID 1772 wrote to memory of 544	1772	MEMZ.exe	MEMZ.exe
PID 1772 wrote to memory of 544	1772	MEMZ.exe	MEMZ.exe
PID 1772 wrote to memory of 544	1772	MEMZ.exe	MEMZ.exe
PID 1772 wrote to memory of 544	1772	MEMZ.exe	MEMZ.exe
PID 1772 wrote to memory of 468	1772	MEMZ.exe	MEMZ.exe
PID 1772 wrote to memory of 468	1772	MEMZ.exe	MEMZ.exe
PID 1772 wrote to memory of 468	1772	MEMZ.exe	MEMZ.exe
PID 1772 wrote to memory of 468	1772	MEMZ.exe	MEMZ.exe
PID 1772 wrote to memory of 524	1772	MEMZ.exe	MEMZ.exe
PID 1772 wrote to memory of 524	1772	MEMZ.exe	MEMZ.exe
PID 1772 wrote to memory of 524	1772	MEMZ.exe	MEMZ.exe
PID 1772 wrote to memory of 524	1772	MEMZ.exe	MEMZ.exe
PID 1772 wrote to memory of 1128	1772	MEMZ.exe	MEMZ.exe
PID 1772 wrote to memory of 1128	1772	MEMZ.exe	MEMZ.exe
PID 1772 wrote to memory of 1128	1772	MEMZ.exe	MEMZ.exe
PID 1772 wrote to memory of 1128	1772	MEMZ.exe	MEMZ.exe
PID 1772 wrote to memory of 580	1772	MEMZ.exe	MEMZ.exe
PID 1772 wrote to memory of 580	1772	MEMZ.exe	MEMZ.exe
PID 1772 wrote to memory of 580	1772	MEMZ.exe	MEMZ.exe
PID 1772 wrote to memory of 580	1772	MEMZ.exe	MEMZ.exe
PID 580 wrote to memory of 1876	580	MEMZ.exe	notepad.exe
PID 580 wrote to memory of 1876	580	MEMZ.exe	notepad.exe
PID 580 wrote to memory of 1876	580	MEMZ.exe	notepad.exe
PID 580 wrote to memory of 1876	580	MEMZ.exe	notepad.exe
PID 580 wrote to memory of 284	580	MEMZ.exe	iexplore.exe
PID 580 wrote to memory of 284	580	MEMZ.exe	iexplore.exe
PID 580 wrote to memory of 284	580	MEMZ.exe	iexplore.exe
PID 580 wrote to memory of 284	580	MEMZ.exe	iexplore.exe
PID 284 wrote to memory of 764	284	iexplore.exe	IEXPLORE.EXE
PID 284 wrote to memory of 764	284	iexplore.exe	IEXPLORE.EXE
PID 284 wrote to memory of 764	284	iexplore.exe	IEXPLORE.EXE
PID 284 wrote to memory of 764	284	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1216

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:544

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:468

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:524

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1128

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
3⤵
PID:1876

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b45
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:284

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:284 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:764

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x56c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C
Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C
Filesize
252B

MD5
da624d5a7b48129a6b25a5e08f3bf2ac

SHA1
8417bffc871f1d5a5ea005556dd256f8838a2221

SHA256
2879d979cedbdcf5d20e22c8477d9d349bf3ea5688584a7e0f68941e3b9fa2e0

SHA512
4d7b58fc4f8af97a50f2c2d2489569a24686ee01af2196a7f43957617679de025f98eec90c98cd114ee6e073d1832cd80abc36008a237a0d302749562b01d3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
e4a94d8a122ed5931134f1e42bf0ae28

SHA1
cdd5bc6c83402231e2dab4b79cebb2c3658631c5

SHA256
dc160ea05550c3f3686d0c9f3ec415ddc26e35adc2f2630e2f71b520bcc13afd

SHA512
7c45974ed91e5e31037bc281734346a6efad4a453b4c8b394164e15726e1545d016b1f46cebe9c92580315c69d1ac4251fa455e65eb1b1dadf43ebfa0659eedd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AFOBZ3YS\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB765.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\37ARJDN3.txt
Filesize
598B

MD5
f7570320568d590acc53dedf6d045e6f

SHA1
9a54988c20386543432a28c6772aa4a7f96bf7a6

SHA256
409be3cf678a643a7d3e126f2ff5568be395124589c935a095d47beeced57dd7

SHA512
9155e72504bbf41f42c69c10dc2aba72d69b60dbf0fc546e28da13a40e0d36597c0e33ffeef582c939d75162b9e8bcaade30c5b47d9f4122c27f0d275367bc32

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit