Analysis
- max time kernel: 192s
- max time network: 220s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 31-03-2023 17:19
Static task: static1
Behavioral task: behavioral1
- Sample: MEMZ.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: MEMZ.exe
- Resource: win10-20230220-en
General
- Target: MEMZ.exe
- Size: 16KB
- MD5: 1d5ad9c8d3fee874d0feb8bfac220a11
- SHA1: ca6d3f7e6c784155f664a9179ca64e4034df9595
- SHA256: 3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
- SHA512: c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
- SSDEEP: 192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN
Malware Config
Signatures
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
  - File opened for modification: \??\PhysicalDrive0 (process: MEMZ.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
  Processes: iexplore.exe, IEXPLORE.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: MEMZ.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  - Token: 33 (pid 632, AUDIODG.EXE)
  - Token: SeIncBasePriorityPrivilege (pid 632, AUDIODG.EXE)
  - Token: 33 (pid 632, AUDIODG.EXE)
  - Token: SeIncBasePriorityPrivilege (pid 632, AUDIODG.EXE)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
  - pid 284 iexplore.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes:
  - pid 284 iexplore.exe
  - pid 284 iexplore.exe
  - pid 764 IEXPLORE.EXE
  - pid 764 IEXPLORE.EXE
  - pid 764 IEXPLORE.EXE
  - pid 764 IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (36 IoCs)
  Processes: MEMZ.exe, iexplore.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe
      Command line: "C:\Windows\System32\notepad.exe" \note.txt
    - C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b45
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:284 CREDAT:275457 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x56c
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C (Filesize: 579B)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (Filesize: 61KB)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C (Filesize: 252B)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (Filesize: 304B)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AFOBZ3YS\suggestions[1].en-US (Filesize: 17KB)
- C:\Users\Admin\AppData\Local\Temp\TarB765.tmp (Filesize: 161KB)
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\37ARJDN3.txt (Filesize: 598B)
- C:\note.txt (Filesize: 218B)