Analysis
- max time kernel: 32s
- max time network: 41s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 31-03-2023 17:19
Static task
- static1
Behavioral task
- behavioral1: Sample MEMZ.exe, Resource win7-20230220-en
Behavioral task
- behavioral2: Sample MEMZ.exe, Resource win10-20230220-en
General
- Target: MEMZ.exe
- Size: 16KB
- MD5: 1d5ad9c8d3fee874d0feb8bfac220a11
- SHA1: ca6d3f7e6c784155f664a9179ca64e4034df9595
- SHA256: 3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
- SHA512: c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
- SSDEEP: 192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN
Malware Config
Signatures
- Writes to the Master Boot Record (MBR)  [1 TTPs, 1 IoCs]
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    description                    ioc                  process
    File opened for modification   \??\PhysicalDrive0   MEMZ.exe
- Enumerates physical storage devices  [1 TTPs]
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses  [64 IoCs]
  Processes (64 entries, grouped by pid; the report lists one row per hit):
    pid    process    hits
    4168   MEMZ.exe   18
    3596   MEMZ.exe   16
    4192   MEMZ.exe   12
    3648   MEMZ.exe   10
    3600   MEMZ.exe   8
- Suspicious use of SetWindowsHookEx  [16 IoCs]
  Processes (16 entries, grouped by pid; the report lists one row per hit):
    pid    process    hits
    3596   MEMZ.exe   3
    3600   MEMZ.exe   4
    3648   MEMZ.exe   3
    4168   MEMZ.exe   3
    4192   MEMZ.exe   3
- Suspicious use of WriteProcessMemory  [18 IoCs]
  Processes (18 entries; each row below is reported three times):
    description                      pid    process    target pid   target process
    PID 3068 wrote to memory of 4168  3068   MEMZ.exe   4168         MEMZ.exe
    PID 3068 wrote to memory of 4192  3068   MEMZ.exe   4192         MEMZ.exe
    PID 3068 wrote to memory of 3648  3068   MEMZ.exe   3648         MEMZ.exe
    PID 3068 wrote to memory of 3596  3068   MEMZ.exe   3596         MEMZ.exe
    PID 3068 wrote to memory of 3600  3068   MEMZ.exe   3600         MEMZ.exe
    PID 3068 wrote to memory of 4608  3068   MEMZ.exe   4608         MEMZ.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
    - Writes to the Master Boot Record (MBR)
    - C:\Windows\SysWOW64\notepad.exe
      command line: "C:\Windows\System32\notepad.exe" \note.txt