3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

Resubmissions

31-03-2023 20:37

230331-zedkyadc34 7

31-03-2023 20:34

230331-zcqgqaee9t 7

31-03-2023 20:32

230331-zbentsdb88 7

31-03-2023 20:28

230331-y8zvladb76 7

Analysis

max time kernel
421s
max time network
421s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
31-03-2023 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ.exe
Size

12KB
MD5

a7bcf7ea8e9f3f36ebfb85b823e39d91
SHA1

761168201520c199dba68add3a607922d8d4a86e
SHA256

3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
SHA512

89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
SSDEEP

192:HMDLTxWDf/pl3cIEiwqZKBktLe3P+qf2jhP6B5b2yL3:H4IDH3cIqqvUWq+jhyT2yL

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "387067270"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b00ea2932164d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007837404bb2ac374381d657b4bfd4f9e2000000000200000000001066000000010000200000009aba2360a44acedbb15b3534a678516449ce9ee277a24a51001373921bac960f000000000e8000000002000020000000567929c36118e17aae44e33859fc9e4c5e267538bda9249d24c67eee5436e44920000000417dd27860027e535dfda6cc48e7e01a1e24050ebc7f7c2ba6a3a19a82f33c3940000000e5d240622676be5071add394c44af0a7699cf3584adcd49a274905ba33421ab8758f9f08329623a7667036098c351ede02a49174f603e9f937b19668db190a47	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff65000000a3000000eb04000008030000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B9264DE1-D014-11ED-B2AF-D2C9D0B8F522} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007837404bb2ac374381d657b4bfd4f9e2000000000200000000001066000000010000200000001b9c622ecaf85ec207c204f344d706be0df2fd69a7be6773a0c86137ebcf969b000000000e8000000002000020000000ed0561862987211e62c03163c21e22cb1f56717e556f95c5f3f7a5eeb0b8c13c9000000041ccfc2b689f527be46d12fe96b0e0ad4030a449cdef5e1d2a55b315c2577c661c96cc3192cd923caf7c52fa7bc2c830fe730fd31c58796516214dd6fd0bb9b524794257ad7c3e9272fb150b51e2127eebf208a9f1419977dc0d61c8152aec1aa3e3cae10e8c82c77adf989a19859ba77fb33f63eb51db6b72b9212e71556ab27dfdcef2eae3959380f23d1aad776f9d40000000ea059b181e7aa5f88fed1a95d0f2db84c491fc30af09dd44bc2093433428b7f1d60f8aae7ebd9638eef7b4407908d7bc88e9ed1ff7e324d286f75b5526e5eabb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
1688	MEMZ.exe
1088	MEMZ.exe
1992	MEMZ.exe
1148	MEMZ.exe
1612	MEMZ.exe
1088	MEMZ.exe
1688	MEMZ.exe
1992	MEMZ.exe
1148	MEMZ.exe
1612	MEMZ.exe
1688	MEMZ.exe
1088	MEMZ.exe
1992	MEMZ.exe
1148	MEMZ.exe
1612	MEMZ.exe
1688	MEMZ.exe
1088	MEMZ.exe
1992	MEMZ.exe
1148	MEMZ.exe
1612	MEMZ.exe
1088	MEMZ.exe
1688	MEMZ.exe
1992	MEMZ.exe
1148	MEMZ.exe
1612	MEMZ.exe
1688	MEMZ.exe
1088	MEMZ.exe
1992	MEMZ.exe
1148	MEMZ.exe
1612	MEMZ.exe
1688	MEMZ.exe
1088	MEMZ.exe
1992	MEMZ.exe
1148	MEMZ.exe
1612	MEMZ.exe
1688	MEMZ.exe
1088	MEMZ.exe
1992	MEMZ.exe
1148	MEMZ.exe
1612	MEMZ.exe
1688	MEMZ.exe
1088	MEMZ.exe
1992	MEMZ.exe
1148	MEMZ.exe
1612	MEMZ.exe
1688	MEMZ.exe
1088	MEMZ.exe
1992	MEMZ.exe
1148	MEMZ.exe
1612	MEMZ.exe
1688	MEMZ.exe
1088	MEMZ.exe
1992	MEMZ.exe
1148	MEMZ.exe
1612	MEMZ.exe
1688	MEMZ.exe
1088	MEMZ.exe
1992	MEMZ.exe
1148	MEMZ.exe
1612	MEMZ.exe
1688	MEMZ.exe
1088	MEMZ.exe
1992	MEMZ.exe
1148	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

940 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AUDIODG.EXEtaskmgr.exeMEMZ.exeMEMZ.exeMEMZ.exe

description	pid	process
Token: 33	984	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	984	AUDIODG.EXE
Token: 33	984	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	984	AUDIODG.EXE
Token: SeDebugPrivilege	940	taskmgr.exe
Token: SeShutdownPrivilege	1148	MEMZ.exe
Token: SeShutdownPrivilege	1992	MEMZ.exe
Token: SeShutdownPrivilege	1612	MEMZ.exe

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

iexplore.exenotepad.exetaskmgr.exe

pid	process
1152	iexplore.exe
1152	iexplore.exe
512	notepad.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe

Suspicious use of SendNotifyMessage 47 IoCs

Processes:

taskmgr.exe

pid	process
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe
940	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
1152	iexplore.exe
1152	iexplore.exe
1800	IEXPLORE.EXE
1800	IEXPLORE.EXE
1800	IEXPLORE.EXE
1800	IEXPLORE.EXE
752	MEMZ.exe
1148	MEMZ.exe
1992	MEMZ.exe
1612	MEMZ.exe
1088	MEMZ.exe
1688	MEMZ.exe
1148	MEMZ.exe
1612	MEMZ.exe
1992	MEMZ.exe
1088	MEMZ.exe
1688	MEMZ.exe
1148	MEMZ.exe
1612	MEMZ.exe
1992	MEMZ.exe
1088	MEMZ.exe
1688	MEMZ.exe
1148	MEMZ.exe
1612	MEMZ.exe
1992	MEMZ.exe
1088	MEMZ.exe
1688	MEMZ.exe
1148	MEMZ.exe
1992	MEMZ.exe
1612	MEMZ.exe
1088	MEMZ.exe
1688	MEMZ.exe
1148	MEMZ.exe
1992	MEMZ.exe
1612	MEMZ.exe
1088	MEMZ.exe
1688	MEMZ.exe
1148	MEMZ.exe
1992	MEMZ.exe
1612	MEMZ.exe
1088	MEMZ.exe
1688	MEMZ.exe
1148	MEMZ.exe
1612	MEMZ.exe
1992	MEMZ.exe
1088	MEMZ.exe
1688	MEMZ.exe
1148	MEMZ.exe
1612	MEMZ.exe
1992	MEMZ.exe
1088	MEMZ.exe
1688	MEMZ.exe
1148	MEMZ.exe
1992	MEMZ.exe
1612	MEMZ.exe
1088	MEMZ.exe
1688	MEMZ.exe
1148	MEMZ.exe
1612	MEMZ.exe
1992	MEMZ.exe
1088	MEMZ.exe
1688	MEMZ.exe
1148	MEMZ.exe
1612	MEMZ.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

MEMZ.exeMEMZ.exeiexplore.exe

description	pid	process	target process
PID 1712 wrote to memory of 1088	1712	MEMZ.exe	MEMZ.exe
PID 1712 wrote to memory of 1088	1712	MEMZ.exe	MEMZ.exe
PID 1712 wrote to memory of 1088	1712	MEMZ.exe	MEMZ.exe
PID 1712 wrote to memory of 1088	1712	MEMZ.exe	MEMZ.exe
PID 1712 wrote to memory of 1688	1712	MEMZ.exe	MEMZ.exe
PID 1712 wrote to memory of 1688	1712	MEMZ.exe	MEMZ.exe
PID 1712 wrote to memory of 1688	1712	MEMZ.exe	MEMZ.exe
PID 1712 wrote to memory of 1688	1712	MEMZ.exe	MEMZ.exe
PID 1712 wrote to memory of 1992	1712	MEMZ.exe	MEMZ.exe
PID 1712 wrote to memory of 1992	1712	MEMZ.exe	MEMZ.exe
PID 1712 wrote to memory of 1992	1712	MEMZ.exe	MEMZ.exe
PID 1712 wrote to memory of 1992	1712	MEMZ.exe	MEMZ.exe
PID 1712 wrote to memory of 1148	1712	MEMZ.exe	MEMZ.exe
PID 1712 wrote to memory of 1148	1712	MEMZ.exe	MEMZ.exe
PID 1712 wrote to memory of 1148	1712	MEMZ.exe	MEMZ.exe
PID 1712 wrote to memory of 1148	1712	MEMZ.exe	MEMZ.exe
PID 1712 wrote to memory of 1612	1712	MEMZ.exe	MEMZ.exe
PID 1712 wrote to memory of 1612	1712	MEMZ.exe	MEMZ.exe
PID 1712 wrote to memory of 1612	1712	MEMZ.exe	MEMZ.exe
PID 1712 wrote to memory of 1612	1712	MEMZ.exe	MEMZ.exe
PID 1712 wrote to memory of 752	1712	MEMZ.exe	MEMZ.exe
PID 1712 wrote to memory of 752	1712	MEMZ.exe	MEMZ.exe
PID 1712 wrote to memory of 752	1712	MEMZ.exe	MEMZ.exe
PID 1712 wrote to memory of 752	1712	MEMZ.exe	MEMZ.exe
PID 752 wrote to memory of 512	752	MEMZ.exe	notepad.exe
PID 752 wrote to memory of 512	752	MEMZ.exe	notepad.exe
PID 752 wrote to memory of 512	752	MEMZ.exe	notepad.exe
PID 752 wrote to memory of 512	752	MEMZ.exe	notepad.exe
PID 752 wrote to memory of 1152	752	MEMZ.exe	iexplore.exe
PID 752 wrote to memory of 1152	752	MEMZ.exe	iexplore.exe
PID 752 wrote to memory of 1152	752	MEMZ.exe	iexplore.exe
PID 752 wrote to memory of 1152	752	MEMZ.exe	iexplore.exe
PID 1152 wrote to memory of 1800	1152	iexplore.exe	IEXPLORE.EXE
PID 1152 wrote to memory of 1800	1152	iexplore.exe	IEXPLORE.EXE
PID 1152 wrote to memory of 1800	1152	iexplore.exe	IEXPLORE.EXE
PID 1152 wrote to memory of 1800	1152	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1088

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1148

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1612

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
3⤵
- Suspicious use of FindShellTrayWindow
PID:512

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=mcafee+vs+norton
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1152

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1152 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1800

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
0ecd06dff063aa7dbb5f3fcf3f35022e

SHA1
02acdb13dbefd1641ca1afe9c17442816c6594fa

SHA256
580adf4e0357b5ef7eea2b136c059439b0d4fb7f08bf328d3312e049112fa847

SHA512
f8f3a30565e5f48c348a487149a453b46b6ccec331324342af1c6228fce2f08cc17d7dd2c847a4fee2840e31dfdd46b7deb203ac2f6d88d448667c4d8654d23b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
ad826e5fb71deda474976452e62d56d6

SHA1
28809fcbb9efb43d2c36b1320ef56d363bea791a

SHA256
eece45baeeccc1b1ba2c3af7a642bc1efdf752bdd2dc98f0c92208d0aa70cae9

SHA512
0b9b861e5ccc3bdf3fa627129d6391b0491105ea606daa002c3783a89e012704574fd0820ce23fafd4ecdef850aa454d56306fa4c2a5010c005817fc85ec107c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
4e765bdd54590c6fd1af2477d2a85085

SHA1
61f09acb2f13b92cdd608672f5de6c0090c544d5

SHA256
f91fefb6595ea0ab96423a5e9dcb4f6a806fcf0379622027a3aa8525a1b1f2f7

SHA512
8489f9413ab511296d533e8feafb3f72a6ea91403c109b73c0d419e51b57b971fb0e288919587259cab4a4e2d3a068288aae8ac6982fb4c50fc483e896943c92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
4646dde217e0b9000b835cc896145aa7

SHA1
2ba9fed8303c921990517c44e9788e71dbeca004

SHA256
c3be599069be41afa2f0015a803680f73fc137cda7fcf309530b488a70302adc

SHA512
7fd27b877a4f036a82e6afd232efb2c2a5015c7d719afb9f0a05c9613954fcdf524bdf2f9bd21f5847ee21c8f7f4186585d15c6abd02035db7f57ca97c9a23af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
47fb8e9d29b561b8dd8279af75becafe

SHA1
8e98f740df970bbdb272381b84bd37babb04efc5

SHA256
f35b7b88db7db4fb93c791c4ca4f3e80c759034071eb56fb3aca2b2bfb211bf2

SHA512
56bfb1f796692571d52af0921efe9adf834fb8a10612c2db97b5fe7c477654fb94c9aa4c80e83cf00032c8950cfbfe8deb702d9459a1437b75103d58dd20ab31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
99883b05409a775ef701de46578190c4

SHA1
57fe7a16415b79bd59e760a4b8e8c4d3280ddf6e

SHA256
1010e8856007570bd3375e5aea22a81ffe6e12b1bf526e79ea118bf6aec75325

SHA512
32b26dcc3ce373046b7a970b17c07a8b8354a3e5171fce8d1ec55486d20230926ac0cbe4317eab8efbfa21d9a3b3179f40b90d2a3b7d8bfa9ca57022c24a0bf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
27fddaf837fb7e2227c2c1e2c72f4b9a

SHA1
c2e50daa8f556e0ef42e988de6a8fab6b496617b

SHA256
852cf903f89b7e188871de467ef5b2ef35f9e995ab6ba4327d0c196b00995ce2

SHA512
6bd4e243499366b3cc83ae2b4f764639f5ae84a129e96fb1da6bbf2f3874ee53a7af6c8bfd6f6491bf4d606bddf5d09cd6ac1638a158896f3b9115062e64a0c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
34cf6a859239c42a6dd83f66a18fb7e6

SHA1
8c531fd7a25a2c7f821fb376a4466a6b3f4e8f46

SHA256
eda4df899a8f8586821e5a379f236aed72ff3dd285544527e4086b4caf804ce8

SHA512
a1bddb951bf1ee7ffb9152104e3e627c784d3bc474bd2e07abf021d22c23e01bbcc320d788ac1d66b4d2db0073226c89e49bd13d4c8fbde07d53461c92c35aba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
d52470c4eae731447ab2a2563a6b42cd

SHA1
608ebb1fe881887b54385472c48e8fe4057eb05f

SHA256
52d650f11b51d95b8d43a1b29be54308fcc4a74d244d1f66e24de154cd7d359a

SHA512
9a6b950cd7086ef66ad4e7191f9da57a36a06805a644cbf8813239de40e5c76e7e4b78e1b5fc2070920e097592d0f54b1c712c735bfd39bface3b5aefdff4baa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
8d13817b4c9aaa0169270464e92b4cb1

SHA1
c7b954de6fee88c81e607c831aebb8b20834b0a6

SHA256
90fd4374bf69aa27ec252d040b1ebd18096b35256efe13ee2ba727f7d33124e0

SHA512
1cf2f884baaef18ff17a1756e0e83bb187c176b56ab73bdb3a604544d9b51ea32d22931898bdf83f8d3e38ac3ceedb593ea1b9d73560c8b0ff37ef57ecc4bd22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
92533d44daa47ab79929ce39b3b44288

SHA1
83b9739873fae450cbeec5c6969bb51163bf2e7e

SHA256
fa9cef45a92a3b3d8498c32318b6d827011752f1eb48a047e4f2087065e0e1a7

SHA512
e8cc4ea36604d87b1d7d4406bd7efbb6144e52e8298d4e596743a1c60a717cab039adcca968fa4ffdd433af9b71d02519612dcb9ca9e825357c0df9de28d21e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
34095cc68494ef33aca01083ffe5d662

SHA1
2427b2304f339031a2c7e13b54e6698ace3d532c

SHA256
52e9719ac0dee248fb805f863254155ae8f7c9514d2d3ae8330619c8310c6453

SHA512
d4f79d7734ff418e254759cee28ea808cac5258f41741c427e0573dabbc87854792681dc0cf9d9bb0103f18dab3928494013e87cf01f45b5efa1531d9ad1da7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\z62wpf5\imagestore.dat
Filesize
9KB

MD5
099353a130301ef2dd38ad3f0b405819

SHA1
8504834dcb05487089c9d2b9bf2bb7e6be923432

SHA256
8571d4eea3e279134a584d81e22b93fa10ca94084453dc11d8d7695f06fdad43

SHA512
789fc3acadf93631e788b050eb68eee4ee8b9cd2df6d13432d2234b60639ed2f0ded53d7f01f68d4640500fa7d8f474eb6b5aa9a152fe21cd6e0261466732c49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\03S7L47X\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CMIDRLTB\favicon[2].ico
Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC795.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC893.tmp
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC7E6.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC936.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF4E63CB4529301095.TMP
Filesize
16KB

MD5
f9991a34f5098b79ae4f1cb281172a36

SHA1
38bf56106e651a281173a22e1970fb3c40a2e1a6

SHA256
4fb7d78019e2d2969d27fde30955a7136cf593baba47d9d1b8de659011ef8cfb

SHA512
bb3a33d80de91d81743fcf3a9176a1bf318ef4541d770d95bcefd8b4f2851124bcc2f4d2d6663d0ff174e0aa53395e3b896db606576084c91876a987988e919a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YGDEI38T.txt
Filesize
606B

MD5
a39dfc89dab18ec7520f20ca6e6b1489

SHA1
71f7cb6229b5e9a99d7de960eb88312875c389f0

SHA256
02ef70824bd5af7937aca39a071ef5ddb857dd7affead33ffa8c11582f993ec7

SHA512
d0fabc0eccff9e4c69db90f35f8b857ce91de8c4fec03d4f1fc2a3b59dedafdee91130c562ab90298fbc7032b1799ef3d6e20011f4d1b8a1fdca1b12499dbf44

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/940-624-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/940-625-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/940-626-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/940-627-0x0000000001BA0000-0x0000000001BA1000-memory.dmp

Filesize
4KB

Download
memory/940-628-0x0000000001BA0000-0x0000000001BA1000-memory.dmp

Filesize
4KB

Download