Analysis
-
max time kernel
48s -
max time network
76s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
01-04-2023 06:48
General
-
Target
https://github.com/Endermanch/MalwareDatabase/blob/master/trojans/MEMZ.zip
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 59 IoCs
-
Suspicious use of SendNotifyMessage 50 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://github.com/Endermanch/MalwareDatabase/blob/master/trojans/MEMZ.zip1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b6039758,0x7ff9b6039768,0x7ff9b60397782⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1816,i,8140072110659462440,6080492138505256520,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1816,i,8140072110659462440,6080492138505256520,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1816,i,8140072110659462440,6080492138505256520,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3180 --field-trial-handle=1816,i,8140072110659462440,6080492138505256520,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3196 --field-trial-handle=1816,i,8140072110659462440,6080492138505256520,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1816,i,8140072110659462440,6080492138505256520,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5112 --field-trial-handle=1816,i,8140072110659462440,6080492138505256520,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 --field-trial-handle=1816,i,8140072110659462440,6080492138505256520,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1816,i,8140072110659462440,6080492138505256520,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\Endermanch@MEMZ.exe" /main2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" \note.txt3⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD501c1f1d18b676fe25d7a2eb3d2aaee4e
SHA1b0ca4f44a3c68ba39ff98ba220a4f063a3e047b7
SHA2569e1c168d693e4d999ad05bef0ddaacf141614c7c59cfc0009dfde5854993bae4
SHA5128f01d7cf2d396ad6c9861c39c40b1e4443508a7907d78e801f82f04d3f999e9232fab3abc2756cecad3203b5a105637515ea1f1b450062a0c6969140ede365bc
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD567a6a5ae60763aeb7fd88b3165a00616
SHA12af58a675a916e893474b15cc22ff686994f2b55
SHA256774efadd613ed1b85fd19150846d93953943db811deeac3d0bd07a45152a64c6
SHA5120e414e2eacbddb532aecfa576ec9b1eeacaeb814f921e899262ea5a32866cfd7c50d1c6836e9595756dde819839db69dae2dbbb812a9fa12b4ca0a1f0710bcec
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD595d260ea83a5c03afd4e132b7b92fabe
SHA1be26914fb2f0cc0b20f824b84fc9772ae7ca71e1
SHA256b3de29a27d109a90504c6de537fa679a35ee1956b45b1926851bd9078eab27d5
SHA512360f521a111fd4fc873a3e6d8cdde894e9d80655f8882cacf55c162929705f8a42b3c0564bed1895f3a3009699923cff2ea5eef0a8ec8ce1aeedf10a0bf6d5c0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
15KB
MD58003013da8e0838eba00eb261ee3bc0c
SHA157dcbac1f856d2c029c37027fbac8a41186be9cd
SHA2567947301f56c269262126f6fc26740cfac54f6a31a2f436cb6cf92612d576f996
SHA512db79fb4040caa4deb582158d9864d93a86e71b3ad2ba7c39663531c09814f3103030d5cd8f24ca47c7631a73b1fe13534b6421cac5c158266243c382f3e771c4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
173KB
MD55cb5720c6c74c5fd350f035ea0c72e83
SHA1500b60dfdb17d95a463e711acb952030aba1aac1
SHA25682b2bab01b9088c031bb101540c3d4133966bc7ca133b2ec738cd49db1c947d6
SHA512c12f5d88da24b2a04ec068381a34a8efe710fca4f21fe286394c7b82c13fdefe50315f8671c55eb4dd4031575096d209e7d281cfac2473ce1c007afe21a852d6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.jsonFilesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\Downloads\MEMZ.zipFilesize
8KB
MD569977a5d1c648976d47b69ea3aa8fcaa
SHA14630cc15000c0d3149350b9ecda6cfc8f402938a
SHA25661ca4d8dd992c763b47bebb9b5facb68a59ff0a594c2ff215aa4143b593ae9dc
SHA512ba0671c72cd4209fabe0ee241b71e95bd9d8e78d77a893c94f87de5735fd10ea8b389cf4c48462910042c312ddff2f527999cd2f845d0c19a8673dbceda369fd
-
C:\note.txtFilesize
218B
MD5afa6955439b8d516721231029fb9ca1b
SHA1087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA2568e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA5125da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf
-
\??\pipe\crashpad_4796_LJSNKWCPKHNCERXJMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/4712-265-0x0000024F8AB30000-0x0000024F8AB31000-memory.dmpFilesize
4KB
-
memory/4712-266-0x0000024F8AB30000-0x0000024F8AB31000-memory.dmpFilesize
4KB
-
memory/4712-267-0x0000024F8AB30000-0x0000024F8AB31000-memory.dmpFilesize
4KB
-
memory/4712-271-0x0000024F8AB30000-0x0000024F8AB31000-memory.dmpFilesize
4KB
-
memory/4712-272-0x0000024F8AB30000-0x0000024F8AB31000-memory.dmpFilesize
4KB
-
memory/4712-273-0x0000024F8AB30000-0x0000024F8AB31000-memory.dmpFilesize
4KB
-
memory/4712-274-0x0000024F8AB30000-0x0000024F8AB31000-memory.dmpFilesize
4KB
-
memory/4712-275-0x0000024F8AB30000-0x0000024F8AB31000-memory.dmpFilesize
4KB
-
memory/4712-276-0x0000024F8AB30000-0x0000024F8AB31000-memory.dmpFilesize
4KB
-
memory/4712-277-0x0000024F8AB30000-0x0000024F8AB31000-memory.dmpFilesize
4KB