3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

General

Target

MEMZ.exe
Size

16KB
MD5

1d5ad9c8d3fee874d0feb8bfac220a11
SHA1

ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA256

3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512

c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
SSDEEP

192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 2 IoCs

Processes:

firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
936	MEMZ.exe
920	MEMZ.exe
1932	MEMZ.exe
1420	MEMZ.exe
860	MEMZ.exe
936	MEMZ.exe
920	MEMZ.exe
1932	MEMZ.exe
1420	MEMZ.exe
860	MEMZ.exe
936	MEMZ.exe
920	MEMZ.exe
1932	MEMZ.exe
860	MEMZ.exe
1420	MEMZ.exe
936	MEMZ.exe
920	MEMZ.exe
1932	MEMZ.exe
860	MEMZ.exe
1420	MEMZ.exe
936	MEMZ.exe
920	MEMZ.exe
1932	MEMZ.exe
860	MEMZ.exe
1420	MEMZ.exe
936	MEMZ.exe
920	MEMZ.exe
1932	MEMZ.exe
1420	MEMZ.exe
860	MEMZ.exe
936	MEMZ.exe
920	MEMZ.exe
1932	MEMZ.exe
1420	MEMZ.exe
860	MEMZ.exe
936	MEMZ.exe
920	MEMZ.exe
1932	MEMZ.exe
1420	MEMZ.exe
860	MEMZ.exe
936	MEMZ.exe
920	MEMZ.exe
1420	MEMZ.exe
1932	MEMZ.exe
860	MEMZ.exe
936	MEMZ.exe
920	MEMZ.exe
1420	MEMZ.exe
860	MEMZ.exe
1932	MEMZ.exe
936	MEMZ.exe
920	MEMZ.exe
1420	MEMZ.exe
1932	MEMZ.exe
860	MEMZ.exe
936	MEMZ.exe
920	MEMZ.exe
1932	MEMZ.exe
1420	MEMZ.exe
860	MEMZ.exe
936	MEMZ.exe
920	MEMZ.exe
1932	MEMZ.exe
1420	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

firefox.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1576	firefox.exe
Token: SeDebugPrivilege	1576	firefox.exe
Token: 33	1756	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1756	AUDIODG.EXE
Token: 33	1756	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1756	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

1576 firefox.exe
1576 firefox.exe
1576 firefox.exe
1576 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1576 firefox.exe
1576 firefox.exe
1576 firefox.exe

pid	process
1576	firefox.exe
1576	firefox.exe
1576	firefox.exe
1576	firefox.exe

pid	process
1576	firefox.exe
1576	firefox.exe
1576	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MEMZ.exeMEMZ.exefirefox.exefirefox.exe

description	pid	process	target process
PID 1408 wrote to memory of 936	1408	MEMZ.exe	MEMZ.exe
PID 1408 wrote to memory of 936	1408	MEMZ.exe	MEMZ.exe
PID 1408 wrote to memory of 936	1408	MEMZ.exe	MEMZ.exe
PID 1408 wrote to memory of 936	1408	MEMZ.exe	MEMZ.exe
PID 1408 wrote to memory of 1420	1408	MEMZ.exe	MEMZ.exe
PID 1408 wrote to memory of 1420	1408	MEMZ.exe	MEMZ.exe
PID 1408 wrote to memory of 1420	1408	MEMZ.exe	MEMZ.exe
PID 1408 wrote to memory of 1420	1408	MEMZ.exe	MEMZ.exe
PID 1408 wrote to memory of 920	1408	MEMZ.exe	MEMZ.exe
PID 1408 wrote to memory of 920	1408	MEMZ.exe	MEMZ.exe
PID 1408 wrote to memory of 920	1408	MEMZ.exe	MEMZ.exe
PID 1408 wrote to memory of 920	1408	MEMZ.exe	MEMZ.exe
PID 1408 wrote to memory of 860	1408	MEMZ.exe	MEMZ.exe
PID 1408 wrote to memory of 860	1408	MEMZ.exe	MEMZ.exe
PID 1408 wrote to memory of 860	1408	MEMZ.exe	MEMZ.exe
PID 1408 wrote to memory of 860	1408	MEMZ.exe	MEMZ.exe
PID 1408 wrote to memory of 1932	1408	MEMZ.exe	MEMZ.exe
PID 1408 wrote to memory of 1932	1408	MEMZ.exe	MEMZ.exe
PID 1408 wrote to memory of 1932	1408	MEMZ.exe	MEMZ.exe
PID 1408 wrote to memory of 1932	1408	MEMZ.exe	MEMZ.exe
PID 1408 wrote to memory of 1496	1408	MEMZ.exe	MEMZ.exe
PID 1408 wrote to memory of 1496	1408	MEMZ.exe	MEMZ.exe
PID 1408 wrote to memory of 1496	1408	MEMZ.exe	MEMZ.exe
PID 1408 wrote to memory of 1496	1408	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 332	1496	MEMZ.exe	notepad.exe
PID 1496 wrote to memory of 332	1496	MEMZ.exe	notepad.exe
PID 1496 wrote to memory of 332	1496	MEMZ.exe	notepad.exe
PID 1496 wrote to memory of 332	1496	MEMZ.exe	notepad.exe
PID 1496 wrote to memory of 600	1496	MEMZ.exe	notepad.exe
PID 1496 wrote to memory of 600	1496	MEMZ.exe	notepad.exe
PID 1496 wrote to memory of 600	1496	MEMZ.exe	notepad.exe
PID 1496 wrote to memory of 600	1496	MEMZ.exe	notepad.exe
PID 980 wrote to memory of 1576	980	firefox.exe	firefox.exe
PID 980 wrote to memory of 1576	980	firefox.exe	firefox.exe
PID 980 wrote to memory of 1576	980	firefox.exe	firefox.exe
PID 980 wrote to memory of 1576	980	firefox.exe	firefox.exe
PID 980 wrote to memory of 1576	980	firefox.exe	firefox.exe
PID 980 wrote to memory of 1576	980	firefox.exe	firefox.exe
PID 980 wrote to memory of 1576	980	firefox.exe	firefox.exe
PID 980 wrote to memory of 1576	980	firefox.exe	firefox.exe
PID 980 wrote to memory of 1576	980	firefox.exe	firefox.exe
PID 980 wrote to memory of 1576	980	firefox.exe	firefox.exe
PID 980 wrote to memory of 1576	980	firefox.exe	firefox.exe
PID 980 wrote to memory of 1576	980	firefox.exe	firefox.exe
PID 1576 wrote to memory of 1688	1576	firefox.exe	firefox.exe
PID 1576 wrote to memory of 1688	1576	firefox.exe	firefox.exe
PID 1576 wrote to memory of 1688	1576	firefox.exe	firefox.exe
PID 1576 wrote to memory of 1600	1576	firefox.exe	firefox.exe
PID 1576 wrote to memory of 1600	1576	firefox.exe	firefox.exe
PID 1576 wrote to memory of 1600	1576	firefox.exe	firefox.exe
PID 1576 wrote to memory of 1600	1576	firefox.exe	firefox.exe
PID 1576 wrote to memory of 1600	1576	firefox.exe	firefox.exe
PID 1576 wrote to memory of 1600	1576	firefox.exe	firefox.exe
PID 1576 wrote to memory of 1600	1576	firefox.exe	firefox.exe
PID 1576 wrote to memory of 1600	1576	firefox.exe	firefox.exe
PID 1576 wrote to memory of 1600	1576	firefox.exe	firefox.exe
PID 1576 wrote to memory of 1600	1576	firefox.exe	firefox.exe
PID 1576 wrote to memory of 1600	1576	firefox.exe	firefox.exe
PID 1576 wrote to memory of 1600	1576	firefox.exe	firefox.exe
PID 1576 wrote to memory of 1600	1576	firefox.exe	firefox.exe
PID 1576 wrote to memory of 1600	1576	firefox.exe	firefox.exe
PID 1576 wrote to memory of 1600	1576	firefox.exe	firefox.exe
PID 1576 wrote to memory of 1600	1576	firefox.exe	firefox.exe
PID 1576 wrote to memory of 1600	1576	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:936

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1420

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:920

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:860

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1932

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
3⤵
PID:332

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:600

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1576

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.0.1516231935\1070601686" -parentBuildID 20221007134813 -prefsHandle 1172 -prefMapHandle 1152 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf246ffb-cbe8-4777-8193-a8de5cad4901} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 1248 13519858 gpu
3⤵
PID:1688

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.1.362751167\96404739" -parentBuildID 20221007134813 -prefsHandle 1440 -prefMapHandle 1436 -prefsLen 20971 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7ec678f-32fa-459d-85a8-105e9d6bbb1d} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 1452 d6f858 socket
3⤵
PID:1600

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.2.1322524687\183010321" -childID 1 -isForBrowser -prefsHandle 2032 -prefMapHandle 1996 -prefsLen 21119 -prefMapSize 232675 -jsInitHandle 792 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b4eb2c5-45b8-42ec-b1a3-75c58f3779ce} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 2220 4396458 tab
3⤵
PID:1880

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.3.240896941\432493421" -childID 2 -isForBrowser -prefsHandle 1616 -prefMapHandle 1612 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 792 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12c30b35-f4ef-4ea1-a1f1-d2db688dc66e} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 600 d62b58 tab
3⤵
PID:1768

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.4.1253618239\149295551" -childID 3 -isForBrowser -prefsHandle 2896 -prefMapHandle 2888 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 792 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {48545ed8-544b-4fc4-8464-90b6f1a77a02} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 2912 18a05558 tab
3⤵
PID:2108

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.5.1417699928\198385405" -childID 4 -isForBrowser -prefsHandle 3676 -prefMapHandle 3124 -prefsLen 26704 -prefMapSize 232675 -jsInitHandle 792 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e75bb98-8368-41fe-a425-b3342c7c43e6} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 3688 1d822358 tab
3⤵
PID:2568

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.6.618435016\961164714" -childID 5 -isForBrowser -prefsHandle 3848 -prefMapHandle 3852 -prefsLen 26704 -prefMapSize 232675 -jsInitHandle 792 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {23d24d1c-1dc1-4c64-9a21-2eda7c200376} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 3832 1d945a58 tab
3⤵
PID:2692

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.7.2142228117\1536357129" -childID 6 -isForBrowser -prefsHandle 3704 -prefMapHandle 3776 -prefsLen 26704 -prefMapSize 232675 -jsInitHandle 792 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8af60d79-197d-41b2-be51-5ac93a084966} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 3924 1d947b58 tab
3⤵
PID:2704

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1576.8.379130352\1646546510" -childID 7 -isForBrowser -prefsHandle 4312 -prefMapHandle 4216 -prefsLen 26704 -prefMapSize 232675 -jsInitHandle 792 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {709ca559-464d-4295-b9b4-dd7ab0848186} 1576 "\\.\pipe\gecko-crash-server-pipe.1576" 4160 1d994d58 tab
3⤵
PID:2320

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x578
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r2jq9p33.default-release\activity-stream.discovery_stream.json.tmp
Filesize
159KB

MD5
2b57194716f32e7035e26d1e3321d0e4

SHA1
6313d5eb86925bc404bc40fdad671bb0e1e0402a

SHA256
1f53c391509b8ed2060a7101417b10479d2cc04c6ebfdb0cd6aa7ce481375980

SHA512
9cdfb757b8bafe6af525ce02d3efb7670c85cea714f6652dec59f65038bc3af0da23fc27241f7b39e5266c4ca267e0fadda00f193d5eaa5e51e5331a89ae9135

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r2jq9p33.default-release\prefs.js
Filesize
6KB

MD5
aea271b9f2a2da81eb7d99f55962a847

SHA1
1dc293fe43c15c2a0981946123fc8b1327419699

SHA256
d89ae4708f2a5c0488f37331c35848c04a6f96b97e72c6af2668e56bdcf62dde

SHA512
9f35dc589f2ba5609de41d2cb59d4c2b6133ba86b32a7212a917e48f76c48d1f6ce500844f26ed84f97d5c74e22a185d59cc190a7d991653ce089b2546dcd4e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r2jq9p33.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
4d68a90be4f1ea8292734fc89e066055

SHA1
dfc0fa2136a8f8370387aa2558a92f2a90e659ff

SHA256
fb4512f9f60efe0d6c8d286613dd7b1b486415755324ec803aae986c33ba484b

SHA512
cd3866a66ced603cb1efe438bde9bb15f42f8270bf37dbf904b1f2ee82b41ee0ea1d5a46fd063dbadda22e48748b3fdb4ef6fbd751d4d54da5e8e43e7a91c2ad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r2jq9p33.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
278468ecf24b30dedef058e82567a4cf

SHA1
14b5cc1b71ef7520e04d9f046877aec56c725c43

SHA256
114224bf39e65b49fb19a52dee5695e0e453febd5cb60a98a303d6fc3047cbbd

SHA512
9ad7db4395495598f25d1b31a7b7625703ab6a897785b6c8faa5e12a2ad7d50cb58abd6c4ba18d4c782d000d955beb9fb9b9dd032df045d0523816d142a23b5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r2jq9p33.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
49c3012cec96e23664106debc040d33d

SHA1
334c3908e422ef29ed854a6973eaa17b01b82b25

SHA256
581b088b6c9054c1f89013faa66856fb1c4f946b0904f8cabf5401d932ca0468

SHA512
77cc865366ebad8b7dba9cc1025328416c107cc672a94a42609d8d7f8b00045e665ffce4c71daf12a5e0b2cfb8afd5ea0170aeed95db9088477dcd9259406c18

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads