Overview

overview

7

Static

static

1

MEMZ 3.0/MEMZ.bat

windows10-1703-x64

7

MEMZ 3.0/MEMZ.exe

windows10-1703-x64

6

Analysis

  • max time kernel
    91s
  • max time network
    73s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03-04-2023 16:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MEMZ 3.0/MEMZ.bat

  • Size

    12KB

  • MD5

    13a43c26bb98449fd82d2a552877013a

  • SHA1

    71eb7dc393ac1f204488e11f5c1eef56f1e746af

  • SHA256

    5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513

  • SHA512

    602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a

  • SSDEEP

    384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

Score
7/10
bootkitpersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 45 IoCs
  • Suspicious use of SendNotifyMessage 43 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Windows\system32\cscript.exe
      cscript x.js
      2⤵
      • Suspicious use of FindShellTrayWindow
      PID:4784
    • C:\Users\Admin\AppData\Roaming\MEMZ.exe
      "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:756
      • C:\Users\Admin\AppData\Roaming\MEMZ.exe
        "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4924
      • C:\Users\Admin\AppData\Roaming\MEMZ.exe
        "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4920
      • C:\Users\Admin\AppData\Roaming\MEMZ.exe
        "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4032
      • C:\Users\Admin\AppData\Roaming\MEMZ.exe
        "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4772
        • C:\Windows\SysWOW64\notepad.exe
          "C:\Windows\System32\notepad.exe" \note.txt
          4⤵
            PID:4188
          • C:\Windows\SysWOW64\control.exe
            "C:\Windows\System32\control.exe"
            4⤵
              PID:356
          • C:\Users\Admin\AppData\Roaming\MEMZ.exe
            "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:3196
          • C:\Users\Admin\AppData\Roaming\MEMZ.exe
            "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4348
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
        1⤵
          PID:660
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
          1⤵
            PID:32
          • C:\Windows\system32\taskmgr.exe
            "C:\Windows\system32\taskmgr.exe" /4
            1⤵
            • Drops file in Windows directory
            • Checks SCSI registry key(s)
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:3720
          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
            1⤵
            • Drops file in Windows directory
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2192
          • C:\Windows\system32\browser_broker.exe
            C:\Windows\system32\browser_broker.exe -Embedding
            1⤵
            • Modifies Internet Explorer settings
            PID:2532
          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
            1⤵
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:2924
          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
            1⤵
            • Drops file in Windows directory
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            PID:1536
          • C:\Windows\system32\taskmgr.exe
            "C:\Windows\system32\taskmgr.exe" /4
            1⤵
              PID:704
            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
              1⤵
                PID:1012
              • C:\Windows\system32\browser_broker.exe
                C:\Windows\system32\browser_broker.exe -Embedding
                1⤵
                  PID:204

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Initial Access

                Execution

                Persistence

                Bootkit

                1
                T1067

                Privilege Escalation

                Defense Evasion

                Modify Registry

                1
                T1112

                Credential Access

                Discovery

                Query Registry

                2
                T1012

                System Information Discovery

                3
                T1082

                Peripheral Device Discovery

                1
                T1120

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\Microsoft\Windows\3720402701\2219095117.pri
                  Filesize

                  207KB

                  MD5

                  e2b88765ee31470114e866d939a8f2c6

                  SHA1

                  e0a53b8511186ff308a0507b6304fb16cabd4e1f

                  SHA256

                  523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e

                  SHA512

                  462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x
                  Filesize

                  4KB

                  MD5

                  c6e68ff1dc039af122429c3c5418630f

                  SHA1

                  771938ab02aaf6714782ea1c70420794848b1d9c

                  SHA256

                  b18e0bb23b9b78ca561b9499853ec5be84f67fcb7db5c7e207c6da1b89c17dbb

                  SHA512

                  837b8b31d381030b79a1b85449238b8770999dde21dd705aec81a0205cfc40cb2f65fb7877de479bae9ca96c1233a62078332c93db764389bd6f26985b61c9b7

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x
                  Filesize

                  10KB

                  MD5

                  fc59b7d2eb1edbb9c8cb9eb08115a98e

                  SHA1

                  90a6479ce14f8548df54c434c0a524e25efd9d17

                  SHA256

                  a05b9be9dd87492f265094146e18d628744c6b09c0e7efaabf228a9f1091a279

                  SHA512

                  3392cfc0dbddb37932e76da5a49f4e010a49aaa863c882b85cccab676cd458cfc8f880d8a0e0dc7581175f447e6b0a002da1591ecd14756650bb74996eacd2b1

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x.js
                  Filesize

                  448B

                  MD5

                  8eec8704d2a7bc80b95b7460c06f4854

                  SHA1

                  1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

                  SHA256

                  aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

                  SHA512

                  e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\z.zip
                  Filesize

                  7KB

                  MD5

                  cf0c19ef6909e5c1f10c8460ba9299d8

                  SHA1

                  875b575c124acfc1a4a21c1e05acb9690e50b880

                  SHA256

                  abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

                  SHA512

                  d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\z.zip
                  Filesize

                  7KB

                  MD5

                  cf0c19ef6909e5c1f10c8460ba9299d8

                  SHA1

                  875b575c124acfc1a4a21c1e05acb9690e50b880

                  SHA256

                  abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

                  SHA512

                  d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\MEMZ.exe
                  Filesize

                  12KB

                  MD5

                  a7bcf7ea8e9f3f36ebfb85b823e39d91

                  SHA1

                  761168201520c199dba68add3a607922d8d4a86e

                  SHA256

                  3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

                  SHA512

                  89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\MEMZ.exe
                  Filesize

                  12KB

                  MD5

                  a7bcf7ea8e9f3f36ebfb85b823e39d91

                  SHA1

                  761168201520c199dba68add3a607922d8d4a86e

                  SHA256

                  3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

                  SHA512

                  89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\MEMZ.exe
                  Filesize

                  12KB

                  MD5

                  a7bcf7ea8e9f3f36ebfb85b823e39d91

                  SHA1

                  761168201520c199dba68add3a607922d8d4a86e

                  SHA256

                  3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

                  SHA512

                  89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\MEMZ.exe
                  Filesize

                  12KB

                  MD5

                  a7bcf7ea8e9f3f36ebfb85b823e39d91

                  SHA1

                  761168201520c199dba68add3a607922d8d4a86e

                  SHA256

                  3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

                  SHA512

                  89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\MEMZ.exe
                  Filesize

                  12KB

                  MD5

                  a7bcf7ea8e9f3f36ebfb85b823e39d91

                  SHA1

                  761168201520c199dba68add3a607922d8d4a86e

                  SHA256

                  3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

                  SHA512

                  89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\MEMZ.exe
                  Filesize

                  12KB

                  MD5

                  a7bcf7ea8e9f3f36ebfb85b823e39d91

                  SHA1

                  761168201520c199dba68add3a607922d8d4a86e

                  SHA256

                  3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

                  SHA512

                  89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\MEMZ.exe
                  Filesize

                  12KB

                  MD5

                  a7bcf7ea8e9f3f36ebfb85b823e39d91

                  SHA1

                  761168201520c199dba68add3a607922d8d4a86e

                  SHA256

                  3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

                  SHA512

                  89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\MEMZ.exe
                  Filesize

                  12KB

                  MD5

                  a7bcf7ea8e9f3f36ebfb85b823e39d91

                  SHA1

                  761168201520c199dba68add3a607922d8d4a86e

                  SHA256

                  3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

                  SHA512

                  89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

                  Download Submit
                • C:\note.txt
                  Filesize

                  218B

                  MD5

                  afa6955439b8d516721231029fb9ca1b

                  SHA1

                  087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

                  SHA256

                  8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

                  SHA512

                  5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

                  Download Submit
                • memory/2192-300-0x0000028347920000-0x0000028347930000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/2192-318-0x0000028348100000-0x0000028348110000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/2192-337-0x0000028347AB0000-0x0000028347AB1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/2192-339-0x0000028347AF0000-0x0000028347AF2000-memory.dmp
                  Filesize

                  8KB

                  Download
                • memory/2192-341-0x000002834C420000-0x000002834C422000-memory.dmp
                  Filesize

                  8KB

                  Download
                • memory/2192-342-0x000002834C490000-0x000002834C492000-memory.dmp
                  Filesize

                  8KB

                  Download
                • memory/2192-361-0x0000028347D10000-0x0000028347D12000-memory.dmp
                  Filesize

                  8KB

                  Download
                • memory/2192-364-0x0000028347AB0000-0x0000028347AB1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/2192-368-0x0000028347A60000-0x0000028347A61000-memory.dmp
                  Filesize

                  4KB

                  Download