Overview

overview

7

Static

static

1

MEMZ.exe

windows7-x64

6

MEMZ.exe

windows10-2004-x64

7

Resubmissions

05-04-2023 01:27

230405-bvfhgada5y 7

05-04-2023 01:24

230405-bsjr4sbb43 7

05-04-2023 01:18

230405-bn2gcsda3w 7

05-04-2023 01:16

230405-bnbwpsba84 7

05-04-2023 01:13

230405-blke3aba73 7

28-12-2022 04:22

221228-ezgswahd79 10

Analysis

  • max time kernel
    599s
  • max time network
    423s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    05-04-2023 01:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MEMZ.exe

  • Size

    16KB

  • MD5

    1d5ad9c8d3fee874d0feb8bfac220a11

  • SHA1

    ca6d3f7e6c784155f664a9179ca64e4034df9595

  • SHA256

    3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

  • SHA512

    c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

  • SSDEEP

    192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN

Score
6/10
bootkitpersistence

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1376
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1704
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1652
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1604
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1956
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1020
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1008
      • C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe" \note.txt
        3⤵
          PID:580
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=best+way+to+kill+yourself
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1676
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1636
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x2f8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1200

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Bootkit

    1
    T1067

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      61KB

      MD5

      e71c8443ae0bc2e282c73faead0a6dd3

      SHA1

      0c110c1b01e68edfacaeae64781a37b1995fa94b

      SHA256

      95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

      SHA512

      b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      d1a464409bec1fd19edcf050462329a3

      SHA1

      7b725fb3f40a4043e82b97795b850eed0a11de81

      SHA256

      098b74c5bed5de24dce6c7eac7731bc43d6e3324d20fbb9a289a12ff9903788b

      SHA512

      797aa37e74a2813e142a7b1375c60e8cda740ba8f69cc6e4419dcdc6b322ec97b2e92d1cc5ded3d8c576ae31f1df21babff3e935e84d198c393aeacb8559bdc3

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      7bbb0a2d49d442a45ac87e8717c16a5b

      SHA1

      42478c6214066aa1e53ddf32d8132fc7119b75e8

      SHA256

      e0fcb9bff9fbc7c321e660d0322d29be97a07dd53eeacf83d882f2a19422ba25

      SHA512

      79bfb237faf172d917a4823d090e6ce7de6867dced54a249f921a11db8853a845aaeaa7b1bd8c13ba5e45f06404040388e19ecc051184ecb4eebbff4f356577a

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      a34466ce6f39c2d93bfb2e13d2832617

      SHA1

      143c95d059a3a94e5b022b9b3d36b13cdccfcbd6

      SHA256

      837a4e4102754e735975d30e71b0fc7d2db31f5d88fb37415d79b620ce724277

      SHA512

      8a7e421614177993c19c111f8e818745d07f855613b91a7c0cc5082a2f50bc6a2c69378efd6436e74cfde2ab645a89f20182b8b80678fdd4c335e8b50bc2af18

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      6ad50930fb57015dcdd71e86f3393c94

      SHA1

      fa7989aebd1c56e76442b7acc10bbcc40b6e49bb

      SHA256

      96260d76907e04425337efb0324c9c7f875d7ad7438e92f9d4e35e831e677e79

      SHA512

      557252d845063e3008b1f04b5a36f8a95f3539f61b317028392737775d9268df90c43a496966f933bef9ab7c5c7b539f4c43ea4ca54289f0fe054f2635a4b6cf

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      3a23e2887709985b32297fa2f1d03c18

      SHA1

      9804c431475d9fed47faca73b4d682bd78fa2328

      SHA256

      2bfbaf09a4d46bed6bc3412613fc343469fa9419d9281488b5a563a34347716d

      SHA512

      2178e9a0230aa99a3e13fa756a35923ff2dda7bd40b8c274d6eb892f2d8dff1c13d4814e335fe55674bf7349e4a50c1e35f6bb96a595d1c095457d3cd83196a2

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      234bcb620220287590698858236b8f06

      SHA1

      a9c36d317e3f5257c1cafab31f8a2316c8f21d49

      SHA256

      81153dee35595e857b66722d7244c90207a8c270f509e645374bb06f7c91f6ad

      SHA512

      3db4c63a3f1843c22e70088a338001644f51e97bbb9e3d767e2149ec20651e5b9db9130f6b912767dbae659bf55ca61ef2118090d642b19bf02cf0a65d17e1f6

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      f4204c42f4f400af5a074e619d26884d

      SHA1

      d0d6c666392b938b2cf8c8dcb014ccf5060e83b1

      SHA256

      1944b62d13f4f690ea797b3daf5a4ee29e1489b1b231699f6826f9f6669dc2a2

      SHA512

      e2f1107973cd47387b9cd048c0ae7686eccb6034c09581be00bd2239d3d9d3a79adfa8f035dff2e5e0cb881f8508ebbadf919338042f6896322fda5dba12b01c

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      76d0668622d6836ab2e1ea8d733d9fe1

      SHA1

      a266c86a16a08d49821323d77391f974d4c13aa5

      SHA256

      bd793c718ec4938bbb29a0924344ca0342390ca1c9831ad39df0c0a324777c93

      SHA512

      95b85d3b60928059b47781f7ddc75599f3ec7e41bb047bf55a1907da54b00fc7b371b6866a020b2153e30bc8daf432f101b97ee1ff9c398c98bdd41bd464098b

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      edf274931abbde7d4e6d3e5f0216c8d5

      SHA1

      335729e60914dcd649bdb4cc58ae6a9c6c75c69b

      SHA256

      1267b41b2dff93dadb8b380e70e6d8229a65636c8f3095da721fbf3fe8a55c8a

      SHA512

      c5dd5f2ac112f1793f269d0d49e58c1fa3ce59da3e2541a53922640fd7e318a2be9f6d242b43bcc709108b1dccb56935f9a90b1c23f60730c93122bcfbd9d457

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\x4s3ygl\imagestore.dat
      Filesize

      9KB

      MD5

      4c515eabd959ed1c7d14a9571b1d90a5

      SHA1

      bb2cc956384ce2d703559db0e9ab91dd5582cd4d

      SHA256

      744bc8b6f699a7b6756a4eb3c2f21b6e9dc42fa6ad1e510a1021b550146544d9

      SHA512

      7050cb10c1afff46ebf0c461989d4ac832080487b0845a0428b1a1039c6e34ccc5135aa0fd61a030d6b1961d85153906eed73cad43c9b8bed635583d9678cfd5

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BYN4WSI\recaptcha__en[1].js
      Filesize

      406KB

      MD5

      d0341e93b2348180631183ce43097c5d

      SHA1

      74229ffec024c2df2138b558f3771ced36845013

      SHA256

      db20e355eec38641464097836c909673eebdadf82ace277df50847eea9e060b8

      SHA512

      14d853cbef5fec61d4f3c476b7b117f594aef8716eae289c472d5a4768acde39a43e900241d872ae1dd59ecf5752aa0aec26a6d84cfb8af438e2c04fb39046f7

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EV74ZOZO\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HYTOKVEV\styles__ltr[1].css
      Filesize

      55KB

      MD5

      83f90c5a4c20afb44429fa346fbadc10

      SHA1

      7c278ec721d3880fbafaadeba9ee80bdf294b014

      SHA256

      952833e41ba7a4b64c31a2d7b07dde81bf5bbacf5cbb967821cfe459d0c4a0d8

      SHA512

      4f0d19678a6758e67cb82652d49ee92a3646c3b4b68b93253c3e468e88506bb8ad78942d7be244b390bdd29a0d00026ad561c040c1b557067edc7887fe7119ee

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R2EIRHNV\favicon[2].ico
      Filesize

      5KB

      MD5

      f3418a443e7d841097c714d69ec4bcb8

      SHA1

      49263695f6b0cdd72f45cf1b775e660fdc36c606

      SHA256

      6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

      SHA512

      82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Cab2AEA.tmp
      Filesize

      61KB

      MD5

      fc4666cbca561e864e7fdf883a9e6661

      SHA1

      2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

      SHA256

      10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

      SHA512

      c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Tar2AEB.tmp
      Filesize

      161KB

      MD5

      73b4b714b42fc9a6aaefd0ae59adb009

      SHA1

      efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

      SHA256

      c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

      SHA512

      73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Tar2CF5.tmp
      Filesize

      161KB

      MD5

      be2bec6e8c5653136d3e72fe53c98aa3

      SHA1

      a8182d6db17c14671c3d5766c72e58d87c0810de

      SHA256

      1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

      SHA512

      0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GVTXAA13.txt
      Filesize

      608B

      MD5

      1088dd76ba9a2bd333c01652d4d8b022

      SHA1

      2688e20c97bf30b07c379d461d08d57e4e19cac7

      SHA256

      437dcad0ba5a5afd72a1c88feda95302293ee56abe10fb1b5fa06500584ae04d

      SHA512

      4e2651ee05bc32f476b6d33ee6735d5fa760e45287561f76446a4ea90e3b360c4c2b2730e1621daacaba43e033ea23d0ef7fd376289fa0911027055842e8bf3d

      Download Submit
    • C:\note.txt
      Filesize

      218B

      MD5

      afa6955439b8d516721231029fb9ca1b

      SHA1

      087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

      SHA256

      8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

      SHA512

      5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

      Download Submit