Overview

overview

7

Static

static

1

MEMZ.exe

windows7-x64

6

MEMZ.exe

windows10-2004-x64

7

Resubmissions

05-04-2023 01:27

230405-bvfhgada5y 7

05-04-2023 01:24

230405-bsjr4sbb43 7

05-04-2023 01:18

230405-bn2gcsda3w 7

05-04-2023 01:16

230405-bnbwpsba84 7

05-04-2023 01:13

230405-blke3aba73 7

28-12-2022 04:22

221228-ezgswahd79 10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    05-04-2023 01:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MEMZ.exe

  • Size

    16KB

  • MD5

    1d5ad9c8d3fee874d0feb8bfac220a11

  • SHA1

    ca6d3f7e6c784155f664a9179ca64e4034df9595

  • SHA256

    3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

  • SHA512

    c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

  • SSDEEP

    192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN

Score
6/10
bootkitpersistence

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2032
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1184
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1988
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:680
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:588
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe" \note.txt
        3⤵
          PID:1368
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=what+happens+if+you+delete+system32
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2036
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1144
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x2fc
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1548

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Bootkit

    1
    T1067

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      61KB

      MD5

      e71c8443ae0bc2e282c73faead0a6dd3

      SHA1

      0c110c1b01e68edfacaeae64781a37b1995fa94b

      SHA256

      95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

      SHA512

      b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      6a97695d22f1750a3ec3e36f59764bb8

      SHA1

      b790d4bd5bf889bc5d30ef745e13223c4fe270af

      SHA256

      3b8b660acc8d8cbe6ad9a5441d4845faf2ea075989ea5df9758586b102cae67d

      SHA512

      35669ddde2bbb3d8d3ebe423e21b1f60b19321d2bd07047eb476fd71fc132d6a838aabf5508412016a339817ac3b4181c0ab5e9aaaa2021ba33c54d3955d694e

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      afb87e86b7e964041eef70c5d91e9966

      SHA1

      390d09868615be03363b3c4f75ba0be79d222fc5

      SHA256

      d8d6c8c70fa34f2e6489afe2dcc7b3eb2872509a37c710894382c4ba6a4f3c54

      SHA512

      a4d860ecbbee0db7135e931d8da67d64eeb6eb64b7b16d8080e2f2f2405abfeab63ed3a17aaa5f3bdf3b8b55b2c826a7bce9460157d45cb03e0ddbf02b87fba7

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      26b8a7ed4d0c76c1df7de929a09702c2

      SHA1

      b7292830fcbcdb0d3bc32d8506312bb377d6c2d5

      SHA256

      f26a39368aa1b1be33e889a31cc7a6aa0e5a4b0fdfd638c7ec2ac43a01592e2f

      SHA512

      435183b5421df27b2bc4b72c8d44c9ad19ddee400d228509323375243aa2ff464c3090a340b8eacbc7b1cf27d828b8eee71f1db635148781d9a6c4cb2bbfb5f2

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      f553be0be129767e5213b292fcef349d

      SHA1

      6181823d43ceb7e918f1ac96a325277b9f9f0b8b

      SHA256

      89c38ea9cf183df2781a35c427d61d0e6409e54c2e8ce8ff03115426e7b848d0

      SHA512

      3830f05b210cfcd4d58ad118b9016894217ed3a48850e7a7f3df1099d8a7d94e0800e7d5b971ba585f738017f1660fec4052c1fbfd0e881711269d19d468d5a2

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ce58914166e27611cb9291fdb589aad8

      SHA1

      b499e1a5d90b759a89a04bd20a3867395b684620

      SHA256

      f99b8cfa01c32a7ed32d74f8203e57bd76bc2a8b3d80fd98c1382464c723faf7

      SHA512

      bbf3d69d980d5a45e98c7a0ef6283e78164f103e14b852644da2c00c5667ac160893836fff81df374bd4c51ec70a9bfc312947f9ec070bf80dbff1c4d21471b5

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      f43313df1e8a23ed49ec000cceb7b40f

      SHA1

      c3adce133de5b3d78d60b7d3297236dadad7dd18

      SHA256

      fff622a5d6c13ad70f55d14f8d3b33554056dbc175f334bb2cad37f0cfce507a

      SHA512

      bdf1f34ba645143f47d48e55e4fb138cd7791f811dc36a677e56b09ed564d3fc5f4e36893a413acbe8ad3b1a0e8d144d0e28a297369fc9378f86b20b8c9ebc33

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      8781d6e84885c3905fd54df7f481fadd

      SHA1

      f62cacf80d0777566be87cf60b3b5644a9babc2a

      SHA256

      7fd91b079bc08732bd2603b3a9652c95bd0b1d6c5e0f85c2a6e9081cd05990e2

      SHA512

      792217fd70a0afcd483088f111b6a84b42bf28989bc43140360de1abfdee0392f03acf4a926af839e9f0b225872cf016bf251b9a2cb8fb5698a7a5a355759b34

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\07asiie\imagestore.dat
      Filesize

      9KB

      MD5

      dcbf1a6f17ec38c2bec09bee176db49a

      SHA1

      be287556c7e1ab2ddb02f0be0bd5ff65b7877d57

      SHA256

      274ecc079059e0ed1db65040d1bb4b38dff0a898b976be6e71379a69b6a3f8af

      SHA512

      3319abfe51c082598f6f9e9f20b830654f66b0df9d0bb0959314e8967e2989c23ed66dbb6376474e49872ba43b0e49d804531c44a165ac1bb6a14a039de23794

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4D33E1QE\recaptcha__en[1].js
      Filesize

      406KB

      MD5

      d0341e93b2348180631183ce43097c5d

      SHA1

      74229ffec024c2df2138b558f3771ced36845013

      SHA256

      db20e355eec38641464097836c909673eebdadf82ace277df50847eea9e060b8

      SHA512

      14d853cbef5fec61d4f3c476b7b117f594aef8716eae289c472d5a4768acde39a43e900241d872ae1dd59ecf5752aa0aec26a6d84cfb8af438e2c04fb39046f7

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T210ZMR0\favicon[2].ico
      Filesize

      5KB

      MD5

      f3418a443e7d841097c714d69ec4bcb8

      SHA1

      49263695f6b0cdd72f45cf1b775e660fdc36c606

      SHA256

      6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

      SHA512

      82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T210ZMR0\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TF0W5LQL\styles__ltr[1].css
      Filesize

      55KB

      MD5

      83f90c5a4c20afb44429fa346fbadc10

      SHA1

      7c278ec721d3880fbafaadeba9ee80bdf294b014

      SHA256

      952833e41ba7a4b64c31a2d7b07dde81bf5bbacf5cbb967821cfe459d0c4a0d8

      SHA512

      4f0d19678a6758e67cb82652d49ee92a3646c3b4b68b93253c3e468e88506bb8ad78942d7be244b390bdd29a0d00026ad561c040c1b557067edc7887fe7119ee

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\CabC43.tmp
      Filesize

      61KB

      MD5

      fc4666cbca561e864e7fdf883a9e6661

      SHA1

      2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

      SHA256

      10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

      SHA512

      c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\TarC55.tmp
      Filesize

      161KB

      MD5

      73b4b714b42fc9a6aaefd0ae59adb009

      SHA1

      efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

      SHA256

      c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

      SHA512

      73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\TarE2F.tmp
      Filesize

      161KB

      MD5

      be2bec6e8c5653136d3e72fe53c98aa3

      SHA1

      a8182d6db17c14671c3d5766c72e58d87c0810de

      SHA256

      1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

      SHA512

      0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4T0IOZ3B.txt
      Filesize

      605B

      MD5

      3d137ce03d82a5a6e11e08c22d188a58

      SHA1

      745dc0f042682beb8abe4b059e1ff2d22a8c47c4

      SHA256

      37cb1b2466988d0d07d43f38aecada08df8ce51e229460570e04dc9d2b5a036d

      SHA512

      836ded4dbdade8f25bb8538fc20002d4381ed009050acc370f79d96f580c680c82c130cb6e3563c3c74207a53c596bad3a0ba10c9393b9d376afd76d1aa20a68

      Download Submit
    • C:\note.txt
      Filesize

      218B

      MD5

      afa6955439b8d516721231029fb9ca1b

      SHA1

      087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

      SHA256

      8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

      SHA512

      5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

      Download Submit