Analysis
max time kernel: 39s
max time network: 74s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-04-2023 08:33
Static task: static1
Behavioral task: behavioral1
  Sample: memz.bat
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: memz.bat
  Resource: win10v2004-20230220-en
General
Target: memz.bat
Size: 13KB
MD5: 44fbd58c401a7786da2e8b6a6291379e
SHA1: 9dbfd08fa557d9dce79911eb4bbddb2008d4f53f
SHA256: d8b47727ea05305ad396977b336c3bfc86ae122cdde01976fa9b0c3a7c2d3f24
SHA512: c369f749ba3ef4e463524b3483c4250311c2a19414a49dc86c052cac9c9d0a3b05dbdbf71b854ccf6f46abc46e439f9264c7672e22a0c3004b7d679e26a56de3
SSDEEP: 192:vOyUySl0UaDz2gWsIzlmj+BxZ3yqueWQx0lZicyC8Sh31xcjBzyxwn7AVhllz3:vVODaDSHMql3yqlxy5L1xcjwrlz3
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: MEMZ.exe, MEMZ.exe
  description / ioc / process
  Key value queried  \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation  MEMZ.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation  MEMZ.exe

Executes dropped EXE (7 IoCs)
Processes: MEMZ.exe (x7)
  pid / process
  3724  MEMZ.exe
  4400  MEMZ.exe
  3384  MEMZ.exe
  3660  MEMZ.exe
  2304  MEMZ.exe
  4596  MEMZ.exe
  4252  MEMZ.exe

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: MEMZ.exe
  description / ioc / process
  File opened for modification  \??\PhysicalDrive0  MEMZ.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
  description / ioc / process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  taskmgr.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  taskmgr.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: MEMZ.exe (PIDs 4400, 3384, 3660, 2304, 4596)
  pid / process (all entries are MEMZ.exe; PIDs in the order reported)
  4400, 4400, 4400, 4400, 4400, 4400, 3384, 3384, 3660, 3660, 3384, 4400, 4400, 3384, 4596, 4596, 4400, 4400, 3384, 2304, 3384, 3660, 2304, 3660, 2304, 2304, 3384, 4400, 3384, 4400, 4596, 4596, 2304, 3660, 2304, 3660, 2304, 4596, 2304, 4596, 3384, 3384, 4400, 4400, 2304, 2304, 3660, 3660, 2304, 2304, 4400, 4400, 4596, 4596, 3384, 3384, 3384, 4596, 4596, 3384, 2304, 2304, 4400, 4400
  totals per PID: 4400 x18, 3384 x14, 2304 x14, 4596 x10, 3660 x8

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: taskmgr.exe
  description / pid / process
  Token: SeDebugPrivilege  520  taskmgr.exe
  Token: SeSystemProfilePrivilege  520  taskmgr.exe
  Token: SeCreateGlobalPrivilege  520  taskmgr.exe

Suspicious use of FindShellTrayWindow (28 IoCs)
Processes: taskmgr.exe
  pid / process
  520  taskmgr.exe (28 identical entries)

Suspicious use of SendNotifyMessage (28 IoCs)
Processes: taskmgr.exe
  pid / process
  520  taskmgr.exe (28 identical entries)

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: MEMZ.exe
  pid / process
  4252  MEMZ.exe

Suspicious use of WriteProcessMemory (26 IoCs)
Processes: cmd.exe, MEMZ.exe, MEMZ.exe
  description: PID <source> wrote to memory of <target>
  source pid / source process / target pid / target process / entries
  2488  cmd.exe   2448  cscript.exe  x2
  2488  cmd.exe   3724  MEMZ.exe     x3
  3724  MEMZ.exe  4400  MEMZ.exe     x3
  3724  MEMZ.exe  3384  MEMZ.exe     x3
  3724  MEMZ.exe  3660  MEMZ.exe     x3
  3724  MEMZ.exe  2304  MEMZ.exe     x3
  3724  MEMZ.exe  4596  MEMZ.exe     x3
  3724  MEMZ.exe  4252  MEMZ.exe     x3
  4252  MEMZ.exe  4216  notepad.exe  x3
Processes

C:\Windows\system32\cmd.exe (PID 2488)
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\memz.bat"
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cscript.exe (PID 2448)
    command line: cscript x.js
  C:\Users\Admin\AppData\Roaming\MEMZ.exe (PID 3724)
    command line: "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\MEMZ.exe (PID 4400)
      command line: "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Roaming\MEMZ.exe (PID 3384)
      command line: "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Roaming\MEMZ.exe (PID 3660)
      command line: "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Roaming\MEMZ.exe (PID 2304)
      command line: "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Roaming\MEMZ.exe (PID 4596)
      command line: "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Roaming\MEMZ.exe (PID 4252)
      command line: "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
      - Checks computer location settings
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\notepad.exe (PID 4216)
        command line: "C:\Windows\System32\notepad.exe" \note.txt

C:\Windows\system32\taskmgr.exe (PID 520)
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\LogonUI.exe (PID 4896)
  command line: "LogonUI.exe" /flags:0x4 /state0:0xa39ba855 /state1:0x41c64e6d
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\x
  Filesize: 4KB
  MD5: 214f98cb6a54654a4ca5c456f16aed0a
  SHA1: 2229090d2f6a1814ba648e5b5a5ae26389cba5a0
  SHA256: 45f18ccd8df88c127304a7855a608661b52b0ca813e87e06d87da15259c45037
  SHA512: 5f058b05f166e2688df7b3960e135ada25bbcdfbb62a11da3cf9e70c08c51e5589a1e6ca2250318a694d27197f2c5ba1028c443831c43fba2171ca8e072e9873

C:\Users\Admin\AppData\Local\Temp\x
  Filesize: 11KB
  MD5: 1882f3dd051e401349f1af58d55b0a37
  SHA1: 6b0875f9e3164f3a9f21c1ec36748a7243515b47
  SHA256: 3c8cea1a86f07b018e637a1ea2649d907573f78c7e4025ef7e514362d09ff6c0
  SHA512: fec96d873997b5c6c82a94f8796c88fc2dd38739277c517b8129277dcbda02576851f1e27bdb2fbb7255281077d5b9ba867f6dfe66bedfc859c59fdd3bbffacf

C:\Users\Admin\AppData\Local\Temp\x.js
  Filesize: 448B
  MD5: 8eec8704d2a7bc80b95b7460c06f4854
  SHA1: 1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326
  SHA256: aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596
  SHA512: e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

C:\Users\Admin\AppData\Local\Temp\z.zip (2 identical entries)
  Filesize: 8KB
  MD5: 63ee4412b95d7ad64c54b4ba673470a7
  SHA1: 1cf423c6c2c6299e68e1927305a3057af9b3ce06
  SHA256: 44c1857b1c4894b3dfbaccbe04905652e634283dcf6b06c25a74b17021e2a268
  SHA512: 7ff153826bd5fed0a410f6d15a54787b79eba927d5b573c8a7f23f4ecef7bb223d79fd29fe8c2754fbf5b4c77ab7c41598f2989b6f4c7b2aa2f579ef4af06ee7

C:\Users\Admin\AppData\Roaming\MEMZ.exe (8 identical entries)
  Filesize: 14KB
  MD5: 19dbec50735b5f2a72d4199c4e184960
  SHA1: 6fed7732f7cb6f59743795b2ab154a3676f4c822
  SHA256: a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
  SHA512: aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

C:\note.txt
  Filesize: 218B
  MD5: afa6955439b8d516721231029fb9ca1b
  SHA1: 087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
  SHA256: 8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
  SHA512: 5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Memory dumps (PID 520, each 4KB, same region 0x0000022026470000-0x0000022026471000):
  memory/520-324-0x0000022026470000-0x0000022026471000-memory.dmp  Filesize: 4KB
  memory/520-325-0x0000022026470000-0x0000022026471000-memory.dmp  Filesize: 4KB
  memory/520-326-0x0000022026470000-0x0000022026471000-memory.dmp  Filesize: 4KB
  memory/520-330-0x0000022026470000-0x0000022026471000-memory.dmp  Filesize: 4KB
  memory/520-331-0x0000022026470000-0x0000022026471000-memory.dmp  Filesize: 4KB
  memory/520-332-0x0000022026470000-0x0000022026471000-memory.dmp  Filesize: 4KB
  memory/520-333-0x0000022026470000-0x0000022026471000-memory.dmp  Filesize: 4KB
  memory/520-334-0x0000022026470000-0x0000022026471000-memory.dmp  Filesize: 4KB
  memory/520-335-0x0000022026470000-0x0000022026471000-memory.dmp  Filesize: 4KB
  memory/520-336-0x0000022026470000-0x0000022026471000-memory.dmp  Filesize: 4KB