Overview

overview

7

Static

static

3

MEMZ.exe

windows7-x64

6

MEMZ.exe

windows10-2004-x64

7

Resubmissions

05-05-2023 12:47

230505-pz63waaf24 7

04-05-2023 21:52

230504-1q4f6sfd43 8

04-05-2023 20:56

230504-zrfwtsha3v 7

04-05-2023 20:51

230504-znmvzagh9t 7

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    04-05-2023 20:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MEMZ.exe

  • Size

    16KB

  • MD5

    1d5ad9c8d3fee874d0feb8bfac220a11

  • SHA1

    ca6d3f7e6c784155f664a9179ca64e4034df9595

  • SHA256

    3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

  • SHA512

    c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

  • SSDEEP

    192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN

Score
6/10
bootkitpersistence

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:820
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:908
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:904
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1724
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1992
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1004
    • C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe" \note.txt
        3⤵
          PID:772
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=skrillex+scay+onster+an+nice+sprites+midi
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1744
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1744 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1916
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x2f4
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1728

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      62KB

      MD5

      3ac860860707baaf32469fa7cc7c0192

      SHA1

      c33c2acdaba0e6fa41fd2f00f186804722477639

      SHA256

      d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

      SHA512

      d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      0afefe8f1a83be192cf699166acf4dee

      SHA1

      b5ebddbc1c039a40e4281c3d05871eb3545986a6

      SHA256

      423365cf3f97a1e5a17f27cb3897cc35c638ec1332bb4aaa6ee8745be6e98512

      SHA512

      2e413030743a18ee076f4cd2f18793812d0761191918fafedaefdf7903e81bc388dfe22276ebf88a4d5da101bb0303dcaf34ec88b58cd40321208d1be9acd7c0

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      bfcaad45c773ff051dd9e9aa76b3d97e

      SHA1

      ae34e753cc3323ccbd86ead18ce8c8581652b5e8

      SHA256

      8e1b883e0c77984f7ca483414219eedf86da99ed42c90526094bf4cbfbfc99c5

      SHA512

      d95d3ab54a92019b54cebaca6dcf14b34a6a663d8025062c0cb1bc1e046ea41d0ff4eb1d2365af674a7f1c23efed2dd20bceeb27880eabfcd0aac620e5d6174a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      bfcaad45c773ff051dd9e9aa76b3d97e

      SHA1

      ae34e753cc3323ccbd86ead18ce8c8581652b5e8

      SHA256

      8e1b883e0c77984f7ca483414219eedf86da99ed42c90526094bf4cbfbfc99c5

      SHA512

      d95d3ab54a92019b54cebaca6dcf14b34a6a663d8025062c0cb1bc1e046ea41d0ff4eb1d2365af674a7f1c23efed2dd20bceeb27880eabfcd0aac620e5d6174a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      d4305dedc702b9bdadad643e26bb4c8f

      SHA1

      be5e2b5eb172a3e06b667243ada3307c25a12d79

      SHA256

      2a0f87940697054cdf0536b51f30a3525998bb02aed9db6d224baaf21e5140e9

      SHA512

      b1381b3a17ee5806f428f7f9fa3cc0777663ed4e36f172b95224abb96413f451773ba44e7ab90b18d418055d94a9c63b18c7494598f853798e73e11662fd40a8

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      a58885dcca1a93b35e0920bd2568cb62

      SHA1

      9ddd279b7ddb9a17a1766de28a612d1918ee4478

      SHA256

      1ee71f605aa1eca9a618d3c35790b22fab3dacdcaed71ba2d77272e8f37a2685

      SHA512

      738dd2ba710d75e2d611341c10e74d71090ec55d034e0e8eec5884af2c106b3eae26681f9a32c49160dfa7f031b103f23775be517165848cbd22768ad4d7ff02

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      fc750af8d67d7ef9c3efe5b53a550bc4

      SHA1

      0359392d848852cfcf41277d7a44fad464f6ac70

      SHA256

      2c4c8f8fb3d6e8db05a1fe4ed46484d542dcd498bf8ccfa306a4d35f9fd634bb

      SHA512

      a9e66075d209a194bcc38d20033c179c2f6b1ee1b0ae95526305fa209075c38bb6f90c29fcfe5d5f5409c7bcee6f347c3383c8630cf452005f12f983eb72f608

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      017f2c34bc9a8c95ddcab210c7762520

      SHA1

      09884951aec2e4610fc88704e8135dd78ca7a783

      SHA256

      aa0c3735ed2c675c61993f4e9651ea4e14f3732fd38869ff45990f9ec64b61a9

      SHA512

      6351a15560bd8e7b8f65d12566d7e6a9c2e72169034fd8fd47507fd3a3024b648e20a687e1d91ee3550207f2bb6bd017bcd57ca91e1ea81650d56fb80b268b15

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      dcc9989619fe02dfe8d0db8691033b58

      SHA1

      bb81fa454b635b2133488ba7f930bb0e66593594

      SHA256

      51597729edb801da2746ba7f8f56c3a6bfddfdb19d2499f433453bffe26c2f9e

      SHA512

      6f4270f2bd4f7b45e192bdf867af84920f1ff2f99fe593814500fe0f2f889b7f4e5910a22804d5c4391a9e4f5acdfa81f14831a59b26f5b58b115e1c27792f9f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      7e5c1371a91385c3feb98a626ad6c577

      SHA1

      4166f4870290838eb7524fe0eab2351aefb8d9d3

      SHA256

      28b19a43ac4599d220f57c9d5c3227caaf9e1aa6b4e4fba4ca8b31f9044a5a9a

      SHA512

      c9115993c572be83adf70549c8e986513827f5bf1f1c3777ce87f95fb03df08af3662844e6fefc9f84f96afb75740be17570bebb81a9eb645e3dd6c7685916b2

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      dd62f12ed9fe024d24b13a0c11594f66

      SHA1

      0799374e782c087700b8a860d1f8ea525fbfd7b7

      SHA256

      57d4ef9df1365abb195b7f8118a5c68365df61597d9921989171d7b187eae03d

      SHA512

      94df817aee47ca5377588bb0d3be63785c116c32ea62d76c8782066ccf8f8d52e0cd9b686be3bb1b1cc61333239cf7014d9612d8407040b1e61201c4bf4516cd

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      fa7261fefa2b06e5a083c0d83ae250b1

      SHA1

      c87e81427685279462de63b14211ccfadcbeabac

      SHA256

      f60612a7df2e5bfb21aa55b43cdb65c95f873330d778d95711e16066a98cfe99

      SHA512

      defeb8e97a86837cd57e3f62d42bc76415d7ab5ea9d59a5695992ab1cf44198b9e97bd0d5aff07c6b10f1069177a80a7b0ba6d40ee42d83fb9693f680bf06d54

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\x4s3ygl\imagestore.dat
      Filesize

      9KB

      MD5

      d17b031ddc356e3737a5f3034f989140

      SHA1

      cef85db375a009d13b81ceff9edcdb15e47436f8

      SHA256

      a6325211012d3cbb3717f68d8a369c454edabe3fd343e18245d84e090b012a8b

      SHA512

      43dd233df97a27a11770e300a564adfbd587d53a4c61f39186f199532d26f7c4fe609bf46afa74784a45eb455ab686b82bdd6405add17c871699b2f067e0419e

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HYTOKVEV\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R2EIRHNV\favicon[2].ico
      Filesize

      5KB

      MD5

      f3418a443e7d841097c714d69ec4bcb8

      SHA1

      49263695f6b0cdd72f45cf1b775e660fdc36c606

      SHA256

      6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

      SHA512

      82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab3ED7.tmp
      Filesize

      61KB

      MD5

      fc4666cbca561e864e7fdf883a9e6661

      SHA1

      2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

      SHA256

      10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

      SHA512

      c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar3ED9.tmp
      Filesize

      161KB

      MD5

      73b4b714b42fc9a6aaefd0ae59adb009

      SHA1

      efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

      SHA256

      c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

      SHA512

      73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar4096.tmp
      Filesize

      164KB

      MD5

      4ff65ad929cd9a367680e0e5b1c08166

      SHA1

      c0af0d4396bd1f15c45f39d3b849ba444233b3a2

      SHA256

      c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

      SHA512

      f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NNVIEP2M.txt
      Filesize

      608B

      MD5

      2af86a0036d25e46d2789f269a585574

      SHA1

      d6c926fe7c9e61cf5632938498de5e786ebfe643

      SHA256

      cf5c52fa18b24dcdf2dd68a0fb98f4ab43c755877f93f34495ef250e54e366de

      SHA512

      6b8abc3837bd3a469654d3762b155e561da89c08cbdb38f48fc22c71beffc067a1fc9a12b548785f9bf5197caf694f7ba3c5311192514d308d8548632f502a93

      Download Submit

    • C:\note.txt
      Filesize

      218B

      MD5

      afa6955439b8d516721231029fb9ca1b

      SHA1

      087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

      SHA256

      8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

      SHA512

      5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

      Download Submit