8c050ced0160c414ea47478bf368c6ff8e7a59b111280fd5a24403521b5e8bf9

Analysis

max time kernel
365s
max time network
400s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11/05/2023, 16:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

images (58).jpg
Size

11KB
MD5

dc35a54382642a688bee7407793507a1
SHA1

dfcf1e42694c989d68ea40eaab7c6bb432e3aae1
SHA256

8c050ced0160c414ea47478bf368c6ff8e7a59b111280fd5a24403521b5e8bf9
SHA512

75db6c836cf4a457f4ecae76597103104cf60c227ba83429199c296e4b907398340198f1e93cb63a3c4b2f73a4d7558de54e2f7d1d0122d4d165f8c1ef7570c2
SSDEEP

192:Gx9BnLaNx3FVSoAIDdlno6YbNvAelXqwqhdCPd+YE9MCsvmBDRHzbHlsbFyChEv6:uHUFwoo6cNvAelXihEPd+YLvm/MFphEi

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 32 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\gitignore_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\md_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\gitignore_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\.gitignore\ = "gitignore_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\gitignore_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\.md\ = "md_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\md_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\md_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\gitignore_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\md_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\md_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\.md	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\gitignore_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\.gitignore	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\gitignore_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\md_auto_file\shell\Read	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 7 IoCs

pid	Process
3056	rundll32.exe
2248	rundll32.exe
2800	rundll32.exe
2896	rundll32.exe
824	rundll32.exe
2908	rundll32.exe
3036	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2624	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2624	AUDIODG.EXE
Token: 33	2624	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2624	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2720	AcroRd32.exe
2720	AcroRd32.exe
2788	AcroRd32.exe
2788	AcroRd32.exe
2788	AcroRd32.exe
1696	AcroRd32.exe
1696	AcroRd32.exe
2824	AcroRd32.exe
2824	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2720	1508	rundll32.exe	67
PID 1508 wrote to memory of 2720	1508	rundll32.exe	67
PID 1508 wrote to memory of 2720	1508	rundll32.exe	67
PID 1508 wrote to memory of 2720	1508	rundll32.exe	67
PID 3056 wrote to memory of 2788	3056	rundll32.exe	69
PID 3056 wrote to memory of 2788	3056	rundll32.exe	69
PID 3056 wrote to memory of 2788	3056	rundll32.exe	69
PID 3056 wrote to memory of 2788	3056	rundll32.exe	69
PID 808 wrote to memory of 1696	808	rundll32.exe	75
PID 808 wrote to memory of 1696	808	rundll32.exe	75
PID 808 wrote to memory of 1696	808	rundll32.exe	75
PID 808 wrote to memory of 1696	808	rundll32.exe	75
PID 3036 wrote to memory of 1580	3036	rundll32.exe	99
PID 3036 wrote to memory of 1580	3036	rundll32.exe	99
PID 3036 wrote to memory of 1580	3036	rundll32.exe	99
PID 1580 wrote to memory of 2292	1580	firefox.exe	100
PID 1580 wrote to memory of 2292	1580	firefox.exe	100
PID 1580 wrote to memory of 2292	1580	firefox.exe	100
PID 1580 wrote to memory of 2292	1580	firefox.exe	100
PID 1580 wrote to memory of 2292	1580	firefox.exe	100
PID 1580 wrote to memory of 2292	1580	firefox.exe	100
PID 1580 wrote to memory of 2292	1580	firefox.exe	100
PID 1580 wrote to memory of 2292	1580	firefox.exe	100
PID 1580 wrote to memory of 2292	1580	firefox.exe	100
PID 1580 wrote to memory of 2292	1580	firefox.exe	100
PID 1580 wrote to memory of 2292	1580	firefox.exe	100
PID 1580 wrote to memory of 2292	1580	firefox.exe	100
PID 2292 wrote to memory of 2840	2292	firefox.exe	101
PID 2292 wrote to memory of 2840	2292	firefox.exe	101
PID 2292 wrote to memory of 2840	2292	firefox.exe	101
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102
PID 2292 wrote to memory of 556	2292	firefox.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen "C:\Users\Admin\AppData\Local\Temp\images (58).jpg"
1⤵
PID:1164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1340,i,18300949377405019811,2985174173996813982,131072 /prefetch:2
1⤵
PID:1400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:2
1⤵
PID:932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1480 --field-trial-handle=1340,i,18300949377405019811,2985174173996813982,131072 /prefetch:8
1⤵
PID:1524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1464 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:8
1⤵
PID:1856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:8
1⤵
PID:1312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2164 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:1
1⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2188 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:1
1⤵
PID:2104

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1412 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:2
1⤵
PID:2392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=3684 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:1
1⤵
PID:2468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3944 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:8
1⤵
PID:2496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3912 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:8
1⤵
PID:2488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4012 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:8
1⤵
PID:2624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=4092 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:1
1⤵
PID:2672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --mojo-platform-channel-handle=4480 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:1
1⤵
PID:2784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --mojo-platform-channel-handle=4628 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:1
1⤵
PID:2952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --mojo-platform-channel-handle=5028 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:1
1⤵
PID:1736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:8
1⤵
PID:1260

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Temp1_memz-trojan.zip\MEMZ-master\README.md
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2896

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Temp1_memz-trojan.zip\MEMZ-master\README.md
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2908

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Temp1_memz-trojan.zip\MEMZ-master\README.md
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2800

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Temp1_memz-trojan.zip\MEMZ-master\.gitignore
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2248

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Temp1_memz-trojan.zip\MEMZ-master\README.md
1⤵
- Modifies registry class
PID:2320

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Temp1_memz-trojan.zip\MEMZ-master\README.md
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:824

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Temp1_memz-trojan.zip\MEMZ-master\README.md
1⤵
- Modifies registry class
PID:2844

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Temp1_memz-trojan.zip\MEMZ-master\WindowsTrojan\Makefile
1⤵
- Modifies registry class
PID:2364

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Temp1_memz-trojan.zip\MEMZ-master\WindowsTrojan\Makefile
1⤵
- Modifies registry class
PID:2032

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Temp1_memz-trojan.zip\MEMZ-master\WindowsTrojan\Makefile
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_memz-trojan.zip\MEMZ-master\WindowsTrojan\Makefile"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2720

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Temp1_memz-trojan.zip\MEMZ-master\README.md
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_memz-trojan.zip\MEMZ-master\README.md"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:8
1⤵
PID:3048

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Temp1_memz-trojan.zip\MEMZ-master\.gitignore
1⤵
- Modifies registry class
PID:2980

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Temp1_memz-trojan.zip\MEMZ-master\NyanMBR\Makefile
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:808
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_memz-trojan.zip\MEMZ-master\NyanMBR\Makefile"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1124 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:8
1⤵
PID:2292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2724 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:8
1⤵
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:8
1⤵
PID:3048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:8
1⤵
PID:1212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:8
1⤵
PID:1732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:8
1⤵
PID:1324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:8
1⤵
PID:2808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:8
1⤵
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4408 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:8
1⤵
PID:3064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:8
1⤵
PID:1148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4352 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:8
1⤵
PID:2308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4356 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:8
1⤵
PID:2948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4032 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:8
1⤵
PID:1496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3924 --field-trial-handle=1304,i,11041019413246245856,15687077216786274419,131072 /prefetch:8
1⤵
PID:2336

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_memz-trojan (6).zip\MEMZ-master\README.md"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2824

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Temp1_memz-trojan (6).zip\MEMZ-master\WindowsTrojan\Makefile
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Temp1_memz-trojan (6).zip\MEMZ-master\WindowsTrojan\Makefile"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Temp1_memz-trojan (6).zip\MEMZ-master\WindowsTrojan\Makefile"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.0.419350208\650980620" -parentBuildID 20221007134813 -prefsHandle 1176 -prefMapHandle 1168 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d63eef82-8673-498e-b8de-1ed57f116e7b} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 1252 12ea7e58 gpu
      4⤵
      PID:2840
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.1.141251988\2082037342" -parentBuildID 20221007134813 -prefsHandle 1444 -prefMapHandle 1440 -prefsLen 21751 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5df81c2-ca89-4702-839a-de475b91ab82} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 1456 e73458 socket
      4⤵
      PID:556
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.2.1449583407\1331458404" -childID 1 -isForBrowser -prefsHandle 1916 -prefMapHandle 1756 -prefsLen 21834 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20be0da0-c7ef-46df-978e-2176c3bed14d} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 1876 199eb858 tab
      4⤵
      PID:2496
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.3.253675188\241978251" -childID 2 -isForBrowser -prefsHandle 2780 -prefMapHandle 2776 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {718b3d07-da3d-46c4-af96-34389aaea2ee} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 2792 1bb82858 tab
      4⤵
      PID:2304
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.4.359432453\1624950122" -childID 3 -isForBrowser -prefsHandle 3300 -prefMapHandle 3296 -prefsLen 26798 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c5c55ba-fc07-4211-aef2-e2faa1f6790b} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 3280 19969358 tab
      4⤵
      PID:3252
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.5.1081036078\2097095694" -childID 4 -isForBrowser -prefsHandle 3416 -prefMapHandle 3404 -prefsLen 26798 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0046ca1-46b2-458c-91cc-d1d3b53cffb9} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 3432 1b2b9258 tab
      4⤵
      PID:3260
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2292.6.1494271488\859950035" -childID 5 -isForBrowser -prefsHandle 3604 -prefMapHandle 3600 -prefsLen 26798 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42880b58-e5ab-4e00-9807-4b0b91663c81} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" 3616 1e030558 tab
      4⤵
      PID:3292

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_memz-trojan (6).zip\MEMZ-master\.gitignore"
1⤵
PID:4088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f

Filesize
47KB

MD5
c31e52bf196d6936910fa3dff6b6031e

SHA1
405a89972d416d292b247fd70bbc080c3003b5e6

SHA256
8b47e773a782361209f8adacc8d6aeefb595e1c13ae6813df7de01c20a15c91e

SHA512
a5335c7d3beafdefa6cb1a459736615ca0151fa2e64dafb78de65aa4b924068ad0dc55c70a5317be19edeb899f94ea02e2e54279933b87828ebe86ef95f13291

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
01da647c0db6b6d969ffe75ef118297a

SHA1
efe42ee2fd48a8c09c7b677615a3453ba5faf715

SHA256
5189f3dd7ff48e3d6acf4ac2a1b8d8f6e2844cc153b43403e1657686a8d4ac5a

SHA512
9204797eacabcd6b9dcb414944a0c8b03b962f7ffb17585d6016321a9dd472d2064f98112f6956c2febea3a49710ad7cf6784cec2d458c19829bd56ebd45fe19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
62995b27b42c10e8b78ed2321332aa05

SHA1
a5150c80526fff164624d791163d4f9248817583

SHA256
5957c4591aa87d6bf3b3a07c55b017da22a2188972d36108e396705f844f6166

SHA512
ea9fae5220f9d50215ef3ff5a4d4092e41fd10b234005e4cac6beff78d772eea249065695a33ae72f03cd46a171a4da6f34d22dbc58084e2bd18c5c8f6a9b013

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
eba101c05a112547c619cafca681f0a7

SHA1
f7703743e62f1f7cfce633e965da774a499d7627

SHA256
c1506c3e160739f4ea44a7361f90383f7e7d1c09d2a99fad27a2958d1f2a458c

SHA512
f6534768ad45f2c5aa12e6e1df0c1e63fa3e8c9f7b1323cb55a40024d6fc38f7ddd60f8942025fed02eb6c178343eb203acaf8ec548e0a89a0f6137a9b8ed28a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
30f0a931a10b116c1a129828365e91ac

SHA1
5f28b9a5b527c02c0b5501ab45f882880fede5f5

SHA256
bf82968c968b03c497fa05c139487fc92576d15fb8804e49b53d3a0e6521cc11

SHA512
fd465f1a7d24e1d810990f316e3188a05844977f0e993fd29866e6c8e3fbd65d706419e53de3535bcfc3dbc592bc2d21159d447c3f86b5d36cf4310af26e4151

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
527B

MD5
1577c7629c3b8b06aee0f07d474dc174

SHA1
e3940b0549907d63b09b658edc0180b1165766e8

SHA256
0e2913740bac93b176545981a8236b9d801c33aec294e4130580cf710e00b887

SHA512
f6756c347b5627a0fe8ba616d44536851153a07374ab7584fbd60f3cef727d6d006c4a76a7ca33b7500b5a4e5c0d61205916f5623eb072483791f604b766d870

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1017B

MD5
98955a5b9a67328782a29c1ae2f283e1

SHA1
bf7723096f831edaa2ff3fbbb516949dd909ba2e

SHA256
d3c79dbc667fd9fa2a7f557c37ea0b95a91b354d274de005e708a99d06132686

SHA512
9db2452e9fab1431e053660ee6b9e0f0d9f5606799aa228b01bfadea5f394853c46bd79f4098a00cca8a87d50994eebef404e096a02596a6435f9823de453ed2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tt2bc8ln.default-release\activity-stream.discovery_stream.json.tmp

Filesize
142KB

MD5
d5589152da537c3fd98361969d4d9d4c

SHA1
f232568c4e50be1f80ea65257843f52ae7e16cbd

SHA256
fec3cccdc3f34d0560629e5d48bffb95caa567d450cf2edcc37fc7d97b3052de

SHA512
8d10785b8b611c277dc86b439508281af67987df83b340585124678553e52c20482bcfc0ac9f227cc8788e775e87affebfc713c496d90d09d8de45608e4d46d4

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
e3287ee1541337158cb3b14b8d51fb93

SHA1
e5b5f7e50563eb81ad3919c864ee2ff15b4c042d

SHA256
b672b2f1d603f8f0488e8023b0ee4c7b06c98ee1f6a59016a138ec85849d9caa

SHA512
738a5770e31a6549cb0a9dedf7b05a78950427e75d86ecd90206dbadebfa3e324a319ebd1b9f18dcd0c9ee8e43d73455b9aad2d1dcc6a5e2b029eed08a83ed05

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tt2bc8ln.default-release\prefs.js

Filesize
6KB

MD5
9783aee15c239874b9af4984ef2e8cb3

SHA1
8c2787fc155c9932b6d8fb68cb0d8bc8ff27aa3e

SHA256
ac339fca4b30198d3ae9a6681ad0c39e6f8a77aaa21159ff3bdcf0457d5f4bd6

SHA512
315d38809616b074c78a2769741adeade46691a307f599c1937f1813af0f529a4b4fffc1ae3a542422b3a9dafcfdef41c9c8cbe7b4e6a658c520ec19d90f58e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tt2bc8ln.default-release\sessionCheckpoints.json.tmp

Filesize
212B

MD5
29ce37dc02c78bbe2e5284d350fae004

SHA1
bab97d5908ea6592aef6b46cee1ded6f34693fa2

SHA256
1bfee61e2f346959c53aa41add4b02d2b05c86c9f19ffefe1018f4a964bf4693

SHA512
53a9eb746e193c088210d8eaa6218d988f3a67ee4cb21844d682ff0178db040932404f5ce2f3cf8b4576313ba0ec33c04ca288c3412bfa5df7dd8230cc2068bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tt2bc8ln.default-release\sessionstore.jsonlz4

Filesize
909B

MD5
5d76d5e318b238777c5521b6c8f57ccd

SHA1
20fddf1e4856b1c423c2e1d07d7133023c7ee3cf

SHA256
d5debfbf96ea4af9279e5db9b0e342113610d7c6bce0080f66fc5aa2a01691ad

SHA512
62005b25d39766b9a0e4a89737369bc425e6859362dd8c17fe0fdbc8b3fc95a8c80f9836336fef387599092b2e619a5073b3adaa93291364d13cfda61b1b94b7

Download Submit