memz[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

memz.exe
Size

8.5MB
MD5

e3499991fbc24b97fd743a3c84c5d134
SHA1

5f34817a708b3721d0c8376651a71d0ef6d4b4bd
SHA256

6573b545e2cca5dd71ee15c4a6ed808701a50947a8166ad362f2b27a54482efe
SHA512

b1b053e7fe8b2b9eb1c621ae35e508d33e0fd15958c413984ba9ef9da9355464a803e877890f0d6d141b316c44839dacf3079de31bd27b80c452ad364fa038c4
SSDEEP

49152:NymWLTsoldqbwgEaZW0G/JdUuKLonlRuv7w96xGJlb3R+b127xcLN04XEA9dcSwf:fWLTbdtk00GMjMLam8DuhyhI

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
memz.exe

Files

memz.exe
.exe windows:6 windows x64 arch:x64

336fd1a81ed63113144a5f9251203f68

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

ResumeThread
UnmapViewOfFile
CreateToolhelp32Snapshot
Process32NextW
QueryFullProcessImageNameA
CreateFileA
GetCurrentThread
Process32FirstW
RaiseException
CreateThread
GetThreadContext
CreateFileMappingA
MapViewOfFile
VirtualQuery
IsDebuggerPresent
CheckRemoteDebuggerPresent
DeleteCriticalSection
GetModuleHandleW
TerminateProcess
OutputDebugStringW
EnterCriticalSection
LeaveCriticalSection
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
GetStartupInfoW
GetSystemTimeAsFileTime
InitializeSListHead
SetLastError
FormatMessageW
GetTickCount
GetSystemDirectoryA
MoveFileExA
WaitForSingleObjectEx
GetEnvironmentVariableA
GetStdHandle
GetFileType
PeekNamedPipe
WaitForMultipleObjects
SleepEx
GetFileSizeEx
GetCurrentProcess
RtlCaptureContext
VirtualProtect
QueryPerformanceCounter
VerifyVersionInfoW
GetProcAddress
CloseHandle
GetLastError
GlobalUnlock
QueryPerformanceFrequency
VerSetConditionMask
WideCharToMultiByte
GlobalLock
GlobalFree
GlobalAlloc
MultiByteToWideChar
FreeLibrary
LoadLibraryW
LoadLibraryA
LoadLibraryExA
ReadFile
GetTempPathW
Sleep
GetCurrentProcessId
GetModuleHandleA
GetCurrentThreadId
CreateFileW
InitializeCriticalSectionEx
VirtualAlloc
DeviceIoControl
VirtualFree

user32

GetDesktopWindow
UnhookWindowsHookEx
SetWindowsHookExA
GetSystemMetrics
GetWindowRect
GetWindowThreadProcessId
SetClipboardData
GetClipboardData
EmptyClipboard
CloseClipboard
OpenClipboard
GetCursorPos
ReleaseDC
SetCursorPos
IsIconic
SetForegroundWindow
ReleaseCapture
RegisterClassExA
GetClientRect
SetWindowLongW
SetCursor
SetCapture
BringWindowToTop
UnregisterClassA
SetLayeredWindowAttributes
CreateWindowExA
DefWindowProcA
GetForegroundWindow
GetMonitorInfoA
IsChild
ClientToScreen
SetWindowLongA
GetCapture
ShowWindow
WindowFromPoint
SetWindowTextW
ScreenToClient
EnumDisplayMonitors
MonitorFromWindow
SetWindowPos
GetDC
DestroyWindow
LoadCursorA
GetKeyState
GetWindowLongW
UpdateWindow
PeekMessageA
TranslateMessage
FindWindowA
SetFocus
DispatchMessageA
AdjustWindowRectEx

gdi32

GetDeviceCaps

advapi32

CryptEncrypt
CryptDestroyKey
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA
OpenProcessToken
GetTokenInformation
GetCurrentHwProfileA
RegSetKeyValueW
RegCloseKey
RegDeleteKeyW
RegCreateKeyW
RegOpenKeyW
CryptImportKey

msvcp140

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?good@ios_base@std@@QEBA_NXZ
??7ios_base@std@@QEBA_NXZ
?widen@?$ctype@_W@std@@QEBA_WD@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?_Throw_Cpp_error@std@@YAXH@Z
_Cnd_do_broadcast_at_thread_exit
_Thrd_id
_Thrd_join
_Query_perf_frequency
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
_Thrd_sleep
_Query_perf_counter
_Thrd_detach
_Xtime_get_ticks
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?uncaught_exceptions@std@@YAHXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
?id@?$ctype@_W@std@@2V0locale@2@A
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z
?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z

ntdll

NtQuerySystemInformation
NtQueryInformationProcess
NtRaiseException
RtlInitUnicodeString
NtClose
RtlImageNtHeader
NtSetDebugFilterState

normaliz

IdnToAscii

ws2_32

setsockopt
WSASetLastError
ntohs
WSAGetLastError
closesocket
WSAEventSelect
WSAEnumNetworkEvents
WSACreateEvent
WSACloseEvent
send
getsockopt
WSAIoctl
gethostname
htons
getpeername
sendto
recvfrom
freeaddrinfo
getaddrinfo
recv
listen
htonl
getsockname
connect
bind
accept
select
__WSAFDIsSet
socket
ioctlsocket

wldap32

ord211
ord60
ord217
ord46
ord143
ord45
ord50
ord41
ord22
ord26
ord27
ord32
ord33
ord35
ord79
ord30
ord200
ord301

crypt32

CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptStringToBinaryA
PFXImportCertStore
CryptDecodeObjectEx
CertAddCertificateContextToStore
CertFindExtension
CertGetNameStringA
CryptQueryObject
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain
CertOpenStore
CertCloseStore

imm32

ImmReleaseContext
ImmGetContext
ImmSetCompositionWindow

d3d9

Direct3DCreate9

vcruntime140_1

__CxxFrameHandler4

vcruntime140

strrchr
memchr
memcmp
memcpy
_CxxThrowException
__std_exception_destroy
__current_exception_context
__std_terminate
strstr
strchr
__C_specific_handler
memmove
memset
__current_exception
__std_exception_copy

api-ms-win-crt-stdio-l1-1-0

fputs
__p__commode
_set_fmode
feof
__stdio_common_vsscanf
__stdio_common_vsprintf
_wfopen
_close
_fileno
_write
fseek
_read
ftell
fopen
fputc
_open
__stdio_common_vfprintf
__acrt_iob_func
fflush
_get_stream_buffer_pointers
fgets
_fseeki64
fread
fsetpos
ungetc
fclose
fgetc
_lseeki64
setvbuf
fgetpos
fwrite

api-ms-win-crt-heap-l1-1-0

free
calloc
_set_new_mode
_callnewh
realloc
malloc

api-ms-win-crt-utility-l1-1-0

srand
rand
qsort

api-ms-win-crt-filesystem-l1-1-0

_unlink
_stat64
_access
_wremove
_lock_file
_fstat64
_unlock_file

api-ms-win-crt-string-l1-1-0

strpbrk
strspn
strncpy
strcmp
_stricmp
strcpy_s
strncmp
strcspn
_wcsicmp
_strdup

api-ms-win-crt-time-l1-1-0

_gmtime64
_time64
strftime

api-ms-win-crt-runtime-l1-1-0

_register_thread_local_exe_atexit_callback
_c_exit
_exit
_initterm_e
_initterm
_get_narrow_winmain_command_line
_invalid_parameter_noinfo_noreturn
__sys_errlist
_set_app_type
_beginthreadex
_seh_filter_exe
terminate
_wassert
_cexit
_crt_atexit
exit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_errno
__sys_nerr
_configure_narrow_argv

api-ms-win-crt-convert-l1-1-0

strtoll
strtol
atoi
strtoul
wcstombs

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-math-l1-1-0

cosf
acosf
_fdopen
fmodf
__setusermatherr
sinf
ceilf
sqrtf

bcrypt

BCryptGenRandom

Sections

.text
Size: 4.5MB - Virtual size: 4.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 214KB - Virtual size: 213KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3.7MB - Virtual size: 3.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

336fd1a81ed63113144a5f9251203f68

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

msvcp140

ntdll

normaliz

ws2_32

wldap32

crypt32

imm32

d3d9

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

bcrypt

Sections

.text Size: 4.5MB - Virtual size: 4.5MB

.rdata Size: 214KB - Virtual size: 213KB

.data Size: 3.7MB - Virtual size: 3.7MB

.pdata Size: 32KB - Virtual size: 32KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 2KB - Virtual size: 1KB

.text
Size: 4.5MB - Virtual size: 4.5MB

.rdata
Size: 214KB - Virtual size: 213KB

.data
Size: 3.7MB - Virtual size: 3.7MB

.pdata
Size: 32KB - Virtual size: 32KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 2KB - Virtual size: 1KB