7d510c591ea3fe3dd0ba019963f2ae41ce6b22fcef13d979f6cfa2920eb87fb9

Resubmissions

27/01/2024, 17:37

240127-v7bjtsggh4 3

27/01/2024, 17:33

27/01/2024, 17:23

27/01/2024, 17:17

27/01/2024, 17:07

27/01/2024, 17:00

27/01/2024, 16:56

27/01/2024, 16:51

Analysis

max time kernel
435s
max time network
439s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 17:07

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Верена-Вермут-Забранената-жена-Преживяно.pdf
Size

5.5MB
MD5

e8e518d9a22374ddcb271650017cf2c4
SHA1

7fe3dedb6df963944fec6ce87a3c5e2b83a37826
SHA256

7d510c591ea3fe3dd0ba019963f2ae41ce6b22fcef13d979f6cfa2920eb87fb9
SHA512

b31059e623ee4ecf10c52fc94b0793cb6b8fbbeeb4a81383c15386965b6ce72dc22863b3a2544229d6b2b8c35554b298b5dc6172e4d3978f2806fcee6de9d609
SSDEEP

98304:cLn/fhzkxlBUKvImbgB2vYH95Wl7CxS9bunt9RzXtFzGkXfJEy5UCtahfS:0/t4lBUKvImbgBkYHKhvszXBEAgS

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 8 IoCs

pid	Process
3448	MEMZ.exe
540	MEMZ.exe
800	MEMZ.exe
2644	MEMZ.exe
2992	MEMZ.exe
1608	MEMZ.exe
2248	MEMZ.exe
4824	MEMZ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
84	raw.githubusercontent.com
85	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4856	taskkill.exe
2504	taskkill.exe
2648	taskkill.exe
1632	taskkill.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133508489979686151"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "24"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2160	chrome.exe
2160	chrome.exe
800	MEMZ.exe
800	MEMZ.exe
800	MEMZ.exe
2644	MEMZ.exe
800	MEMZ.exe
2644	MEMZ.exe
2644	MEMZ.exe
800	MEMZ.exe
2644	MEMZ.exe
800	MEMZ.exe
2992	MEMZ.exe
2992	MEMZ.exe
800	MEMZ.exe
2992	MEMZ.exe
800	MEMZ.exe
2992	MEMZ.exe
2644	MEMZ.exe
2644	MEMZ.exe
1608	MEMZ.exe
1608	MEMZ.exe
2644	MEMZ.exe
2644	MEMZ.exe
2992	MEMZ.exe
2992	MEMZ.exe
800	MEMZ.exe
800	MEMZ.exe
2248	MEMZ.exe
2248	MEMZ.exe
800	MEMZ.exe
800	MEMZ.exe
2992	MEMZ.exe
2992	MEMZ.exe
2644	MEMZ.exe
2644	MEMZ.exe
1608	MEMZ.exe
1608	MEMZ.exe
2644	MEMZ.exe
1608	MEMZ.exe
1608	MEMZ.exe
2644	MEMZ.exe
2992	MEMZ.exe
800	MEMZ.exe
2992	MEMZ.exe
800	MEMZ.exe
2248	MEMZ.exe
2248	MEMZ.exe
800	MEMZ.exe
2248	MEMZ.exe
800	MEMZ.exe
2248	MEMZ.exe
2992	MEMZ.exe
2992	MEMZ.exe
2644	MEMZ.exe
2644	MEMZ.exe
1608	MEMZ.exe
1608	MEMZ.exe
2644	MEMZ.exe
1608	MEMZ.exe
1608	MEMZ.exe
2644	MEMZ.exe
2992	MEMZ.exe
2992	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2624	AcroRd32.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe

Suspicious use of SendNotifyMessage 57 IoCs

pid	Process
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe
2124	taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2624	AcroRd32.exe
2624	AcroRd32.exe
2624	AcroRd32.exe
2624	AcroRd32.exe
2624	AcroRd32.exe
2936	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 592	2160	chrome.exe	98
PID 2160 wrote to memory of 592	2160	chrome.exe	98
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 1048	2160	chrome.exe	99
PID 2160 wrote to memory of 2032	2160	chrome.exe	100
PID 2160 wrote to memory of 2032	2160	chrome.exe	100
PID 2160 wrote to memory of 1928	2160	chrome.exe	101
PID 2160 wrote to memory of 1928	2160	chrome.exe	101
PID 2160 wrote to memory of 1928	2160	chrome.exe	101
PID 2160 wrote to memory of 1928	2160	chrome.exe	101
PID 2160 wrote to memory of 1928	2160	chrome.exe	101
PID 2160 wrote to memory of 1928	2160	chrome.exe	101
PID 2160 wrote to memory of 1928	2160	chrome.exe	101
PID 2160 wrote to memory of 1928	2160	chrome.exe	101
PID 2160 wrote to memory of 1928	2160	chrome.exe	101
PID 2160 wrote to memory of 1928	2160	chrome.exe	101
PID 2160 wrote to memory of 1928	2160	chrome.exe	101
PID 2160 wrote to memory of 1928	2160	chrome.exe	101
PID 2160 wrote to memory of 1928	2160	chrome.exe	101
PID 2160 wrote to memory of 1928	2160	chrome.exe	101
PID 2160 wrote to memory of 1928	2160	chrome.exe	101
PID 2160 wrote to memory of 1928	2160	chrome.exe	101
PID 2160 wrote to memory of 1928	2160	chrome.exe	101
PID 2160 wrote to memory of 1928	2160	chrome.exe	101
PID 2160 wrote to memory of 1928	2160	chrome.exe	101
PID 2160 wrote to memory of 1928	2160	chrome.exe	101
PID 2160 wrote to memory of 1928	2160	chrome.exe	101
PID 2160 wrote to memory of 1928	2160	chrome.exe	101

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Верена-Вермут-Забранената-жена-Преживяно.pdf"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff816f29758,0x7ff816f29768,0x7ff816f29778
  2⤵
  PID:592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1912,i,7242537229977761357,12501244031046791380,131072 /prefetch:2
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1912,i,7242537229977761357,12501244031046791380,131072 /prefetch:8
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1912,i,7242537229977761357,12501244031046791380,131072 /prefetch:8
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1912,i,7242537229977761357,12501244031046791380,131072 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=1912,i,7242537229977761357,12501244031046791380,131072 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4620 --field-trial-handle=1912,i,7242537229977761357,12501244031046791380,131072 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4824 --field-trial-handle=1912,i,7242537229977761357,12501244031046791380,131072 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4968 --field-trial-handle=1912,i,7242537229977761357,12501244031046791380,131072 /prefetch:8
  2⤵
  PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4020 --field-trial-handle=1912,i,7242537229977761357,12501244031046791380,131072 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5284 --field-trial-handle=1912,i,7242537229977761357,12501244031046791380,131072 /prefetch:8
  2⤵
  PID:532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=1912,i,7242537229977761357,12501244031046791380,131072 /prefetch:8
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5584 --field-trial-handle=1912,i,7242537229977761357,12501244031046791380,131072 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3108 --field-trial-handle=1912,i,7242537229977761357,12501244031046791380,131072 /prefetch:8
  2⤵
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5824 --field-trial-handle=1912,i,7242537229977761357,12501244031046791380,131072 /prefetch:8
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3452 --field-trial-handle=1912,i,7242537229977761357,12501244031046791380,131072 /prefetch:8
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 --field-trial-handle=1912,i,7242537229977761357,12501244031046791380,131072 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3460 --field-trial-handle=1912,i,7242537229977761357,12501244031046791380,131072 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5884 --field-trial-handle=1912,i,7242537229977761357,12501244031046791380,131072 /prefetch:8
  2⤵
  PID:2964
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  PID:3448

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2560

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4788
- C:\Windows\system32\taskkill.exe
  taskkill / f / im MEMZ.exe
  2⤵
  - Kills process with taskkill
  PID:4856
- C:\Windows\system32\taskkill.exe
  taskkill /im/MEMZ.exe
  2⤵
  - Kills process with taskkill
  PID:2504
- C:\Windows\system32\taskkill.exe
  taskkill /?
  2⤵
  - Kills process with taskkill
  PID:2648
- C:\Windows\system32\taskkill.exe
  taskkill /f /im MEMZ.exe
  2⤵
  - Kills process with taskkill
  PID:1632

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1684

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:540
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:800
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2644
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2992
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1608
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2248
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /main
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  PID:4824
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:808

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2124

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3916855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
817eae9bd04dd57d2cdcdd0bf9eeaa02

SHA1
6ef87e7d4725ecbcdf69c55f75a7fdbc5f09f626

SHA256
61236a44e99309f9f4f83e9d41facae7d1935407b43c3bd7b37428b04f5948d7

SHA512
88264ded9ea05c6f986c35e6298682698bdea901e308aeef210e2f9c2d5c024fc96bca463625caa55aa05b7f467382a1aa15538fab33faa2e5e695fc357b7975

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
84486aa8397cec4591e861e6f931e595

SHA1
df1d000faa353f595d2282e952b19a3866dad9fc

SHA256
f0dcc93570e117fc5424824a02805cb5cd77952b33d3278f9f3c95120dc3d5e1

SHA512
4f6c17837e102baa2df7f8d77dd63483b2e643b1631d946277652479356dcee99d5eef7224c131230888a995f423ad49a315981f5b8adf0b552d3668a75cb4d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2c55e06849f56a42b2e41a02eef14ebc

SHA1
a737c651c146f17eab7fc8f68e0a126edea3c0ef

SHA256
6641add60d6d6ab5a59460f5e07d755ac1908a0db348c1f2f77437ae5de339e8

SHA512
63b7954ab31813afe7f40299f110a01e5b148676b53e2a686e02f279af93b6d0e41bf47fc06777ec31de26a5d5f32231409d2d638d921d62568bab08654aa99f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
6339b50867bdf2de424b0f6cfb449c99

SHA1
ad0d45ef56fb9ab3efd89a90ab249c534d6b22b9

SHA256
44191e43b547a93e305eb61adfed28594e44244048597603023a6d63390ff99c

SHA512
3aaa4627bb76fbb0f5ce983305b82133a7f93e4256468d91fc28206a78168d4a8c6dfcddb97d7b5be0549772f92d524f03852e172e645f45ccdae24c3da35354

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d2651e5da09c211dbcee76c3cf967b2f

SHA1
c16cdbaf584711ca6d5dd603247b2986f8e5adbe

SHA256
e0224495139209782ff6778fe9fd7482f8b55ab093011f404100a4f24e863677

SHA512
07942fe45dae7c4d94495a2783813926a5aee05c62330af82a1329d8475e24c44d39a2218091d58dd01b3c916a627231014b9ee9e244149383da47692ca443a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d9651b5337236603f1f7aec6f5a29b8b

SHA1
8db852b8bc304108c1e4c9ae7eb060e467918153

SHA256
f8bf46fa407a828f0bc40bbb592b72e49ad920a3b2762862db8f38adf8d3f092

SHA512
42459d10e98a2cfa32a4063d59c649de573b5c565d8ea717e89e12d75ebf2aab31882eb2447d99b98f193cc455cb4a4559c42dcb220d6672b44314cc2edfb6c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c4a60f7ebc568394cca0f9bff611731c

SHA1
bc4ee81fc6c5cb119eaa24f707a0148c3522f7ab

SHA256
b0a31424b76e084c263914484b6334371f7762fe2624c2f66260dbadc2dedcc6

SHA512
56a2ac8225f10b4eeed146520359655df02dffcce534579198fd8cc415b99ea33f1962158fcd8061e0639860cbb339cce69f8a95909e1b47accb5d428edccc34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b27a191bd95efdda8c113e94ee2b391b

SHA1
7919bc07e85ee858cd2da6a57904117054756e4d

SHA256
7a01565b6c6ade4d5e50371381f6de86f5a068216bda0936faecbbdf8c1b2d62

SHA512
7092dea192031e7c883ef0a9e12432fad59f6b598c9c35cc12805c2916ca6dea072b37f985e1ea467f6a71cb2621dad8d0ec4aa0a49cbc7cadd9aa11df0750d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
4cc30c009ce43f5f67703a87359a47b6

SHA1
43e0180890c2360de0d389ebf3bf1207a60d61de

SHA256
8874351c53c38e0c978daeba625c5f3207cbee6ad7f8b6b7f70cf5c6ef77538c

SHA512
241cfe0ba9540c1ed08e21885be8e657ff24939a9060963269f4c96b521a01fccd6e1050fad3a6952f75997a843dd8d7a232767480ace07890ebe6b6e260e922

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
5e20372cf84c8bd3b7d708136ab28244

SHA1
7dfab27ce767e80c195ece02ad934603ebf532f8

SHA256
6e35f5d36174200c3a28b6e3b7fc6139b3f90bd740bfaa05ee476053d384fe91

SHA512
44f66571f475fec50a389f4104dc2b1d0ea05672b6fcbc727d901df7324f830a6040677762469640e063ce5724f6a6ac836454dcbf5cb0ce03ea86347946ad5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
f966d57ab6906b8e421fc3836fe02591

SHA1
0a181c822efff137db28a67e717bed53a8f64e78

SHA256
4367e9f88f87dda39833eb1f44c4d75a76a8188ad39b8ff4a4599400eabae6fc

SHA512
af38a07774a84fec368234206b6d3d4fc45c8ee6e760698a3a1c05e4a604077997368536b7e4ddfe70aff192177bb004fe1078a723ae21f01744b27dac5a0480

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
110KB

MD5
f8a22853bdc4903b971bb7c6e649425e

SHA1
e45db73ec39fc0e23ef8bb9436d8d5d4480044d7

SHA256
228504ab285db2c83cf46fdc16a6e7735509b65a0cb31a90c91e6490bf2dbbce

SHA512
66a582d0b4f9c88be32ab7383734da602a47ed3fd04be6fbde970b86d1b9b9201a3e819324f1b44ba04a801ff178cf06d8093874865a1fe71332741380083cc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe580cad.TMP

Filesize
96KB

MD5
36c7f0a96ae8fe948d1dba637eb7dd49

SHA1
fd32a4c8ec4f4646a711c84ee4ce33b044c4f6aa

SHA256
59bfd9d30d68fe5c55c6fd755f650e71c188b7b8948530f071532317044e1c14

SHA512
adf5058c90e9df4014ecdc4e1da55e5305343db8dda3bf560e34e8212e701a1c2dba042574beebea666f62928aaff3d242f90a615dea791709a66812c4b40b06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/2124-397-0x0000021296570000-0x0000021296571000-memory.dmp

Filesize
4KB

Download
memory/2124-396-0x0000021296570000-0x0000021296571000-memory.dmp

Filesize
4KB

Download
memory/2124-395-0x0000021296570000-0x0000021296571000-memory.dmp

Filesize
4KB

Download
memory/2124-407-0x0000021296570000-0x0000021296571000-memory.dmp

Filesize
4KB

Download
memory/2124-406-0x0000021296570000-0x0000021296571000-memory.dmp

Filesize
4KB

Download
memory/2124-405-0x0000021296570000-0x0000021296571000-memory.dmp

Filesize
4KB

Download
memory/2124-404-0x0000021296570000-0x0000021296571000-memory.dmp

Filesize
4KB

Download
memory/2124-403-0x0000021296570000-0x0000021296571000-memory.dmp

Filesize
4KB

Download
memory/2124-402-0x0000021296570000-0x0000021296571000-memory.dmp

Filesize
4KB

Download
memory/2124-401-0x0000021296570000-0x0000021296571000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads