hxxps://github[.]com/Dfmaaa/MEMZ-virus/blob/main/MEMZ[.]exe

Resubmissions

14/02/2024, 00:03

240214-acjlqsdd84 10

14/02/2024, 00:00

240214-aagpcscb5w 8

13/02/2024, 23:57

240213-3zsr5sdd36 8

Analysis

max time kernel
139s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Dfmaaa/MEMZ-virus/blob/main/MEMZ.exe

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 9 IoCs

pid	Process
3232	MEMZ.exe
4768	MEMZ.exe
4496	MEMZ.exe
1548	MEMZ.exe
2512	MEMZ.exe
5072	MEMZ.exe
2532	MEMZ.exe
4372	MEMZ.exe
4048	MEMZ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
45	raw.githubusercontent.com
46	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 625628.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3372	msedge.exe
3372	msedge.exe
1252	msedge.exe
1252	msedge.exe
4332	identity_helper.exe
4332	identity_helper.exe
3960	msedge.exe
3960	msedge.exe
2512	MEMZ.exe
2512	MEMZ.exe
1548	MEMZ.exe
1548	MEMZ.exe
1548	MEMZ.exe
2512	MEMZ.exe
1548	MEMZ.exe
2512	MEMZ.exe
1548	MEMZ.exe
5072	MEMZ.exe
1548	MEMZ.exe
5072	MEMZ.exe
2512	MEMZ.exe
2512	MEMZ.exe
4372	MEMZ.exe
2532	MEMZ.exe
4372	MEMZ.exe
2532	MEMZ.exe
5072	MEMZ.exe
5072	MEMZ.exe
1548	MEMZ.exe
1548	MEMZ.exe
2512	MEMZ.exe
2512	MEMZ.exe
5072	MEMZ.exe
5072	MEMZ.exe
1548	MEMZ.exe
1548	MEMZ.exe
2532	MEMZ.exe
2532	MEMZ.exe
4372	MEMZ.exe
4372	MEMZ.exe
4372	MEMZ.exe
2532	MEMZ.exe
4372	MEMZ.exe
2532	MEMZ.exe
1548	MEMZ.exe
1548	MEMZ.exe
5072	MEMZ.exe
5072	MEMZ.exe
2512	MEMZ.exe
2512	MEMZ.exe
2532	MEMZ.exe
2532	MEMZ.exe
2512	MEMZ.exe
5072	MEMZ.exe
2512	MEMZ.exe
5072	MEMZ.exe
1548	MEMZ.exe
1548	MEMZ.exe
4372	MEMZ.exe
4372	MEMZ.exe
2532	MEMZ.exe
2532	MEMZ.exe
4372	MEMZ.exe
4372	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 4392	1252	msedge.exe	83
PID 1252 wrote to memory of 4392	1252	msedge.exe	83
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 2928	1252	msedge.exe	84
PID 1252 wrote to memory of 3372	1252	msedge.exe	85
PID 1252 wrote to memory of 3372	1252	msedge.exe	85
PID 1252 wrote to memory of 4424	1252	msedge.exe	86
PID 1252 wrote to memory of 4424	1252	msedge.exe	86
PID 1252 wrote to memory of 4424	1252	msedge.exe	86
PID 1252 wrote to memory of 4424	1252	msedge.exe	86
PID 1252 wrote to memory of 4424	1252	msedge.exe	86
PID 1252 wrote to memory of 4424	1252	msedge.exe	86
PID 1252 wrote to memory of 4424	1252	msedge.exe	86
PID 1252 wrote to memory of 4424	1252	msedge.exe	86
PID 1252 wrote to memory of 4424	1252	msedge.exe	86
PID 1252 wrote to memory of 4424	1252	msedge.exe	86
PID 1252 wrote to memory of 4424	1252	msedge.exe	86
PID 1252 wrote to memory of 4424	1252	msedge.exe	86
PID 1252 wrote to memory of 4424	1252	msedge.exe	86
PID 1252 wrote to memory of 4424	1252	msedge.exe	86
PID 1252 wrote to memory of 4424	1252	msedge.exe	86
PID 1252 wrote to memory of 4424	1252	msedge.exe	86
PID 1252 wrote to memory of 4424	1252	msedge.exe	86
PID 1252 wrote to memory of 4424	1252	msedge.exe	86
PID 1252 wrote to memory of 4424	1252	msedge.exe	86
PID 1252 wrote to memory of 4424	1252	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Dfmaaa/MEMZ-virus/blob/main/MEMZ.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b8c546f8,0x7ff9b8c54708,0x7ff9b8c54718
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3464 /prefetch:8
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6544 /prefetch:8
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3960
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  PID:3232
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    PID:2960
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    PID:3572
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    PID:4400
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    PID:3216
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    PID:2088
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /main
    3⤵
    PID:1012
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:4156
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4496
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1548
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2512
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5072
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2532
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4372
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /main
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:4048
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:4752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=stanky+danky+maymays
      4⤵
      PID:384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b8c546f8,0x7ff9b8c54708,0x7ff9b8c54718
        5⤵
        
        PID:1600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+2+buy+weed
      4⤵
      PID:1820
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b8c546f8,0x7ff9b8c54708,0x7ff9b8c54718
        5⤵
        
        PID:2772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=the+memz+are+real
      4⤵
      PID:1508
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b8c546f8,0x7ff9b8c54708,0x7ff9b8c54718
        5⤵
        
        PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6068 /prefetch:2
  2⤵
  PID:420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1751080015310569633,12172901118217689098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:1
  2⤵
  PID:3876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
011193d03a2492ca44f9a78bdfb8caa5

SHA1
71c9ead344657b55b635898851385b5de45c7604

SHA256
d21f642fdbc0f194081ffdd6a3d51b2781daef229ae6ba54c336156825b247a0

SHA512
239c7d603721c694b7902996ba576c9d56acddca4e2e7bbe500039d26d0c6edafbbdc2d9f326f01d71e162872d6ff3247366481828e0659703507878ed3dd210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
194KB

MD5
ac84f1282f8542dee07f8a1af421f2a7

SHA1
261885284826281a99ff982428a765be30de9029

SHA256
193b8f571f3fd65b98dc39601431ff6e91ade5f90ee7790bfc1fba8f7580a4b0

SHA512
9f4f58ab43ddadad903cea3454d79b99a750f05e4d850de5f25371d5bec16fc312015a875b8f418154f1124c400ae1c82e2efd862870cd35c3f0961426c8cd82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1af88b077655727a2c6a321d7108ac4d

SHA1
5dc746dc0ccb8a3cfdea804c73d70616ddd5aadf

SHA256
d49daf9c54a136079bdf2f2f3f68cdd93d9a96243c31d6b510c7bdf95274efd7

SHA512
3f592ced20a9c01f77de17ac1c6145fe9501012f8209d0fe2854172bc3740f47fefc14df6499a7b43d666dd63dd584f7960d8a03e4efca1523d0c252bef1bbed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8891ba9d3604c44827c86239d87092d2

SHA1
895ab053bb9bf4ad5a0895b543d2db011192e3ac

SHA256
5094f307ae98fd318490ea1bf3d476888dbb38bdbc2b9dbd39229f3f4352042f

SHA512
1ac9779d6fd3c8c5c5e95357c4d7030e1ca2d1075d1afcb382973f19b289a7a03acd70272d6a37de16336ef4a1b36383beb7da5844677c409886bc3a69c7ef4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
70865671c38aa709cc24bdc50779dab2

SHA1
91978040828197867a70513f598e978ea2edc486

SHA256
c1f2803b23b34de1ca25cd5b2b7e72b636cfd6d79661b9a9db1489867464805d

SHA512
aaf4608d8816bcce3db566b48150dcc2eae94ffcc11ea77c2dd69537dec2284a4a8abbdade71d09eff2212b6e23b0ac0a64b359f7f86fb1d0bf7da7da0fad5c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
454e7cd4fbb0751ffa354ec86870a258

SHA1
716d6739a2a278446c3e9c16cb72d996d042bc89

SHA256
9cbad050449dd86a473ca97a90c4b4f6076f3174f52ae515de52cb4793f3d5ca

SHA512
83e6e36c576ef32a555d6a6e3ed9fe4ad51d7681bbfcc6421c29b15cadb0bcc918e4a9d6388ca0e1a1ca750830164ef64ca8015d07a0a2b8ec81fb17c5bc6f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d4abdf05c2e8193409e56f04c850d48e

SHA1
af6441e90de4b2a4fcf3ea6470dfff4ec9921ad6

SHA256
f722f113e7e434682bcab9b04c193a12aacbdfc24a5fa074489ca5e88f0a72aa

SHA512
e40bea841ca4aa08827152a947cac93cada736ea29ed066a71aa7f6715ced4540113add4b1b7889e680013b11001cfa870e1fa4f7d212ff9fbb7cfc5d86bd719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1baf45233512694e4715760316bfbb82

SHA1
e0b70fe72ed21509dc8e4ef943419679fa8ac98c

SHA256
836125c6f3a5a1f3f326d07160e3932d44d0575c13e60e0bf267ea74889e1a60

SHA512
dc1199ccf630621375b5ffdba058513100e555986ce8eb4e83ed608d002360ceade420f415452579caf47a08ea6224d1b7bc79a25919d95dc49913491cffd477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fe714504364d329684aa5a2cafd4374f

SHA1
bdb53699894d3f521a4a3a229b4ac735a490f1d5

SHA256
38bafcbd962dcdf12e96358bda7af135cf92e4f36b13aa3d9b2963bfe2763095

SHA512
6eda54a410b01177123a2fa94668eb8192163ab71793cf99057565d71c2bd41052e2e992f6bdb1542e2ed31114f6aaafca0de07744a920dbfe2429a1d83bb4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5cb264d936e4ec0f300b6e0b71a898ac

SHA1
bc0c4facd6b0075d6edf50bb97252e313fba04d8

SHA256
1d73e445617e1bcbd7066cd3c5b8092b82cc68ae7e7e7de08e66f97a5e55bc83

SHA512
064d55d016bc4dd96f42184cdfb76d3c48195e05679e37a0bf9f31cece23c6ca0acc927cb97a9940d79bea98f669f7499059600a61a66fa3f8f1851c8059d83a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c64f94b459b1f53a123936c321d68b2f

SHA1
4fc330e4815377f4bb26a8b069d7f7fd3bf1695c

SHA256
2258ebcbcde08c605a9e91f34f99a81580714875ebd2a98337d13b53f770db4a

SHA512
67371cbbb1049ed8644b38bfd0404239fdafc07da19950560ec17c3d9dbf0d47774cf08b0b576bf9ac566e9268750c0eb6411ab8d4330a26d6b67425f52a9729

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
f5b764fa779a5880b1fbe26496fe2448

SHA1
aa46339e9208e7218fb66b15e62324eb1c0722e8

SHA256
97de05bd79a3fd624c0d06f4cb63c244b20a035308ab249a5ef3e503a9338f3d

SHA512
5bfc27e6164bcd0e42cd9aec04ba6bf3a82113ba4ad85aa5d34a550266e20ea6a6e55550ae669af4c2091319e505e1309d27b7c50269c157da0f004d246fe745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d6c0817548a599449dbfd2db50201b1f

SHA1
590254015fb19fcc221ba8d5918a7a527c210b79

SHA256
30e5ec1882833b0d038c6032a8629de6b16a4692b495cc791575ab097b6de8ea

SHA512
8bffb7110a839ef30cc6a7306391ae62153fb30e5fff9be060c2b3c5c1c198959f7cdf759e1e34a87c98c1266950b2d6e3b32db971d01bc0f1cf90d40ef1b19e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c29f.TMP

Filesize
1KB

MD5
3080c46db507eec78e36f645875f9162

SHA1
8cd8f6c24f765c700f4f1f4503bd418816fa02bd

SHA256
0677e1a27a62a8e2248ba981b6501590ee96389359c7ebeeb172013eb4134fec

SHA512
f526f042c2ad4e594970231e83b82feefd228f6f5939d165e510e63db440be81d669f6bc40b46c93c670bcc6bb4867dc324473b479d2189cddc7704dc598e9aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e259f9f59fd95da4075192b409c312dd

SHA1
b05205625b0ed7130e6d61b24e555af8f47c5307

SHA256
30eb20226ffcdca7ddf68dbeb2abb58e691e90d4e8d48b4b38d35602cc71707b

SHA512
23f3adec2f3f26879628bcfeff5f26d6ce6619ff6af3130be0e6f2d99d923905efadd9df1703f106a64ff3082a4d81da8684fa343fbddbad22318caa94d739cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b697308b7e3e043c53190dd3e175a591

SHA1
87cdf4871928e1c89b32498f0ab74f447734f1b8

SHA256
e77c78b0b476b9488b5eac37015fb0a9abda5ebfcf8fffab5fc975484ca90b8f

SHA512
3d9e13624e9717b306dccbf14e7ff522e6edf1120602f7cf2a52250160d10132fec425e5907f92ee27f20041085128eee21ac91e3f4e6017f1c5805b359a44c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
07b506cf7e6f97a904fa842347de89ce

SHA1
3be0ea31478dd741d496f36407e8f5683d0b9cc9

SHA256
5d9af6773b46cd2f2f7c49b7b591b6b03f3d96558a8a9a977c85307a9c6ef811

SHA512
285215a51348b3cdf4b3104b84d349d357f969c458bb6425906019902e131e1e5f1bcf9f4d574b1490b991df431a5941b5c5330b02b879b3f92c2152329a051f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4ccc2c651329fa47f264419638d6bf1c

SHA1
d0938a93a0c7cf1a404b62355bb2657fc75f1d55

SHA256
1b76a1071605ad49c0e8fdb57616117d3aaaf2e4d85b5338c90f5c6bf3ff92a1

SHA512
7282a2bbb2aaee3d7d4c2e43cd67a73a936db2ae160977579890deeed32cb0757ac4a52b29b8b764a1c2284e685d4bb1749c03f82a04340282d72cec091710da

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit