Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
78s -
max time network
77s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
19/02/2024, 17:12
General
-
Target
https://github.com/Dfmaaa/MEMZ-virus
Malware Config
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Dfmaaa/MEMZ-virus1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc3ad246f8,0x7ffc3ad24708,0x7ffc3ad247182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,2804686283057191931,15535975186283234814,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2804686283057191931,15535975186283234814,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,2804686283057191931,15535975186283234814,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2804686283057191931,15535975186283234814,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2804686283057191931,15535975186283234814,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2804686283057191931,15535975186283234814,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2804686283057191931,15535975186283234814,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2804686283057191931,15535975186283234814,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,2804686283057191931,15535975186283234814,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4796 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2804686283057191931,15535975186283234814,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2804686283057191931,15535975186283234814,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,2804686283057191931,15535975186283234814,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6288 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2804686283057191931,15535975186283234814,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2804686283057191931,15535975186283234814,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,2804686283057191931,15535975186283234814,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5884 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /main3⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" \note.txt4⤵
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"4⤵
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog2⤵
-
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog2⤵
-
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog2⤵
-
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog2⤵
-
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog2⤵
-
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /main2⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" \note.txt3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5011193d03a2492ca44f9a78bdfb8caa5
SHA171c9ead344657b55b635898851385b5de45c7604
SHA256d21f642fdbc0f194081ffdd6a3d51b2781daef229ae6ba54c336156825b247a0
SHA512239c7d603721c694b7902996ba576c9d56acddca4e2e7bbe500039d26d0c6edafbbdc2d9f326f01d71e162872d6ff3247366481828e0659703507878ed3dd210
-
Filesize
2KB
MD54deaa4394eb0b882c969366ee74cd623
SHA142c7f1a166b3285f590f3619267ef53269e5caf7
SHA256c7731823f36def8664f381f8faca2d7c956e4a7ce9264f2794e290c524bd6786
SHA512719a2e362d60ebb4377c3aa6a3b66fc7433b0767684ef6ed1a80196af5a44549942c65236308138aaf1558d7d65c134de6bce0893f24dc87660ccb4d5902bd53
-
Filesize
579B
MD576ce25dd0003895d216aec011fd48815
SHA182b7e4be21ebef67d9fe1b9b8025961da5a45f9a
SHA256c0098c46f84c08915e00ce0dba99fc5c119a8b277d1525335207466a7ce2f9bb
SHA5127926cd52bd8cb212c621ebee307fb85584c8f3b565daca95eaef7c8620b68d567334ab8da6b041ff975183fb984d73a84a5f0ae2b7a51c2a60a58a38cdb45f3b
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
5KB
MD5933616222e64fb2d2434f5e96fd1614d
SHA1c94f5b662d41082495ebe54c8e6f4ef227bf3a5d
SHA2562410a4c56f830761efaf175dc3a034fe7d84bc27c825b8b7a5cf2f6680d6c471
SHA512f897d9636873f9510a34e4ddd19710e5a6f15d01e2a791b1df674fd4ce254a1916494b899826cee8af8993098e437fd28025f4326dec9c4f3ab9a1ad8db246cc
-
Filesize
5KB
MD5e69a0943af71f2968ab1e9f7aa03feec
SHA1ba4d3ba98262550b5f55208fb12c20e04e78a6c4
SHA25654549b79d3c702f57708753535c0004c01a9f84ffbcfdbad31c97819c61139ee
SHA512df08013774abe877b9532645c1dae91c524f943e106301224d26b72c21127cf6d76d6afa97b89ad1eccd53edbecb508093beeefc8075ea9860267e3c92e19ca3
-
Filesize
5KB
MD58fcd51ac8eb6f1571790f5b9b7ed17cc
SHA17acd5486890ba7cbdfe641c41b35df77463da062
SHA256784431fb152b31f4e7ddcf226663ad68c5199fa47c9ecd8bbb532ee4cf3d0dfe
SHA5127caba8ee9e37c77fd57930dd434f09411478589f6d015d7c315d2502e41435480ea874d88221fdc35311c0e21f03f5be01617cc6d0bfa360b73e565d7e6df4a7
-
Filesize
6KB
MD542930c8e9defac116e229c5d65793dac
SHA18e16d1b0e3c4490dcd681f0f9d71d42d9f875d50
SHA256fdd93b7ba4513a73404c126f4bf120c2a855d113eb2edb208500bfca2a8017c8
SHA51286545495b9b7cbaf00f0f26af824ae79fcf40047d8e912f960fd08ecbb37cf4355c258be3c3bcd46cf6c27b50bf14363ce675307847cc4f79a579c61dea48042
-
Filesize
24KB
MD5f5b764fa779a5880b1fbe26496fe2448
SHA1aa46339e9208e7218fb66b15e62324eb1c0722e8
SHA25697de05bd79a3fd624c0d06f4cb63c244b20a035308ab249a5ef3e503a9338f3d
SHA5125bfc27e6164bcd0e42cd9aec04ba6bf3a82113ba4ad85aa5d34a550266e20ea6a6e55550ae669af4c2091319e505e1309d27b7c50269c157da0f004d246fe745
-
Filesize
1KB
MD5ff86b1e69cec4215ec8eab8477faea31
SHA1cfd006de8ead0ca6ce65792b1df95cbd0bcd9e47
SHA256221e55ab755a1c7ed5f05323f99bd5c5b4ba9a4803e96efb3f782f123b365930
SHA51205bbfd5fbe36ae6df8ec8b5c186dcc7d18c8bc07a00d278fb5d136d8a40590ec6e2f92b6fb44a9d59f17b69b9718aa7d4fcc5f582894176f49f70806469ba34d
-
Filesize
1KB
MD5fb7579d298774209d11c55742cd57356
SHA17e85ee2ab63702d8d5b626827f31a7e0e7a222f4
SHA2568dc22115dd89bbb4420b3758917073baa654eb5bfc9fe1c08d6884af9b5b0293
SHA512f11c5890283e584537bb206833cd2c367871b3081affdc57b4c1f51973ccb0921b7a10c5d042e3dd7421ab98614c9c11fb15362b6532046bb7ddacc46b75ba0e
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD500ba924d652f203006fc7e84a1df3812
SHA1efb34d789eb93b7017adf9948841d0023b791aaa
SHA256011d9bb2241e324862970bd27f7c8ef163a294a10e13d5b7a91e82adb5b19f95
SHA51254fd4accc2ab97aae9d52060b14a54cf3020c43dd2d40dda42945c5fc44c35aa783136ec8cf2519916ac49a4d1f46473a3f8ed1765318ce4ed840119f47efbe3
-
Filesize
10KB
MD53417097cf54b48b4bc48d177df7b356d
SHA1308bc47b86eecc48cd0f6d8696662fc8913c45ca
SHA256d1b9dcb8060143a2a4d320902106382873889194a6f0394502ec32ad9dd0a870
SHA512f665869dd94e2f142555acb91f3cc881e8ce082b22524d4989555ecd34b3d3d7d167f4e48842c5afda2873acffac2e8d9c0c0c8eff10caa1b716863adc4110c1
-
Filesize
10KB
MD56265f7814cfd42a85f9d3dad785e9d7b
SHA1c3e0a841ab7b4702016bd33500c0daa1b5641e1a
SHA256200034eef80d766d10de8dacac7772a3b58101c426a300a3d25259c297060022
SHA5122655dbdba8cbf4b0835366e46e16f21d204b8cb8ded3356e75e2753054f3ad8272777d86fc0eedb9dc37f83e0a3e98878de03c2d5d5724cbf846c5637c6c9125
-
Filesize
16KB
MD51d5ad9c8d3fee874d0feb8bfac220a11
SHA1ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA2563872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
-
Filesize
218B
MD5afa6955439b8d516721231029fb9ca1b
SHA1087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA2568e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA5125da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf