Overview

overview

10

Static

static

3

BUG32.exe

windows7-x64

BUG32.exe

windows10-2004-x64

MEMZ 3.0/MEMZ.bat

windows7-x64

7

MEMZ 3.0/MEMZ.bat

windows10-2004-x64

7

MEMZ 3.0/MEMZ.exe

windows7-x64

6

MEMZ 3.0/MEMZ.exe

windows10-2004-x64

7

MEMZ-Destructive.exe

windows7-x64

6

MEMZ-Destructive.exe

windows10-2004-x64

7

Trojan.Win32.000.exe

windows7-x64

Trojan.Win32.000.exe

windows10-2004-x64

Trojan.Win...or.exe

windows7-x64

Trojan.Win...or.exe

windows10-2004-x64

Trojan.Win...sk.exe

windows7-x64

6

Trojan.Win...sk.exe

windows10-2004-x64

6

Resubmissions

03-03-2024 13:51

240303-q5vgpscb85 10

03-03-2024 13:45

240303-q2r76sbd9y 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Trojan.zip

  • Size

    25.5MB

  • Sample

    240303-q5vgpscb85

  • MD5

    59a1b98dd557235b9a15eeeb7cc1c51e

  • SHA1

    0a731b1ce5f1214fb925ae5566ae65ad40e77b16

  • SHA256

    4b30f308a5f0cf34361f5a53f2d73c523188adbbd9ac264275946197a3a8aa28

  • SHA512

    294cdd747e744dcfa5ae8baf3f8102a4393faa0593fbae0d2a68082b954a079a15b4f7072dbb1667b4c766aad800ef73e5526df4eef9cf5b0bf617a530387d53

  • SSDEEP

    393216:V5EYRwa8J0+T3WCa+aKkXPSssursuNzI+nyDhSbfChI00y/DomC:XRU0i3ta5KkXq3uf+4bKhI0X0

Score
10/10
bootkitevasionpersistenceransomwarespywarestealertrojan

Malware Config

Targets

    • Target

      BUG32.exe

    • Size

      3.0MB

    • MD5

      149cc2ec1900cb778afb50d8026eadf5

    • SHA1

      a7bc1bbc7bdc970757ec369ef0b51dc53989f131

    • SHA256

      817a695e53a1d6e24f2c701751b4d18468f20698f30fada420dfba6e21a09797

    • SHA512

      d617654478beb6325d86c108cddaff8f8d658a235d26b8e0282ed85dca826bdb62b0b67e749c7cd421dbae1d98084220e2f4d5779badb8fd7ab07ff333a35553

    • SSDEEP

      49152:Or2U5IahDUGN97rkqOAackLjQ0rZEAh3oA6wHE+K60Kk0aCLkfAZKt0OJTcL:4H2ahFNNrg3QbQoA6wHEnFN4IJu

    Score
    10/10
    evasionpersistenceransomwarespywarestealertrojan

    • Modifies WinLogon for persistence

      persistence

    • UAC bypass

      evasiontrojan

    • Renames multiple (155) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Modifies Installed Components in the registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Modifies system executable filetype association

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

    • Target

      MEMZ 3.0/MEMZ.bat

    • Size

      12KB

    • MD5

      13a43c26bb98449fd82d2a552877013a

    • SHA1

      71eb7dc393ac1f204488e11f5c1eef56f1e746af

    • SHA256

      5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513

    • SHA512

      602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a

    • SSDEEP

      384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

    Score
    7/10
    bootkitpersistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    behavioral3behavioral4

    • Target

      MEMZ 3.0/MEMZ.exe

    • Size

      12KB

    • MD5

      a7bcf7ea8e9f3f36ebfb85b823e39d91

    • SHA1

      761168201520c199dba68add3a607922d8d4a86e

    • SHA256

      3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

    • SHA512

      89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

    • SSDEEP

      192:HMDLTxWDf/pl3cIEiwqZKBktLe3P+qf2jhP6B5b2yL3:H4IDH3cIqqvUWq+jhyT2yL

    Score
    7/10
    bootkitpersistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral5behavioral6

    • Target

      MEMZ-Destructive.exe

    • Size

      14KB

    • MD5

      19dbec50735b5f2a72d4199c4e184960

    • SHA1

      6fed7732f7cb6f59743795b2ab154a3676f4c822

    • SHA256

      a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

    • SHA512

      aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

    • SSDEEP

      192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj

    Score
    7/10
    bootkitpersistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral7behavioral8

    • Target

      Trojan.Win32.000.exe

    • Size

      6.7MB

    • MD5

      d5671758956b39e048680b6a8275e96a

    • SHA1

      33c341130bf9c93311001a6284692c86fec200ef

    • SHA256

      4a900b344ef765a66f98cf39ac06273d565ca0f5d19f7ea4ca183786155d4a47

    • SHA512

      972e89ed8b7b4d75df0a05c53e71fb5c29edaa173d7289656676b9d2a1ed439be1687beddc6fb1fbf068868c3da9c3d2deb03b55e5ab5e7968858b5efc49fbe7

    • SSDEEP

      3072:V3LA1++iCeFj0im6X/AXpT8vVMCcHVcdhghUuzzo9Y:lLJlC6j0CX4XmvWHVcd62uo9

    Score
    8/10
    evasionpersistenceransomware

    • Disables Task Manager via registry modification

      evasion

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

      persistence

    • Sets desktop wallpaper using registry

      ransomware
    behavioral10behavioral9

    • Target

      Trojan.Win32.BossDaMajor.exe

    • Size

      1.9MB

    • MD5

      38ff71c1dee2a9add67f1edb1a30ff8c

    • SHA1

      10f0defd98d4e5096fbeb321b28d6559e44d66db

    • SHA256

      730a41a7656f606a22e9f0d68782612d6e00ab8cfe1260160b9e0b00bc2e442a

    • SHA512

      8347782951f2647fe433482cb13186653afa32ee9f5be83a138c4ed47ff34d8de66a26e74b5a28ea21c1529b2078401922a9a26803772677b70489967c10f3e9

    • SSDEEP

      49152:veG3J7FtM9SbJakTiTBMGSARaspyyx979PSxgKFdGlYU:2GZxSoJrTiTBMGtRa8t7EFddU

    Score
    10/10
    evasionpersistencetrojan

    • Modifies WinLogon for persistence

      persistence

    • UAC bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Modifies system executable filetype association

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral11behavioral12

    • Target

      Trojan.Win32.KillDisk.exe

    • Size

      60KB

    • MD5

      571de903333a6951b8875a73f6cf99c5

    • SHA1

      5c2ef418a36799541cec673dd7d9f87371a9e3bd

    • SHA256

      8a81a1d0fae933862b51f63064069aa5af3854763f5edc29c997964de5e284e5

    • SHA512

      dcfb8ae96ec975938592f22932a804b3105bc3293a22ed336bd9687045bc0e168e6aef9a1485f1a2d986e1d7e928221d7ee7b53f756958b700fc4dada503f309

    • SSDEEP

      1536:8f0XnibgFacx2jecu0FRf6Ut3JhH0Y4LZ2FkRg:fEecVNvhUYqS

    Score
    6/10
    bootkitpersistence

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral13behavioral14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

8
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

5
T1012

System Information Discovery

5
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Tasks