092129f26834f0f3453c3c0cf6fc450c8d9c00e8521a464affb3b5696ae7263c

Resubmissions

17/04/2024, 16:38

240417-t5dqqsha6t 8

17/04/2024, 16:29

17/04/2024, 16:16

17/04/2024, 16:13

17/04/2024, 16:11

17/04/2024, 16:01

17/04/2024, 15:53

Analysis

max time kernel
44s
max time network
50s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
17/04/2024, 16:16

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

settings.json
Size

717B
MD5

9524b55958a0e976a0b97cda97c12516
SHA1

c27592c0c683be473ccc0f1299a1a464f9f4792b
SHA256

092129f26834f0f3453c3c0cf6fc450c8d9c00e8521a464affb3b5696ae7263c
SHA512

cf122e2a291baa58a753bccc0f7cc0d93ab35f62bd39ffce5cba29e9455f904727d7496f70154254c154481adcd25f59137d993b81c0f8d7c2642a6624ec5407

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
2992	MEMZ.exe
816	MEMZ.exe
4056	MEMZ.exe
4496	MEMZ.exe
4024	MEMZ.exe
1648	MEMZ.exe
3680	MEMZ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
42	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133578442315893084"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000_Classes\Local Settings	cmd.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2888	chrome.exe
2888	chrome.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe
816	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5012	OpenWith.exe
4496	MEMZ.exe
816	MEMZ.exe
4024	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2364	2888	chrome.exe	86
PID 2888 wrote to memory of 2364	2888	chrome.exe	86
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 2240	2888	chrome.exe	87
PID 2888 wrote to memory of 4616	2888	chrome.exe	88
PID 2888 wrote to memory of 4616	2888	chrome.exe	88
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89
PID 2888 wrote to memory of 4336	2888	chrome.exe	89

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\settings.json
1⤵
- Modifies registry class
PID:2156

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcf5bfab58,0x7ffcf5bfab68,0x7ffcf5bfab78
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1824,i,15600567196154923876,8786236022124588094,131072 /prefetch:2
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1824,i,15600567196154923876,8786236022124588094,131072 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1824,i,15600567196154923876,8786236022124588094,131072 /prefetch:8
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1824,i,15600567196154923876,8786236022124588094,131072 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1824,i,15600567196154923876,8786236022124588094,131072 /prefetch:1
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4200 --field-trial-handle=1824,i,15600567196154923876,8786236022124588094,131072 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4224 --field-trial-handle=1824,i,15600567196154923876,8786236022124588094,131072 /prefetch:8
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4336 --field-trial-handle=1824,i,15600567196154923876,8786236022124588094,131072 /prefetch:8
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4016 --field-trial-handle=1824,i,15600567196154923876,8786236022124588094,131072 /prefetch:1
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3364 --field-trial-handle=1824,i,15600567196154923876,8786236022124588094,131072 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4196 --field-trial-handle=1824,i,15600567196154923876,8786236022124588094,131072 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3828 --field-trial-handle=1824,i,15600567196154923876,8786236022124588094,131072 /prefetch:8
  2⤵
  PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4476 --field-trial-handle=1824,i,15600567196154923876,8786236022124588094,131072 /prefetch:8
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1824,i,15600567196154923876,8786236022124588094,131072 /prefetch:8
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4248 --field-trial-handle=1824,i,15600567196154923876,8786236022124588094,131072 /prefetch:8
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4328 --field-trial-handle=1824,i,15600567196154923876,8786236022124588094,131072 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4200 --field-trial-handle=1824,i,15600567196154923876,8786236022124588094,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5064 --field-trial-handle=1824,i,15600567196154923876,8786236022124588094,131072 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5144 --field-trial-handle=1824,i,15600567196154923876,8786236022124588094,131072 /prefetch:8
  2⤵
  PID:1348
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  PID:2992
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:816
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:4056
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4496
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4024
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:1648
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:3680
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:2248

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0a76b0de1a7bccc940cb74d648555fb4

SHA1
3a6dda6ba5e740201678f82d5c946ffa32586ee0

SHA256
0be24caf91f9976546a1b85ac63e32615bad120e5d733585743949bffbb635bc

SHA512
4427fb9b4721a797a0fbef770b48a8a221d7437c93b8d8c3c1a994220cdcceb3477f34ac1ddb87b89732de61134fa29b8a7bd1aa4ead642fa1691c47473337a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
0a73992fe007cc56b9a2eed5749a8ade

SHA1
afe396d01c8408911ee63c1315d220c48723bd86

SHA256
4a53145e11d1e2b92949fc6892cbc0aabce4a660336f50b46322c482aacd379a

SHA512
0a16eb86377ba34da4be2f522e55e09dca091104af29eb9b3ba6c52fbe690da9f5882ea5278cd5f25366bb4e11903faf82986aad19fd6f0dfbefeb1d512332bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0e78bd1d64a580e3cef34b1393d16db7

SHA1
266e942f58c28eecfae4235bf5dd577fabf3defa

SHA256
5c56d8d403ded96b6ad4cec761230c13798bbf1aaf6ebd0760eea715c3b5dd91

SHA512
777992fdc0217f7f2dfd9b548305b7a828fa7ed741c8dbee3515dcc78c4a48d3e7010de5b7984313442fa652cac1cdc5d1cffa25fe5e237b426a475a02330f0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ff24692746a7ed5a255f18a67b45018a

SHA1
9ba46526fd1d10a658ba450e79693d603ae72e85

SHA256
557f91dd59b626c6eb40834ac214baba8061d2093f0857563685728bde4ddc9f

SHA512
1e811266715aedc7ed57a371447a25108bcb6c3b99761dc26e1b17fa6652e9ba3ceb0fe7ca84ea650025d503a7fbbd96c3527b56b76fdb9d9b4880064bc11254

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
876d5754a913550a34a765e9a9c260dd

SHA1
2e12cb1910e9129823bc565b7b4c46b6b7d0158d

SHA256
0572ea05004522a976af6e49af40c6d70d1f61216759025307a73ba03c8d8b8b

SHA512
7b854480fb235775beef1f884a6e7b52dd7268b97d60a1bb70d4b30d7d0f746833224de4faeb98b8943efcd6db841bd73c18cbdf529ea61c20da4c0fe036e959

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
1c27cdce60ebe7a2e1c65e60ed6fd7b6

SHA1
6443316eef386b9ba7b9ec093a80bb17d0d064d1

SHA256
7b13152509e5fc9b3bcd5f691e0314972bc16a6e0cda60a1710ec757c3849611

SHA512
b7a693f5980ab7da596055ba62a690fa35e6c55f94d1ae71c4fa012dca8266b085ad413e7eaa8fa9ef9ed47929bfb39c44291607b770fb7003078ac0ee11a4e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3637bc52a10f4a8ca97a867ea30ccdfe

SHA1
489eabf4b87c664653b863dcb110bad10edd7927

SHA256
2e200056b2fa6fa2b444a4dbec8472d3168a6b7fba3ec98bcba1f0d3f6fe964e

SHA512
d792043edf07dc9841152db2e4fa527801a9bce94b9be9b18565cc2c2b9a490802ddc261ad6f2448c69eb949f28bd3ddfe9e984eccaa2c60a8db58ef37a93400

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
f5785913e545e38d74c1c607845e11bd

SHA1
65d362dbc08612b5b6f4ab3b8edd4d2c8e4228cf

SHA256
54fdcb11cf2a24a0b30005ec9eecc457fd15ab4a584e1f420c03a86f67b29a6f

SHA512
07fea1b118fba297bb671bb429d4591acfa7a66a052cbfc1ca850540a924766dbe30aae1a37521f9377663f5c99ee743ed8d2cc45bb080d37ac6dd3ee12226e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
0873f7f38a3fac84afb2d5160647e298

SHA1
42d8c8d02b471b0a0f749303887bd3e3eb736783

SHA256
d946abdc4af9f2fffd66d56552e929a9d9620b38c2b05614478c1228c733d598

SHA512
333ccf805eb7b7ede2ddc734228a066e44cb32c45d6ae7a7938b1a9b5a0f26792a32deedca17fa8d19c6332f6297621c8b206de0111525596de98eb94a272b9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
251KB

MD5
22510f2742335353875cea802a8a11b8

SHA1
e787ebdb4fb93c709523c18e630f006b0c328f97

SHA256
bea37622785bc9f45e6c71180304f9d91b22dacb40ee13cbc9c0d91953a41aa9

SHA512
c5b701089302c1e0f9e42c4eca404c1a9a28d13ae40698cad6ddf1f20843cd71c8d57eadfaa76056188dae932f9d9a6bdf57baa1a532e14713f4c2752b620e0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
251KB

MD5
fe797b788b55d9b55bd7d516a8b683da

SHA1
8e6a8f1ef6fa60f6ddb99221d5d34c6a260d21c9

SHA256
7375cc72428289103a7741b583493c05fddc2f7258bef8eb409fbe378e39291e

SHA512
cc15de57129b56561f67f2ef9b42e45924de6893f843330b7a15dfea83318f7b7a0d74da0c5ffcb9e8547b73edaf91b7e98f0205aada8fdfec31b33928d5b9b3

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier

Filesize
170B

MD5
42ba018776c229ec8042d86ed887eb02

SHA1
f659b4b6d07346fa251e3ecd12b487a8855ade69

SHA256
e10ac4ed219df684b0d33d8e5a69e1d6d94dd7e98431b7af73d678effd1f628e

SHA512
021be5429ee8526ffba42f298912446bc621b9a9449e712818b766dd2cff73e91c4496a6cc4f7f2065c063838a67f9e84ef82c81a1586e302bcff2044f8d5123

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads