Overview

Overall score: 10

Task                  Platform              Score
Static                static                3
000.exe               windows10-1703-x64
000.exe               windows10-2004-x64
Ana.exe               windows10-1703-x64    7
Ana.exe               windows10-2004-x64
Bad Rabit.exe         windows10-1703-x64    10
Bad Rabit.exe         windows10-2004-x64    10
D34TH 2.0 .bat        windows10-1703-x64    8
D34TH 2.0 .bat        windows10-2004-x64    8
DDOS.bat              windows10-1703-x64    3
DDOS.bat              windows10-2004-x64    7
Desktop Puzzle.exe    windows10-1703-x64    1
Desktop Puzzle.exe    windows10-2004-x64    1
Memz.exe              windows10-1703-x64    7
Memz.exe              windows10-2004-x64    7
NoEscape.exe          windows10-1703-x64
NoEscape.exe          windows10-2004-x64
Phantom Crypter.bat   windows10-1703-x64    8
Phantom Crypter.bat   windows10-2004-x64    8
WannaCrypt0r.exe      windows10-1703-x64    10
WannaCrypt0r.exe      windows10-2004-x64    10
infinite locker.bat   windows10-1703-x64    7
infinite locker.bat   windows10-2004-x64    7
Analysis

max time kernel:   76s
max time network:  87s
platform:          windows10-2004_x64
resource:          win10v2004-20240226-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted:         19-04-2024 10:23
Tasks

Task            Type             Sample                 Resource
static1         Static task      (all samples)          -
behavioral1     Behavioral task  000.exe                win10-20240404-en
behavioral2     Behavioral task  000.exe                win10v2004-20240412-en
behavioral3     Behavioral task  Ana.exe                win10-20240404-en
behavioral4     Behavioral task  Ana.exe                win10v2004-20240412-en
behavioral5     Behavioral task  Bad Rabit.exe          win10-20240404-en
behavioral6     Behavioral task  Bad Rabit.exe          win10v2004-20240412-en
behavioral7     Behavioral task  D34TH 2.0 .bat         win10-20240404-en
behavioral8     Behavioral task  D34TH 2.0 .bat         win10v2004-20240412-en
behavioral9     Behavioral task  DDOS.bat               win10-20240404-en
behavioral10    Behavioral task  DDOS.bat               win10v2004-20240412-en
behavioral11    Behavioral task  Desktop Puzzle.exe     win10-20240404-en
behavioral12    Behavioral task  Desktop Puzzle.exe     win10v2004-20240412-en
behavioral13    Behavioral task  Memz.exe               win10-20240404-en
behavioral14    Behavioral task  Memz.exe               win10v2004-20240226-en
behavioral15    Behavioral task  NoEscape.exe           win10-20240404-en
behavioral16    Behavioral task  NoEscape.exe           win10v2004-20240412-en
behavioral17    Behavioral task  Phantom Crypter.bat    win10-20240404-en
behavioral18    Behavioral task  Phantom Crypter.bat    win10v2004-20240412-en
behavioral19    Behavioral task  WannaCrypt0r.exe       win10-20240404-en
behavioral20    Behavioral task  WannaCrypt0r.exe       win10v2004-20240412-en
behavioral21    Behavioral task  infinite locker.bat    win10-20240404-en
behavioral22    Behavioral task  infinite locker.bat    win10v2004-20240412-en
General

Target:  Memz.exe
Size:    14KB
MD5:     19dbec50735b5f2a72d4199c4e184960
SHA1:    6fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256:  a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512:  aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
SSDEEP:  192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj
Malware Config

(none extracted)

Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                                     Process
  Key value queried   \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation   Memz.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation   Memz.exe

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                    ioc                  Process
  File opened for modification   \??\PhysicalDrive0   Memz.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process (all entries are Memz.exe), in the order reported:
  548 (45 consecutive entries), then 1060, 548, 1060, 2364, 2364, 3280, 3280, 1116, 1116, 1060, 548, 1060, 548, 3280, 2364, 3280, 2364, 548, 1060
  Per PID: 548 x49, 1060 x5, 2364 x4, 3280 x4, 1116 x2

Suspicious use of SetWindowsHookEx (52 IoCs)
  pid / Process (all entries are Memz.exe), in the order reported:
  1720, 548, 3280, 2364, 1116, 1060, 3280, 1116, 1116, 1116, 548, 1060, 1060, 548, 1060, 548, 548, 1060, 1060, 2364, 2364, 2364, 2364, 2364, 548, 3280, 3280, 548, 1116, 3280, 1116, 3280, 3280, 2364, 1060, 1116, 548, 3280, 2364, 1060, 1116, 548, 3280, 2364, 1116, 1060, 548, 3280, 2364, 1060, 1116, 3280
  Per PID: 1720 x1, 548 x10, 3280 x11, 2364 x10, 1116 x10, 1060 x10

Suspicious use of WriteProcessMemory (21 IoCs)
  description                          pid    Process    procid_target   count
  PID 784 wrote to memory of 548       784    Memz.exe   93              3
  PID 784 wrote to memory of 2364      784    Memz.exe   94              3
  PID 784 wrote to memory of 3280      784    Memz.exe   95              3
  PID 784 wrote to memory of 1116      784    Memz.exe   96              3
  PID 784 wrote to memory of 1060      784    Memz.exe   97              3
  PID 784 wrote to memory of 1720      784    Memz.exe   98              3
  PID 1720 wrote to memory of 4184     1720   Memz.exe   101             3
Processes

C:\Users\Admin\AppData\Local\Temp\Memz.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Memz.exe"
  PID: 784
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Memz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
    PID: 548
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\Memz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
    PID: 2364
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\Memz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
    PID: 3280
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\Memz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
    PID: 1116
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\Memz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
    PID: 1060
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\Memz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /main
    PID: 1720
    - Checks computer location settings
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\notepad.exe
      Command line: "C:\Windows\System32\notepad.exe" \note.txt
      PID: 4184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1256 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
  PID: 844