2a45e44be359fba4c85591e7b13d1ec772ed181adc41254d8b00d31b2d15878e

max time kernel
61s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Memz.exe
Size

14KB
MD5

19dbec50735b5f2a72d4199c4e184960
SHA1

6fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256

a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512

aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
SSDEEP

192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Memz.exeMemz.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	Memz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	Memz.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

Memz.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Memz.exe
Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Memz.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Memz.exeMemz.exeMemz.exeMemz.exeMemz.exe

pid	process
2172	Memz.exe
2172	Memz.exe
3528	Memz.exe
3528	Memz.exe
3624	Memz.exe
3624	Memz.exe
2172	Memz.exe
2172	Memz.exe
4476	Memz.exe
4476	Memz.exe
2172	Memz.exe
2172	Memz.exe
3624	Memz.exe
3624	Memz.exe
3528	Memz.exe
3528	Memz.exe
3640	Memz.exe
3640	Memz.exe
3640	Memz.exe
3528	Memz.exe
3640	Memz.exe
3528	Memz.exe
3624	Memz.exe
3624	Memz.exe
2172	Memz.exe
2172	Memz.exe
4476	Memz.exe
4476	Memz.exe
4476	Memz.exe
2172	Memz.exe
4476	Memz.exe
2172	Memz.exe
3624	Memz.exe
3528	Memz.exe
3624	Memz.exe
3528	Memz.exe
3640	Memz.exe
3640	Memz.exe
3528	Memz.exe
3640	Memz.exe
3640	Memz.exe
3528	Memz.exe
3624	Memz.exe
3624	Memz.exe
2172	Memz.exe
2172	Memz.exe
4476	Memz.exe
4476	Memz.exe
2172	Memz.exe
4476	Memz.exe
2172	Memz.exe
4476	Memz.exe
3624	Memz.exe
3624	Memz.exe
3528	Memz.exe
3528	Memz.exe
3640	Memz.exe
3640	Memz.exe
3640	Memz.exe
3528	Memz.exe
3640	Memz.exe
3528	Memz.exe
3624	Memz.exe
3624	Memz.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

Memz.exemspaint.exe

pid process

1116 Memz.exe
1824 mspaint.exe
1824 mspaint.exe
1824 mspaint.exe
1824 mspaint.exe

pid	process
1116	Memz.exe
1824	mspaint.exe
1824	mspaint.exe
1824	mspaint.exe
1824	mspaint.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Memz.exeMemz.exe

description	pid	process	target process
PID 1572 wrote to memory of 2172	1572	Memz.exe	Memz.exe
PID 1572 wrote to memory of 2172	1572	Memz.exe	Memz.exe
PID 1572 wrote to memory of 2172	1572	Memz.exe	Memz.exe
PID 1572 wrote to memory of 4476	1572	Memz.exe	Memz.exe
PID 1572 wrote to memory of 4476	1572	Memz.exe	Memz.exe
PID 1572 wrote to memory of 4476	1572	Memz.exe	Memz.exe
PID 1572 wrote to memory of 3624	1572	Memz.exe	Memz.exe
PID 1572 wrote to memory of 3624	1572	Memz.exe	Memz.exe
PID 1572 wrote to memory of 3624	1572	Memz.exe	Memz.exe
PID 1572 wrote to memory of 3528	1572	Memz.exe	Memz.exe
PID 1572 wrote to memory of 3528	1572	Memz.exe	Memz.exe
PID 1572 wrote to memory of 3528	1572	Memz.exe	Memz.exe
PID 1572 wrote to memory of 3640	1572	Memz.exe	Memz.exe
PID 1572 wrote to memory of 3640	1572	Memz.exe	Memz.exe
PID 1572 wrote to memory of 3640	1572	Memz.exe	Memz.exe
PID 1572 wrote to memory of 1116	1572	Memz.exe	Memz.exe
PID 1572 wrote to memory of 1116	1572	Memz.exe	Memz.exe
PID 1572 wrote to memory of 1116	1572	Memz.exe	Memz.exe
PID 1116 wrote to memory of 4696	1116	Memz.exe	notepad.exe
PID 1116 wrote to memory of 4696	1116	Memz.exe	notepad.exe
PID 1116 wrote to memory of 4696	1116	Memz.exe	notepad.exe
PID 1116 wrote to memory of 1824	1116	Memz.exe	mspaint.exe
PID 1116 wrote to memory of 1824	1116	Memz.exe	mspaint.exe
PID 1116 wrote to memory of 1824	1116	Memz.exe	mspaint.exe

C:\Users\Admin\AppData\Local\Temp\Memz.exe
"C:\Users\Admin\AppData\Local\Temp\Memz.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2172
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4476
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3624
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3528
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3640
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /main
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit