Analysis

  • max time kernel
    67s
  • max time network
    67s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    28/04/2024, 16:20

General

  • Target

    KaneMEMZ.exe

  • Size

    1.1MB

  • MD5

    f7198a6161828d31781f77bbaa759bb7

  • SHA1

    e9d3132fff5df2163c48c617421d6bf5b6e90f18

  • SHA256

    d3ef86049ff983b3e0cb59b537aadf962de420570a23b5ee61d2fa3145fcf667

  • SHA512

    74ef6cf7e19135f4c0eb90e4f284a5eca65de4c2fc18510ad9c61f9463653e3c80b40c15031208cf44f6762757d9cd7be7cc62eb5c1effccfd655f497a36fbba

  • SSDEEP

    24576:YizhS0x6VkEx8ojX1NQX3eCH4xtp4jRtSCwZLn3VZzqnON20H:dJETQX1Yxti4T/

Signatures

  • Executes dropped EXE 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
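The "Writes to the Master Boot Record (MBR)" signature above is the one that matters for recovery: once the first sector of the disk has been overwritten, the machine will not boot normally even after the dropped executables are deleted. The following is an added example, not part of the sandbox report and not the sample's own code. It parses a 512-byte MBR sector, decodes the partition table, and compares the 440 bytes of bootstrap code against a known-good SHA-256 so that an overwrite like the one MBR.exe performs shows up as a finding. The two sectors it runs on are constructed for illustration; on a real Windows host the live sector is the first 512 bytes of `\\.\PhysicalDrive0` (readable as Administrator) and the baseline hash comes from a trusted image of the same disk.

```python
"""Parse a 512-byte MBR sector and flag a boot-code overwrite.

Added example for this report; not sandbox output and not the sample's code.
The sectors below are constructed. On a real host read the first 512 bytes of
\\\\.\\PhysicalDrive0 as Administrator and take the baseline hash from a
known-good image of the same disk.
"""
import hashlib
import struct
from dataclasses import dataclass, field

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439: bootstrap code
DISK_SIG_OFF = 440            # 4-byte Windows disk signature, then 2 reserved
PART_TABLE_OFF = 446          # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


@dataclass
class PartitionEntry:
    status: int       # 0x80 = active/bootable, 0x00 = inactive
    ptype: int        # 0x07 = NTFS/exFAT, 0x0c = FAT32 LBA, 0xee = GPT protective
    lba_start: int
    sectors: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80


@dataclass
class Mbr:
    boot_code: bytes
    disk_signature: int
    partitions: list = field(default_factory=list)
    valid_signature: bool = False

    def boot_code_sha256(self) -> str:
        return hashlib.sha256(self.boot_code).hexdigest()


def parse_mbr(sector: bytes) -> Mbr:
    """Decode one MBR sector; raises on wrong length, never on bad content."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFF)[0]
    mbr = Mbr(sector[:BOOT_CODE_LEN], disk_sig,
              valid_signature=sector[510:512] == BOOT_SIGNATURE)
    for i in range(4):
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, count
        status, _, _, _, ptype, _, _, _, lba, count = struct.unpack_from(
            "<8BII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:                           # type 0 = empty slot
            mbr.partitions.append(PartitionEntry(status, ptype, lba, count))
    return mbr


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return human-readable findings; an empty list means the MBR looks intact."""
    findings = []
    mbr = parse_mbr(sector)
    if not mbr.valid_signature:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if mbr.boot_code_sha256() != baseline_sha256:
        findings.append("boot code differs from baseline: possible MBR overwrite")
    if not mbr.partitions:
        findings.append("partition table is empty")
    elif sum(p.bootable for p in mbr.partitions) != 1:
        findings.append("expected exactly one active partition")
    return findings


def _entry(status: int, ptype: int, lba: int, count: int) -> bytes:
    """Pack one partition-table entry (CHS fields zeroed; LBA is what matters)."""
    return struct.pack("<8BII", status, 0, 0, 0, ptype, 0, 0, 0, lba, count)


# --- constructed sample sectors (not taken from the analysed binary) ----------
# Boot code opens with the usual xor ax,ax / mov ss,ax / mov sp,7C00 prologue
# and is padded with NOPs; a real Windows MBR differs but has the same layout.
GOOD_BOOT_CODE = bytes.fromhex("33c08ed0bc007c") + b"\x90" * (BOOT_CODE_LEN - 7)
PART_TABLE = _entry(0x80, 0x07, 2048, 1_000_000) + b"\x00" * 48   # one active NTFS
GOOD_SECTOR = (GOOD_BOOT_CODE + struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
               + PART_TABLE + BOOT_SIGNATURE)
BASELINE = hashlib.sha256(GOOD_BOOT_CODE).hexdigest()

# A bootkit-style overwrite: the 440 code bytes are replaced while the partition
# table is left intact, so the running OS sees nothing wrong until reboot.
TAMPERED_SECTOR = b"\xcc" * BOOT_CODE_LEN + GOOD_SECTOR[BOOT_CODE_LEN:]

if __name__ == "__main__":
    for name, sec in (("good", GOOD_SECTOR), ("tampered", TAMPERED_SECTOR)):
        print(name, check_mbr(sec, BASELINE) or ["ok"])
```

The check deliberately hashes only the bootstrap code and not the whole sector: the disk signature and partition table legitimately change when volumes are added or resized, whereas the 440 code bytes should only change with an OS upgrade or a deliberate `bootrec /fixmbr`. Keep the baseline per disk and alert on any mismatch.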

Processes

  • C:\Users\Admin\AppData\Local\Temp\KaneMEMZ.exe
    "C:\Users\Admin\AppData\Local\Temp\KaneMEMZ.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5060
    • C:\Users\Admin\AppData\Local\Temp\MBR.exe
      C:\Users\Admin\AppData\Local\Temp\\MBR.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      PID:2976
    • C:\Windows\SysWOW64\notepad.exe
      notepad.exe C:\Users\Admin\AppData\Local\Temp\\note.txt
      2⤵
      PID:2100
    • C:\Users\Admin\AppData\Local\Temp\T.exe
      C:\Users\Admin\AppData\Local\Temp\\T.exe
      2⤵
      • Executes dropped EXE
      PID:4720
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004CC
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4744
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3a1a055 /state1:0x41c64e6d
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:756

Network

Downloads

          • C:\Users\Admin\AppData\Local\Temp\MBR.exe

            Filesize

            11KB

            MD5

            62e84719950c1e880337a2227170777b

            SHA1

            fbe18bb919391e75453cedc34bfd13f35a7874c9

            SHA256

            5b6c61fb89e825dddcf86fbe9c0c507409c141a92d9725b3cd0258207436597e

            SHA512

            22d2996f8a02c18303e49b41a6f44e0ea861f70a1cb0afff13b44ebce7038f420693060a860e4e863cf025f789ca05f5eb20c1269e77f3ba9bd16597c125acb5

          • C:\Users\Admin\AppData\Local\Temp\T.exe

            Filesize

            83KB

            MD5

            a9ad6ca7d99a8ad21d7f197b5e82be06

            SHA1

            8ef7889957a8d086ad03994bda4a3cf04eb1afe5

            SHA256

            a1c3c84cc5943818fc3b321ba28bca076ee8aba91c33dac51695d9eb685e437c

            SHA512

            35e48422f9626006fcb9e6bf7ea44f3d9a615b4004ab407d46c02aae8475910722fadd9348a9b8f2181a2739c271a2b2f539d97fe799a4818b4fb81a1271d719

          • C:\Users\Admin\AppData\Local\Temp\note.txt

            Filesize

            266B

            MD5

            a8bab44204bfb44e32bbd92c354fee4e

            SHA1

            3f82017f8e72d77061e5b265d44a510fa9113a5a

            SHA256

            909a4793c5681687646f04d024c4741605dc11ab2f54956457417031965b05a6

            SHA512

            7014bfc27d21fd8f87ae453a3c974503d390e317efa526c121124fb1da7601dff399459d5a9d37a471c52a9e978d5191a06ed5a28645674013b6d058baa56db1

          • C:\Users\Admin\Desktop\MEMZ10612.jpg

            Filesize

            875B

            MD5

            b76b5675d91e9a9945e4b4b5bfb45942

            SHA1

            1e5cc4a895254de3b87dca4455a1ea5221bbfdcd

            SHA256

            43cbbfe3d93ad0aefd77ce3bd68fcde826f1dcf8eea5b551b24aefaf937bd43c

            SHA512

            cfacc0a8c8e791309ccaf1fd98fa84ab9dd084025d3c6140fa0402e28fea8eb221eff717218e268d4e549aed8e3e8dce545cf5b4ca1d19fdf1723ca11820b4de

          • memory/2976-7-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB