Overview

overview

6

Static

static

3

Memz.exe

windows7-x64

6

Resubmissions

08-06-2024 08:50

240608-krvyesae91 10

08-05-2024 16:15

240508-tqnx6ach3w 10

08-05-2024 16:07

240508-tkr3mafa54 10

01-05-2024 18:02

240501-wmf49acg3s 6

27-04-2024 08:46

240427-kpfeysff8s 10

25-04-2024 21:25

240425-z9y55afb7v 10

25-04-2024 21:16

240425-z4pphafa97 10

25-04-2024 18:27

240425-w3929sde33 10

25-04-2024 18:17

240425-ww4a5sdc8x 10

Analysis

  • max time kernel
    50s
  • max time network
    68s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    01-05-2024 18:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Memz.exe

  • Size

    14KB

  • MD5

    19dbec50735b5f2a72d4199c4e184960

  • SHA1

    6fed7732f7cb6f59743795b2ab154a3676f4c822

  • SHA256

    a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

  • SHA512

    aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

  • SSDEEP

    192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj

Score
6/10
bootkitpersistence

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 36 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Memz.exe
    "C:\Users\Admin\AppData\Local\Temp\Memz.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Users\Admin\AppData\Local\Temp\Memz.exe
      "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1964
    • C:\Users\Admin\AppData\Local\Temp\Memz.exe
      "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1840
    • C:\Users\Admin\AppData\Local\Temp\Memz.exe
      "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1960
    • C:\Users\Admin\AppData\Local\Temp\Memz.exe
      "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3040
    • C:\Users\Admin\AppData\Local\Temp\Memz.exe
      "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2052
    • C:\Users\Admin\AppData\Local\Temp\Memz.exe
      "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /main
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe" \note.txt
        3⤵
          PID:2672
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b45
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2488
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2488 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2404
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe"
      1⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2744

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Pre-OS Boot

    1
    T1542

    Bootkit

    1
    T1542.003

    Privilege Escalation

    Defense Evasion

    Pre-OS Boot

    1
    T1542

    Bootkit

    1
    T1542.003

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      7dc4f868bd2186b6a56189257e6be613

      SHA1

      0f922d3a8de9e0ff4777ed8f29cbfbf3b1bf83dc

      SHA256

      00530bdcdcd64f582959744174f6d8f6f724b0299bedd066a52455313cd2f6a8

      SHA512

      c45b22b77dc30134d249b7c158ea220dc195b6cb9bfa033f21462cafbef356875a34114cc20231989bfb100bccd7658cc25d4992420cafaf49fa5b2e67f9a8c1

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      2b18db1ec78a175d94b9eecb3a2a9eee

      SHA1

      d152f3f673a9b91af2e810d32478a57e1a097890

      SHA256

      a4087417961b92025c700108b690266e8cfb89e9040f97f74b8c6064d8495c86

      SHA512

      fc25e3848cf8370db5266d1221cee7c04169f553860359fdc76d997bbe45464bfa1ca8a6364b97fca6b280537a977df062d3e65a0c337eb69942cd68b9491623

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      c20b674c98856b8c73ad703df8d9a7b6

      SHA1

      ac813785b72ba634bdbf5a8813978ce8470d3271

      SHA256

      1ff171c7fe1252635ee5ac6337f78b432f8938ff2b94471be292cbb11336495b

      SHA512

      1664f3db59120e68aead0caa4f63ee95603b71ce3a4512c939a5a25b295ff68bc307020d938fdb5d09fcd313affdd63c3eb7efb90d3b7174d636f4671d9c2be9

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      08b7d5aaa9c75d24eadfc74fe885dbc1

      SHA1

      e04b5fc79f70f904ff73656918ef010e0889a08d

      SHA256

      65a1a35612fa8dfb108985bef4e147a01f8080b03f1c3b3bf8f23706ae27615e

      SHA512

      ff1a52eb4bc22b6d9fc664accaeb8fe2175c941245d49ac817e09cb8f52d26ae1a5758d17aa7d9dce441cafc2a00df06cb56a5c984853079d65dd0cf52807b7f

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      04d1e3907846fb340e0bf72fd7bdbe82

      SHA1

      74217a6e1f874c17871794382abf32f12a71e094

      SHA256

      d7d7881cafebaf4b80e65c9091a4a1fb81bdfbec6202fa0400e3a7b16b8b239e

      SHA512

      55ce716b7f85db8291baf4cce473a6f0bff79e4c87097e9d377fb6a3a8d4ad615cd5572ab7e8baae9d48d15b43e14c279d9730601653e49c036b9f2481ffd3c1

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      b77449cc51653ac436df92aa2af31d9a

      SHA1

      cc906037632929497b1c1b96391850e8d329dd51

      SHA256

      b3cb902e31711ac58cf5327011becb0a0201422c90029d24584d33afaf673390

      SHA512

      c3582e6ecf1b80cad5ef2be2f0e2bc4c0d11e93f2f913afa198d659bd0f5025b829cb83a65d9e0f58700315e10f735e815a7573e3264d358966c3c4edad771b9

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      cfe2a9466ce342d037141cd74e72f550

      SHA1

      c85b8f2a7b0fa4796222444efd468e9a44bea8e0

      SHA256

      f092c436e057a18022cebfd88e1a2d61b6fec8e5eb4cdb4dd440e65a768cdcf7

      SHA512

      6b7e5950d495abf5c996a2aaac52bb687362c27bc14420557fd3892e6b7f18644b553d77861fb10ef15a9bb7ddad0ccc03deddc7e655f5b665246e5938567de9

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      2baece6b055b3a978b6c21e39ce4d1fe

      SHA1

      257209a91edde9285697711a935da99250578f7a

      SHA256

      9a635543449ca565ee56d6bbc1aac458ba6f0b7402df20f9a837579f85f67756

      SHA512

      8130ccea70b7d63fc0c487b2853287942b92055e3591b46866be871f4b83d5aa9777c3c27d1a3353d56cddfe8ed36ab2ec824739c147d32cb5394f74e3985946

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      d2aa1b7d8d6aefc6dcc9ae6bea3ba5c8

      SHA1

      eac073a90a64db306f642f5690ad345287fe61f0

      SHA256

      16064523ec46e52ae3fe733bf409057e711916b374771adaeb70f634c57ef153

      SHA512

      0fce5ce6de6990d8802d7ddded2c9397d5f2e238251c4ebe9b5f8aee3e60ba05e3f4f6f3c789c2984ab5e9739860588cf4b17d2858d8f0d07c558397fc877aa5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\CabCD41.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\TarCE22.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit
    • C:\note.txt
      Filesize

      218B

      MD5

      afa6955439b8d516721231029fb9ca1b

      SHA1

      087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

      SHA256

      8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

      SHA512

      5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

      Download Submit
    • memory/2744-3-0x0000000140000000-0x00000001405E8000-memory.dmp
      Filesize

      5.9MB

      Download
    • memory/2744-2-0x0000000140000000-0x00000001405E8000-memory.dmp
      Filesize

      5.9MB

      Download