hxxp://tetr[.]io

Resubmissions

17/05/2024, 09:58

240517-lzgw7scf7y 6

17/05/2024, 09:55

240517-lx32nacf2w 1

Analysis

max time kernel
45s
max time network
60s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
17/05/2024, 09:58

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://tetr.io

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ-Destructive.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3938118698-2964058152-2337880935-1000\{8A9B7317-835F-48E3-9F32-C0A9331C3F5B}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\memz-master.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2516	msedge.exe
2516	msedge.exe
3492	msedge.exe
3492	msedge.exe
3580	identity_helper.exe
3580	identity_helper.exe
1248	msedge.exe
1248	msedge.exe
2512	msedge.exe
2512	msedge.exe
2792	msedge.exe
2792	msedge.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2564	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2564	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
3836	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe
1248	MEMZ-Destructive.exe
2448	MEMZ-Destructive.exe
2024	MEMZ-Destructive.exe
4728	MEMZ-Destructive.exe
3680	MEMZ-Destructive.exe
2024	MEMZ-Destructive.exe
2448	MEMZ-Destructive.exe
1248	MEMZ-Destructive.exe
4668	MEMZ-Destructive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 3744	3492	msedge.exe	80
PID 3492 wrote to memory of 3744	3492	msedge.exe	80
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2504	3492	msedge.exe	81
PID 3492 wrote to memory of 2516	3492	msedge.exe	82
PID 3492 wrote to memory of 2516	3492	msedge.exe	82
PID 3492 wrote to memory of 1552	3492	msedge.exe	83
PID 3492 wrote to memory of 1552	3492	msedge.exe	83
PID 3492 wrote to memory of 1552	3492	msedge.exe	83
PID 3492 wrote to memory of 1552	3492	msedge.exe	83
PID 3492 wrote to memory of 1552	3492	msedge.exe	83
PID 3492 wrote to memory of 1552	3492	msedge.exe	83
PID 3492 wrote to memory of 1552	3492	msedge.exe	83
PID 3492 wrote to memory of 1552	3492	msedge.exe	83
PID 3492 wrote to memory of 1552	3492	msedge.exe	83
PID 3492 wrote to memory of 1552	3492	msedge.exe	83
PID 3492 wrote to memory of 1552	3492	msedge.exe	83
PID 3492 wrote to memory of 1552	3492	msedge.exe	83
PID 3492 wrote to memory of 1552	3492	msedge.exe	83
PID 3492 wrote to memory of 1552	3492	msedge.exe	83
PID 3492 wrote to memory of 1552	3492	msedge.exe	83
PID 3492 wrote to memory of 1552	3492	msedge.exe	83
PID 3492 wrote to memory of 1552	3492	msedge.exe	83
PID 3492 wrote to memory of 1552	3492	msedge.exe	83
PID 3492 wrote to memory of 1552	3492	msedge.exe	83
PID 3492 wrote to memory of 1552	3492	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://tetr.io
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe782b3cb8,0x7ffe782b3cc8,0x7ffe782b3cd8
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,11585783464574084204,2506225562773084733,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,11585783464574084204,2506225562773084733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,11585783464574084204,2506225562773084733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11585783464574084204,2506225562773084733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11585783464574084204,2506225562773084733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11585783464574084204,2506225562773084733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,11585783464574084204,2506225562773084733,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3904 /prefetch:8
  2⤵
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,11585783464574084204,2506225562773084733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,11585783464574084204,2506225562773084733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11585783464574084204,2506225562773084733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11585783464574084204,2506225562773084733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1888,11585783464574084204,2506225562773084733,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5836 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11585783464574084204,2506225562773084733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11585783464574084204,2506225562773084733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11585783464574084204,2506225562773084733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11585783464574084204,2506225562773084733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11585783464574084204,2506225562773084733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11585783464574084204,2506225562773084733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11585783464574084204,2506225562773084733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11585783464574084204,2506225562773084733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,11585783464574084204,2506225562773084733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6740 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3244

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004D8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3836
- C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4668
- C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1248
- C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2448
- C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2024
- C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4728
- C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_memz-master.zip\MEMZ-master\MEMZ-Destructive.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:3680
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
046d49efac191159051a8b2dea884f79

SHA1
d0cf8dc3bc6a23bf2395940cefcaad1565234a3a

SHA256
00dfb1705076450a45319666801a3a7032fc672675343434cb3d68baccb8e1f7

SHA512
46961e0f0e4d7f82b4417e4aac4434e86f2130e92b492b53a194255bd3bba0855069524cd645f910754d4d2dbf3f1dc467bcc997f01dc6b1d8d6028e2d957236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d22039bc7833a3a27231b8eb834f70

SHA1
79c4290a2894b0e973d3c4b297fad74ef45607bb

SHA256
402defe561006133623c2a4791b2baf90b92d5708151c2bcac6d02d2771cd3d6

SHA512
c69ee22d8c52a61e59969aa757d58ab4f32492854fc7116975efc7c6174f5d998cc236bbf15bce330d81e39a026b18e29683b6d69c93d21fea6d14e21460a0a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5ab0d8d1-555a-4aa6-9ac2-e9248f679b09.tmp

Filesize
1KB

MD5
3de42da25c9b4d29c3f8969b7f17ad37

SHA1
b0a855340c6d20617a0fcbf5f8d9889777452368

SHA256
45ff94105452b141aa52835fada4c22556481bbe9931b70eda8980fb183ef604

SHA512
e3e82cec6a2b5003f971e55edede35222ffb7f328d79270693de78177daf3da9bf7679bb82a619d74788e9dc2710daa4e9a262c4c5721b28fa748fd80229d02f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c380e11edd910c1a37d9bba74857e1bb

SHA1
188d7e811dcf406ffb50646c0d88b52262c29e30

SHA256
a462b7cdb155aa5ac6cab55c2759db3f4f6653a32bf1dfaf0bf4af56d2dec643

SHA512
41bffdaddffb3fdb5276ea975493795f3b6a17dff3961f04f892196ba7c91e99489cc0db7e73128532fc30eb23c5cffdbf9119d6d02e807bd15494f2daafb0a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
78fe17b4830413d5c32b617a79db0617

SHA1
df63b73487ff9b299918f1cc3b054eebba5c2a9a

SHA256
b2d94e745b38b22061e3c84c45b7c965f91dd510a0ec86bfa0f7c55a61a86419

SHA512
6489f1edb407e3cd17736521b9672aae816907f98f4a4a5d65c997de0fb94f4cb1e37286f2ea79df5732f59b30f1b073965aa7ca17469fde112ff29de3b70692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e356ea1f141d0d77bb9263450c605551

SHA1
8a3093c357265511263a1da7c3f208255f7bb5a4

SHA256
599451a3424b389075eab3d2e764f850b3a50c635fd646f31efa518cbe8c52cc

SHA512
0ae8a92bdc8bea98240144e753e9929322de7ca0962d497b699b57f2ae5bb75ccea8b78905ecc414148934c89f96de45673a8d3c102e30b69c782b01a8d84ef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
83712c9fbd89152cdaba7a24a1318423

SHA1
2af0e113b5ec45ea4b034103809ba5b8dd2658f2

SHA256
9e72c0a2688fd80a09f754aac9606fe0e348ee9ba4b80038c161cdbb271657d9

SHA512
dc8b9e70a781cd4a4b171caaccb9ed44ad88d6087df085537cf0198ac89ba0b0f246e12717b1324cdc0ea4350081ea08915a776d68b1c6d41865cfa8f349da50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ad09.TMP

Filesize
705B

MD5
715615b243db9c195e4b42754a3dc53b

SHA1
4ba326c7f31364c4cf20c9660a6597702469a3cc

SHA256
aa20ff084ada07ce6b080025bc4375533a16d903abdab37dc83e365f7ad192f2

SHA512
9209a0b320f85709f2eb8912698e51cb8a644976822ec8ada03f0c2d7b050af0094c9dfa6b821e12fa67b91c9cbd8f9982d3ea353444ef6136efb7070f92494b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
57aa509c26b0479b692d78b5139e9b7e

SHA1
8ae18527ad0b53f06af0331ad6b988910bac6e89

SHA256
ab04f29d632613e39e0c97a5fce179e9773dd721bdbf27683df42db27eace1eb

SHA512
ce3ff8c9b67f191cf36e26f2d7de5c063b1ccca20dff4ae3da121b6b883ca2d4eb2185dae3defa6906df73e78d96e9e441c6efe6855b18f07ec688243e8487cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
75846cad8dec186485c1f555ad20344e

SHA1
2969b83902cd4b688108478a22d1915e6213ddbd

SHA256
34e64d7e0d275e6d7213b81f5f61ab59ed15e8b938db7bc641c4f3cb2d013e79

SHA512
25f68a3da78e6b0ba70388fd21ad01d68f59846e6a1d01fa1ffb070e8a9bbcb9082b6c9d7e114b54944fb2f1081d806ab15dcfd42ca80ad580643e84729504e7

Download Submit
C:\Users\Admin\Downloads\memz-master.zip

Filesize
17KB

MD5
4790677e05d72ef7429dddf35562bf4a

SHA1
4243d6ea53db7e8cc0c355e70d6cffb54787b90b

SHA256
319bf6087040d17b87f46cd05f5ee064c291ba9ca46e1910f28d1f4c57cb3d96

SHA512
a93c5f691938bc1bdd9ef20b975f0b22cf494543e7df82ec31838bf811552ead5cd855959be4e47186ee7de944be005030f52f58b9dc85e7cde719cb97b794e3

Download Submit
C:\Users\Admin\Downloads\memz-master.zip:Zone.Identifier

Filesize
167B

MD5
48aa202d5600ab0160ddf7d753b4a177

SHA1
4d1e68a6908f66faaa15d253130aeff6fe323c3f

SHA256
832b62b5324e24a4e7f43cc66e1610f2e22871acd1a930b9991b4d79e5930154

SHA512
1a51b931c974ad6c54ce5167535f17df75c5fcf11b8314d3a55dbdda777d826f3d27032b51308725f6af925163dc0b22095ca62523375850cd63349fc7148c79

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads