hxxps://github[.]com/Dfmaaa/MEMZ-virus

Analysis

max time kernel
1800s
max time network
1685s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Dfmaaa/MEMZ-virus

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610477681583262"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
632	chrome.exe
632	chrome.exe
452	chrome.exe
452	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
632	chrome.exe
632	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe
Token: SeShutdownPrivilege	632	chrome.exe
Token: SeCreatePagefilePrivilege	632	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 4988	632	chrome.exe	82
PID 632 wrote to memory of 4988	632	chrome.exe	82
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 2192	632	chrome.exe	83
PID 632 wrote to memory of 116	632	chrome.exe	84
PID 632 wrote to memory of 116	632	chrome.exe	84
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85
PID 632 wrote to memory of 2484	632	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Dfmaaa/MEMZ-virus
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb263eab58,0x7ffb263eab68,0x7ffb263eab78
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1568,i,10729036843609404834,9068100638507043851,131072 /prefetch:2
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1568,i,10729036843609404834,9068100638507043851,131072 /prefetch:8
  2⤵
  PID:116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2180 --field-trial-handle=1568,i,10729036843609404834,9068100638507043851,131072 /prefetch:8
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1568,i,10729036843609404834,9068100638507043851,131072 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1568,i,10729036843609404834,9068100638507043851,131072 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 --field-trial-handle=1568,i,10729036843609404834,9068100638507043851,131072 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4548 --field-trial-handle=1568,i,10729036843609404834,9068100638507043851,131072 /prefetch:8
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2396 --field-trial-handle=1568,i,10729036843609404834,9068100638507043851,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:452

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9f5fd307a166886801b92313da19067d

SHA1
229d1b26ff5681b515441ad5a6bb58f54a7a5872

SHA256
60a206ff7eeea87824b489ce17b575bd353cb9a02641aaa55a2aed73d7c82978

SHA512
b0f292d2a043b7c2bec5a6046f7285e0da4f593975c12b90f3402f043d0adf51691064920818ae17fcbb64c26b5794817f37c2e8546e7b58a07b7be6687f7891

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
abf30ed7bee4493d59968299148e1980

SHA1
f7be6bee8742e8de74aefd83655082aa46629ec5

SHA256
fb4b916bfaf56032d5661c579ed7b2cfaf3597db2d9dacef8550a31d36a1bb44

SHA512
0afa48ae53e67a1cbef3df22362a2ee402cea2ae5395ef8af9d9abc0db4e7dd6183465e02f45f6e1f24d501aafb31e3ffc01396367e886150ab25dc4539265d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f18f256070d6923c49fe444649328a43

SHA1
a06fb52bd4a8425e20ec85f6d3a9d547b15fcd21

SHA256
49e8a0e2f03f026aa596d070fbc6c6bd2be109bc656af98adb2393532bfa50c5

SHA512
3e2ed97a79d32e9d52bf7b6c1c29a4729fd7fd23dd0605bb820f84ed6f0aae263a70f6f6e1b46f32db6daf3a22b53133d054493b3c1cdbe3cab0031de2d46321

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7af60eeefb03013729536177d1b64030

SHA1
0393a0b800892147257ad184d2114a9457853796

SHA256
71652a05cf193a866ed059f6857ec68234750c4442bd2ff8d7a488d2eda9418e

SHA512
cc0f6ef9189df5a21dc59d3a4b655ca6d4be157bdebef2bc0a3ca5dd9ea313f624e9ff5ae08ad4a2d001c9cbbc96666a40574ff42d6edb8b54787b3839c62c43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
44b528b6006c761f4f635469eb15fa5d

SHA1
716825471e875e0c879125a771dfea284344566c

SHA256
7c1f0f5ced29cd475adc26cb8bfefd8120f0a09f9a873503b485f5ef54febbf4

SHA512
1dae8deed6f49f281436a4bd47f98b3d7c06fd6fb5b2abbc395d84cab8ab497699d364d38f90f0dd79aa38e34ed26131cd51e6bbc9db45e13f1c31d9dcb85073

Download Submit