Resubmissions

  • 28/06/2024, 02:19
    240628-cr3n9swcqg 8
  • 21/06/2024, 17:11
    240621-vqpecsscqk 8
  • 20/06/2024, 14:32
    240620-rwkftasdmc 8
  • 13/06/2024, 21:29
    240613-1cbh8svbkm 8
  • 13/06/2024, 21:24
    240613-z9bptszhke 8
  • 13/06/2024, 21:01
    240613-ztvsrszdre 8

Analysis

  • max time kernel
    30s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    21/06/2024, 17:11

General

  • Target
    VineMEMZ-Original.exe
  • Size
    39.6MB
  • MD5
    b949ba30eb82cc79eeb7c2d64f483bcb
  • SHA1
    8361089264726bb6cff752b3c137fde6d01f4d80
  • SHA256
    5f6a8f0e85704eb30340a872eec136623e57ab014b4dd165c68dd8cd76143923
  • SHA512
    e2acd4fe7627e55be3e019540269033f65d4954831a732d7a4bd50607260cd2a238832f604fa344f04be9f70e8757a9f2d797de37b440159a16bf3a6359a759b
  • SSDEEP
    786432:1fhwEXgLYTou24XbHzjkgV5bQAH/AbkP1hn0qPQPrhBPC7wYqljbdPIa:dqgb84DPn5vhbIPdZaWljbdPIa

Malware Config

Signatures

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 14 IoCs
  • Executes dropped EXE 5 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VineMEMZ-Original.exe
    "C:\Users\Admin\AppData\Local\Temp\VineMEMZ-Original.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5072
    • C:\Users\Admin\AppData\Roaming\MEMZ.exe
      "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Users\Admin\AppData\Roaming\MEMZ.exe
        /watchdog
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3408
      • C:\Users\Admin\AppData\Roaming\MEMZ.exe
        /watchdog
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4104
      • C:\Users\Admin\AppData\Roaming\MEMZ.exe
        /watchdog
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:580
      • C:\Users\Admin\AppData\Roaming\MEMZ.exe
        /main
        3⤵
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        • Sets desktop wallpaper using registry
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2424
        • C:\Windows\SysWOW64\notepad.exe
          "C:\Windows\System32\notepad.exe" \note.txt
          4⤵
            PID:2360
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004EC
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3120

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Data\2.bin
    • Filesize
      353KB
    • MD5
      8766dce04feb646bf62206d64d6eb0ba
    • SHA1
      91c5d588028c6c949e9cbcec950bcfaa35a791e4
    • SHA256
      f87e1ab69bef059744ee9244f37b0f21ef7d7b06fc5245094cfa22637ef6ae9d
    • SHA512
      0bc8fc880bb94ad55a732f2be207d88a6bb0ae8d97f91819e889d04420a71ae5d91af21861bad351c5fd7f4e944c1899b17df326bf19d310cc31a95fd38ee6a3
  • C:\Users\Admin\AppData\Roaming\Data\8.bin
    • Filesize
      408KB
    • MD5
      5ada580c290b53327fc8db29d5cd66c5
    • SHA1
      a504aff6a9fa93bf4ccb69df17b5238804c659f9
    • SHA256
      5dcf1f4b285a6dd70ec7acd77eeb5752a3d381a8a697eafd394fcde615f3ba63
    • SHA512
      36da1958e7b4fad5367b257d9343c4eab59d50b01c610514d48eae2d0eeabf7efd06dd8fc63551a0a7e11df91aa3ceb063003cdd9c30c6755431ba218524fd49
  • C:\Users\Admin\AppData\Roaming\MEMZ.exe
    • Filesize
      21KB
    • MD5
      5761ae6b5665092c45fc8e9292627f88
    • SHA1
      a7f18d7cf5438ee7dcb4e644163f495d3fa9c0ef
    • SHA256
      7acabca3631db2a73a5e20abd050097e44390ead1d74717aed936601904b73c2
    • SHA512
      1d743b407663e00a296c2ae45cb5a05a0866657afafbc9e8220e4c1839cbab2c09bf2a3510ec8016f902ccb7254edddf2a3412e7f5a4cafcabbeb5724a67b46e
  • C:\note.txt
    • Filesize
      133B
    • MD5
      910efec550edf98bf4f4e7ab50ca8f98
    • SHA1
      4571d44dc60e892fb22ccd0bc2c79c3553560742
    • SHA256
      7349f657a8d247fc778b7dd68e88bc8aba73bf2c399dc17deb2c9114c038430b
    • SHA512
      320de5e34c129dd4a742ff352cfe0be2fac5874b593631529e53d5fe513709ac01f5d1d3dfae659f36a2a33aae51534ec838f5d3748cd6d1230a0f3d29341442