Malware Analysis Report

2024-07-28 16:26

Sample ID 240621-vqpecsscqk
Target VineMEMZ-Original.exe
SHA256 5f6a8f0e85704eb30340a872eec136623e57ab014b4dd165c68dd8cd76143923
Tags
bootkit persistence ransomware
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

5f6a8f0e85704eb30340a872eec136623e57ab014b4dd165c68dd8cd76143923

Threat Level: Likely malicious

The file VineMEMZ-Original.exe was found to be: Likely malicious.

Malicious Activity Summary

bootkit persistence ransomware

Event Triggered Execution: Image File Execution Options Injection

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Sets desktop wallpaper using registry

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Techniques indicated by the signatures in this report:
T1546.012 Event Triggered Execution: Image File Execution Options Injection (Persistence, Privilege Escalation)
T1542.003 Pre-OS Boot: Bootkit (Persistence, Defense Evasion), from the PhysicalDrive0 write
T1491.001 Defacement: Internal Defacement (Impact), from the wallpaper change

Analysis: static1

Detonation Overview

Reported

2024-06-21 17:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 17:11

Reported

2024-06-21 17:12

Platform

win11-20240611-en

Max time kernel

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VineMEMZ-Original.exe"

Signatures

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rekt.exe" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "rekt.exe" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "rekt.exe" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shutdown.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shutdown.exe\Debugger = "rekt.exe" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rekt.exe" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe\Debugger = "rekt.exe" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rekt.exe" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
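What these rows mean: when an image has a Debugger value under its Image File Execution Options key, Windows launches the Debugger program instead, passing the original command line as an argument. No rekt.exe appears among the dropped files in this report, so the practical effect on the victim is that taskmgr.exe, taskkill.exe, mmc.exe, msconfig.exe, shutdown.exe, explorer.exe and logonui.exe fail to start, which blocks the obvious recovery actions. The following is an added example, not code from the sandbox or from the sample's author: it parses a constructed copy of the rows above, separates hijacks of recovery tools from the legitimate use of Debugger (a developer's JIT debugger on an arbitrary image, shown with a constructed myapp.exe row), and emits the reg.exe commands that remove the value. The watchlist, the sample rows that are not in the table above, and the live-registry helper are assumptions made for the example.

```python
import re
from typing import Dict, Iterable, List

IFEO_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample input: rows from the signature table above, plus two constructed
# rows (notepad.exe UseFilter, myapp.exe JIT debugger) that a detector must NOT flag.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rekt.exe"',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "rekt.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "rekt.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shutdown.exe\Debugger = "rekt.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rekt.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe\Debugger = "rekt.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rekt.exe"',
    # constructed: a non-Debugger IFEO value and a legitimate JIT debugger registration
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\UseFilter = "1"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe\Debugger = "C:\Windows\System32\vsjitdebugger.exe"',
]

# Only the Debugger value under an IFEO subkey redirects execution.
IFEO_DEBUGGER_RE = re.compile(
    r'\\Image File Execution Options\\(?P<image>[^\\]+)\\Debugger = "(?P<debugger>[^"]*)"',
    re.IGNORECASE,
)

# Constructed watchlist (assumption): images a user needs to inspect, kill, reconfigure
# or shut down a machine. A Debugger on any of these is hostile, whatever it points at.
RECOVERY_TOOLS = {
    "taskmgr.exe", "taskkill.exe", "mmc.exe", "msconfig.exe", "shutdown.exe",
    "explorer.exe", "logonui.exe", "regedit.exe", "cmd.exe", "powershell.exe",
}


def parse_ifeo_hijacks(events: Iterable[str]) -> Dict[str, str]:
    """Return {image_name: debugger} for every IFEO Debugger value in the event rows."""
    hijacks: Dict[str, str] = {}
    for line in events:
        m = IFEO_DEBUGGER_RE.search(line)
        if m:
            hijacks[m.group("image").lower()] = m.group("debugger")
    return hijacks


def triage(hijacks: Dict[str, str]) -> Dict[str, str]:
    """Keep hijacks of recovery tools; a Debugger on an arbitrary image may be legitimate."""
    return {img: dbg for img, dbg in hijacks.items() if img in RECOVERY_TOOLS}


def remediation_commands(hijacks: Dict[str, str]) -> List[str]:
    """reg.exe commands that delete only the Debugger value, leaving any other IFEO settings."""
    key = "HKLM\\" + IFEO_KEY
    return [f'reg delete "{key}\\{img}" /v Debugger /f' for img in sorted(hijacks)]


def scan_live_ifeo() -> Dict[str, str]:
    """Read Debugger values from a live Windows registry (read-only; Windows only)."""
    import winreg  # Windows-only module, imported lazily so the parser runs anywhere
    found: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            sub = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, sub) as k:
                    value, _ = winreg.QueryValueEx(k, "Debugger")
            except OSError:  # subkey carries no Debugger value
                continue
            found[sub.lower()] = str(value)
    return found


if __name__ == "__main__":
    hits = triage(parse_ifeo_hijacks(SAMPLE_EVENTS))
    for img, dbg in sorted(hits.items()):
        print(f"{img:<14} -> {dbg}")
    print("\n".join(remediation_commands(hits)))
```

On a live host, pass the output of scan_live_ifeo() to triage() instead of the sample rows; the 32-bit Wow6432Node view is not covered here, so check it separately on 64-bit systems.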

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
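\??\PhysicalDrive0 is the raw-disk device object; a process that opens it for writing can overwrite sector 0, the Master Boot Record, which is where the bootstrap code lives. The report does not include the bytes the sample wrote, so the added example below (not the sandbox's code and not the sample's payload) works on two constructed sectors: a baseline MBR with one bootable partition, and a tampered copy where only the 446 bytes of bootstrap code were replaced. The point it makes is that a valid 0x55AA signature and an intact partition table say nothing about the bootstrap code, so the check that catches a loader-replacing bootkit is a comparison against a known-good baseline hash, not a structural validation. The read_physical_drive0 helper, which needs an elevated Windows session, is an assumption and is not exercised offline.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
BOOTSTRAP_LEN = 446       # bytes 0..445: boot code, the part a bootkit replaces
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"   # bytes 510..511


def _partition_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build one 16-byte entry; CHS fields are left zero because modern loaders use LBA."""
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


# Constructed baseline: a short loader stub padded to 446 bytes, one bootable NTFS
# partition (type 0x07) starting at sector 2048, valid boot signature.
BASELINE_MBR = (
    b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb".ljust(BOOTSTRAP_LEN, b"\x00")
    + _partition_entry(0x80, 0x07, 2048, 1_048_576)
    + _partition_entry(0, 0, 0, 0) * 3
    + SIGNATURE
)

# Constructed tampered sector: bootstrap code swapped out, partition table and
# signature copied unchanged so the disk still looks well-formed.
TAMPERED_MBR = (
    (b"\xeb\x3c\x90" + b"BOOTKIT").ljust(BOOTSTRAP_LEN, b"\x90")
    + BASELINE_MBR[PART_TABLE_OFF:]
)


def parse_mbr(data: bytes) -> Dict:
    """Structural view of sector 0: signature, hash of the boot code, non-empty partitions."""
    if len(data) < SECTOR:
        raise ValueError(f"need {SECTOR} bytes, got {len(data)}")
    parts: List[Dict] = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            "<B3sB3sII", data, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "signature_ok": data[510:512] == SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(data[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": parts,
    }


def compare_mbr(baseline: bytes, current: bytes) -> List[str]:
    """Findings that separate a clean sector from a tampered one; empty list means unchanged."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings: List[str] = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["bootstrap_sha256"] != base["bootstrap_sha256"]:
        findings.append("bootstrap code differs from baseline")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def read_physical_drive0(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Assumption: Windows, elevated. Unbuffered read keeps the request sector-aligned."""
    with open(path, "rb", buffering=0) as disk:
        return disk.read(SECTOR)


if __name__ == "__main__":
    for name, blob in (("baseline", BASELINE_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(blob)
        print(name, "signature_ok =", info["signature_ok"], "partitions =", info["partitions"])
    print("findings:", compare_mbr(BASELINE_MBR, TAMPERED_MBR))
```

The baseline hash has to come from the machine's own clean state (a golden image or a sector captured at build time); on a UEFI/GPT disk sector 0 is only a protective MBR, and firmware-level tampering would need a different check.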

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\Data\\Pussy.png" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
(64 identical rows recorded, all from MEMZ.exe with no indicator or target captured)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Both rows are AUDIODG.EXE, the Windows audio engine host, adjusting its own token; the process in this signature is a Windows component, not the sample.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5072 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\VineMEMZ-Original.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe
PID 5072 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\VineMEMZ-Original.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe
PID 5072 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\VineMEMZ-Original.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe
PID 2316 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe
PID 2316 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe
PID 2316 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe
PID 2316 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe
PID 2316 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe
PID 2316 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe
PID 2316 wrote to memory of 580 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe
PID 2316 wrote to memory of 580 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe
PID 2316 wrote to memory of 580 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe
PID 2316 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe
PID 2316 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe
PID 2316 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe
PID 2424 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Windows\SysWOW64\notepad.exe
PID 2424 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Windows\SysWOW64\notepad.exe
PID 2424 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Windows\SysWOW64\notepad.exe
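The rows above are parent/child pairs, each logged three times by the sandbox, but the report presents them flat. Read together with the Processes section they show the sample's layout: VineMEMZ-Original.exe (5072) starts MEMZ.exe (2316), which starts four more copies of itself (matching the three /watchdog and one /main command lines), and the copy that writes into notepad.exe, 2424, is therefore the one that opened \note.txt. The following added example (not the sandbox's code) rebuilds that tree from a constructed copy of the rows and flags the fan-out heuristic a detection engineer would key on: one parent launching several children of its own image. The threshold of three is an assumption.

```python
import ntpath
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: the WriteProcessMemory rows above, with the sandbox's duplicates kept
# so the parser has to collapse them.
SAMPLE_ROWS = [
    r"PID 5072 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\VineMEMZ-Original.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe",
    r"PID 5072 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\VineMEMZ-Original.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe",
    r"PID 5072 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\VineMEMZ-Original.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe",
    r"PID 2316 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe",
    r"PID 2316 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe",
    r"PID 2316 wrote to memory of 580 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe",
    r"PID 2316 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe",
    r"PID 2424 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Windows\SysWOW64\notepad.exe",
]

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")


def parse_edges(rows) -> Tuple[Dict[int, Set[int]], Dict[int, str]]:
    """Return (parent -> set of children, pid -> image path), duplicates collapsed."""
    children: Dict[int, Set[int]] = defaultdict(set)
    image: Dict[int, str] = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        children[src].add(dst)
        image.setdefault(src, m.group(3))
        image.setdefault(dst, m.group(4))
    return dict(children), image


def roots(children: Dict[int, Set[int]]) -> List[int]:
    """Parents that are nobody's child: the process that started the chain."""
    all_children = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in all_children)


def render_tree(children, image, pid: int, depth: int = 0) -> List[str]:
    """Indented one-line-per-process view, children in PID order."""
    lines = [f"{'  ' * depth}{pid} {ntpath.basename(image.get(pid, '?'))}"]
    for child in sorted(children.get(pid, ())):
        lines.extend(render_tree(children, image, child, depth + 1))
    return lines


def self_spawn_fanout(children, image, min_children: int = 3) -> Dict[int, int]:
    """PIDs that launched >= min_children copies of their own image (watchdog pattern)."""
    hits: Dict[int, int] = {}
    for parent, kids in children.items():
        own = ntpath.basename(image.get(parent, "")).lower()
        same = [k for k in kids if ntpath.basename(image.get(k, "")).lower() == own]
        if own and len(same) >= min_children:
            hits[parent] = len(same)
    return hits


if __name__ == "__main__":
    children, image = parse_edges(SAMPLE_ROWS)
    for root in roots(children):
        print("\n".join(render_tree(children, image, root)))
    print("self-spawn fan-out:", self_spawn_fanout(children, image))
```

The same parser applies to Sysmon Event ID 1 or any EDR process-start feed once the regex is swapped for that source's parent/child fields; the fan-out check is a cheap first filter, not a verdict, since installers and browsers also fork copies of themselves.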

Processes

C:\Users\Admin\AppData\Local\Temp\VineMEMZ-Original.exe

"C:\Users\Admin\AppData\Local\Temp\VineMEMZ-Original.exe"

C:\Users\Admin\AppData\Roaming\MEMZ.exe

"C:\Users\Admin\AppData\Roaming\MEMZ.exe"

C:\Users\Admin\AppData\Roaming\MEMZ.exe

/watchdog

C:\Users\Admin\AppData\Roaming\MEMZ.exe

/watchdog

C:\Users\Admin\AppData\Roaming\MEMZ.exe

/watchdog

C:\Users\Admin\AppData\Roaming\MEMZ.exe

/main

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe" \note.txt

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004EC

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\MEMZ.exe

MD5 5761ae6b5665092c45fc8e9292627f88
SHA1 a7f18d7cf5438ee7dcb4e644163f495d3fa9c0ef
SHA256 7acabca3631db2a73a5e20abd050097e44390ead1d74717aed936601904b73c2
SHA512 1d743b407663e00a296c2ae45cb5a05a0866657afafbc9e8220e4c1839cbab2c09bf2a3510ec8016f902ccb7254edddf2a3412e7f5a4cafcabbeb5724a67b46e

C:\note.txt

MD5 910efec550edf98bf4f4e7ab50ca8f98
SHA1 4571d44dc60e892fb22ccd0bc2c79c3553560742
SHA256 7349f657a8d247fc778b7dd68e88bc8aba73bf2c399dc17deb2c9114c038430b
SHA512 320de5e34c129dd4a742ff352cfe0be2fac5874b593631529e53d5fe513709ac01f5d1d3dfae659f36a2a33aae51534ec838f5d3748cd6d1230a0f3d29341442

C:\Users\Admin\AppData\Roaming\Data\2.bin

MD5 8766dce04feb646bf62206d64d6eb0ba
SHA1 91c5d588028c6c949e9cbcec950bcfaa35a791e4
SHA256 f87e1ab69bef059744ee9244f37b0f21ef7d7b06fc5245094cfa22637ef6ae9d
SHA512 0bc8fc880bb94ad55a732f2be207d88a6bb0ae8d97f91819e889d04420a71ae5d91af21861bad351c5fd7f4e944c1899b17df326bf19d310cc31a95fd38ee6a3

C:\Users\Admin\AppData\Roaming\Data\8.bin

MD5 5ada580c290b53327fc8db29d5cd66c5
SHA1 a504aff6a9fa93bf4ccb69df17b5238804c659f9
SHA256 5dcf1f4b285a6dd70ec7acd77eeb5752a3d381a8a697eafd394fcde615f3ba63
SHA512 36da1958e7b4fad5367b257d9343c4eab59d50b01c610514d48eae2d0eeabf7efd06dd8fc63551a0a7e11df91aa3ceb063003cdd9c30c6755431ba218524fd49