hxxps://github[.]com/Dfmaaa/MEMZ-virus

Analysis

max time kernel
31s
max time network
42s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
02/08/2024, 20:14

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Dfmaaa/MEMZ-virus

Score

8^/10

bootkit defense_evasion discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
8	MEMZ.exe
6132	MEMZ.exe
876	MEMZ.exe
6120	MEMZ.exe
4520	MEMZ.exe
2000	MEMZ.exe
3024	MEMZ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
22	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5628	chrome.exe
5628	chrome.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe
6132	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5628	chrome.exe
5628	chrome.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	5628	chrome.exe
Token: SeCreatePagefilePrivilege	5628	chrome.exe
Token: SeShutdownPrivilege	6132	MEMZ.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe
5628	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4520	MEMZ.exe
6132	MEMZ.exe
6120	MEMZ.exe
876	MEMZ.exe
6120	MEMZ.exe
6132	MEMZ.exe
4520	MEMZ.exe
876	MEMZ.exe
876	MEMZ.exe
6132	MEMZ.exe
4520	MEMZ.exe
6120	MEMZ.exe
6120	MEMZ.exe
4520	MEMZ.exe
6132	MEMZ.exe
876	MEMZ.exe
6132	MEMZ.exe
876	MEMZ.exe
4520	MEMZ.exe
6120	MEMZ.exe
6132	MEMZ.exe
6120	MEMZ.exe
876	MEMZ.exe
4520	MEMZ.exe
6132	MEMZ.exe
6120	MEMZ.exe
876	MEMZ.exe
4520	MEMZ.exe
6132	MEMZ.exe
876	MEMZ.exe
4520	MEMZ.exe
6120	MEMZ.exe
6132	MEMZ.exe
4520	MEMZ.exe
876	MEMZ.exe
6120	MEMZ.exe
6132	MEMZ.exe
876	MEMZ.exe
6120	MEMZ.exe
4520	MEMZ.exe
6132	MEMZ.exe
4520	MEMZ.exe
6120	MEMZ.exe
876	MEMZ.exe
6132	MEMZ.exe
876	MEMZ.exe
4520	MEMZ.exe
6120	MEMZ.exe
6132	MEMZ.exe
4520	MEMZ.exe
6120	MEMZ.exe
876	MEMZ.exe
6132	MEMZ.exe
876	MEMZ.exe
6120	MEMZ.exe
4520	MEMZ.exe
6132	MEMZ.exe
4520	MEMZ.exe
6120	MEMZ.exe
876	MEMZ.exe
6132	MEMZ.exe
876	MEMZ.exe
6120	MEMZ.exe
4520	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5628 wrote to memory of 4460	5628	chrome.exe	80
PID 5628 wrote to memory of 4460	5628	chrome.exe	80
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 1424	5628	chrome.exe	81
PID 5628 wrote to memory of 3944	5628	chrome.exe	82
PID 5628 wrote to memory of 3944	5628	chrome.exe	82
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83
PID 5628 wrote to memory of 1176	5628	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Dfmaaa/MEMZ-virus
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa90ccc40,0x7ffaa90ccc4c,0x7ffaa90ccc58
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1816,i,429462571972732281,12770594526605203580,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1812 /prefetch:2
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2020,i,429462571972732281,12770594526605203580,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,429462571972732281,12770594526605203580,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2156 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2968,i,429462571972732281,12770594526605203580,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,429462571972732281,12770594526605203580,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4520,i,429462571972732281,12770594526605203580,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4528 /prefetch:8
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4932,i,429462571972732281,12770594526605203580,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4944,i,429462571972732281,12770594526605203580,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3080,i,429462571972732281,12770594526605203580,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5540
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:8
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:6132
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:876
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6120
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4520
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2000
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:3024
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:2932

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
bcfbf0f5f9d369482c33c4125c470851

SHA1
8c53ed39f7e6242d063cd35ad4461cc55541820d

SHA256
0317864b09684aee2779e25e418fce10928c8985ac0a0c14013da36efd1d2e0c

SHA512
9160d452cbd8e93b9b1c745a86f9a5cb6bad6a69b89df81d501039ef0fd763fc70dce7e8446c190e544c55634cb007f0bb461bb53a3189421ea4576cd0dfe1c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3fb07dc5a79b9a76d4f47e60a5441ee4

SHA1
9fe2ab6abbee6e5d5cf2fdd419963edb50c7c1a7

SHA256
ab49656601ad251730d582368c417a7d32700cafa487a4b2f948f902f2062172

SHA512
0453b10ad7eced1e555b38d03baadb52f83ddacee239dab5667b373d98816b9f139b200a2b464d9077ef8e626af0b3f32b8e6ce69b3c9afd412fd019b9185f2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
88a4b835c1ed2d7a53db2ee7a148b885

SHA1
94f4c3666a5cf85206483e7735659cffefe5645b

SHA256
64b915993289de42d72c55e415fe714ebc3b5d958798ee38b1fb4770b03dd85d

SHA512
eb288568d75d8efa8fe883016c434f58a9cf1bb3f3f61a3be1d5f3c99e128f95b92b921c1d6b9b520c70705cd7786e047e4215a353af213f60e37e6fed6a3b55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e6aa5cf97c96ceaad009ca0ea31e84cb

SHA1
3a43dfcfc2a2ae6404df96ac1cf68e56cc12bdeb

SHA256
f33bef56f0a3503ba4c496bfcfab4046cceea4be33c874cd49263cbcf948a2d9

SHA512
3ae8d3e8c66ae033e4a002de87bd9baa783ad306902d47d551dae15536ff1d33acd4546028db291bde5bbf2d0b82ec9ca91233a03e23ed03532f2d2090c9c1fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7d7e47c4d64f8127031b124056ec36c6

SHA1
cedf02889eb9e74ecf8436e3faf5acd854b683eb

SHA256
8ee006cdb9fe9474c5c1cc302d05145754467dcc3afaec137516ac5316f5de23

SHA512
79eeccba0f3a31323ae92fb089482a3da3cc888be5cfb10bbc261b6ad31368312378e2d4ccbea0e7702af9238c4065861065e5e8d52fba9cd2196e8c596fbb1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
2999817e7962207a5091a79e8f93edaf

SHA1
fde4ec03dfbca540e3108a7f2a6aefec9cb44400

SHA256
9749701bf7969edd8d4c0b4b5b1368c77d800fa7d3972b0229e03041f6fa9e14

SHA512
cf171e676870d95034d8c6dfcb2acca4f4f813cb5f28f467b7c1880756c209f623f1f2d431447343c63049dfd608acecf12f8484102f1209e13335cbd864c87e

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads