d3ef86049ff983b3e0cb59b537aadf962de420570a23b5ee61d2fa3145fcf667

General

Target

KaneMEMZ.exe
Size

1.1MB
MD5

f7198a6161828d31781f77bbaa759bb7
SHA1

e9d3132fff5df2163c48c617421d6bf5b6e90f18
SHA256

d3ef86049ff983b3e0cb59b537aadf962de420570a23b5ee61d2fa3145fcf667
SHA512

74ef6cf7e19135f4c0eb90e4f284a5eca65de4c2fc18510ad9c61f9463653e3c80b40c15031208cf44f6762757d9cd7be7cc62eb5c1effccfd655f497a36fbba
SSDEEP

24576:YizhS0x6VkEx8ojX1NQX3eCH4xtp4jRtSCwZLn3VZzqnON20H:dJETQX1Yxti4T/

Score

7^/10

bootkit discovery persistence ransomware

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2348	MBR.exe
3632	T.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MBR.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\MEMZ.jpg"	KaneMEMZ.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	T.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KaneMEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MBR.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\WallpaperStyle = "2"	KaneMEMZ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\TileWallpaper = "2"	KaneMEMZ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3520	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3520	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
5108	KaneMEMZ.exe
5108	KaneMEMZ.exe
3632	T.exe
3632	T.exe
3632	T.exe
3632	T.exe
3632	T.exe
3632	T.exe
3632	T.exe
3632	T.exe
3632	T.exe
3632	T.exe
3632	T.exe
3632	T.exe
3632	T.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 2348	5108	KaneMEMZ.exe	95
PID 5108 wrote to memory of 2348	5108	KaneMEMZ.exe	95
PID 5108 wrote to memory of 2348	5108	KaneMEMZ.exe	95
PID 5108 wrote to memory of 4368	5108	KaneMEMZ.exe	96
PID 5108 wrote to memory of 4368	5108	KaneMEMZ.exe	96
PID 5108 wrote to memory of 4368	5108	KaneMEMZ.exe	96
PID 5108 wrote to memory of 3632	5108	KaneMEMZ.exe	98
PID 5108 wrote to memory of 3632	5108	KaneMEMZ.exe	98
PID 5108 wrote to memory of 3632	5108	KaneMEMZ.exe	98

C:\Users\Admin\AppData\Local\Temp\KaneMEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\KaneMEMZ.exe"
1⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Users\Admin\AppData\Local\Temp\MBR.exe
  C:\Users\Admin\AppData\Local\Temp\\MBR.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:2348
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe C:\Users\Admin\AppData\Local\Temp\\note.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4368
- C:\Users\Admin\AppData\Local\Temp\T.exe
  C:\Users\Admin\AppData\Local\Temp\\T.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3632

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc 0x518
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MBR.exe

Filesize
11KB

MD5
62e84719950c1e880337a2227170777b

SHA1
fbe18bb919391e75453cedc34bfd13f35a7874c9

SHA256
5b6c61fb89e825dddcf86fbe9c0c507409c141a92d9725b3cd0258207436597e

SHA512
22d2996f8a02c18303e49b41a6f44e0ea861f70a1cb0afff13b44ebce7038f420693060a860e4e863cf025f789ca05f5eb20c1269e77f3ba9bd16597c125acb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\T.exe

Filesize
83KB

MD5
a9ad6ca7d99a8ad21d7f197b5e82be06

SHA1
8ef7889957a8d086ad03994bda4a3cf04eb1afe5

SHA256
a1c3c84cc5943818fc3b321ba28bca076ee8aba91c33dac51695d9eb685e437c

SHA512
35e48422f9626006fcb9e6bf7ea44f3d9a615b4004ab407d46c02aae8475910722fadd9348a9b8f2181a2739c271a2b2f539d97fe799a4818b4fb81a1271d719

Download Submit
C:\Users\Admin\AppData\Local\Temp\note.txt

Filesize
266B

MD5
a8bab44204bfb44e32bbd92c354fee4e

SHA1
3f82017f8e72d77061e5b265d44a510fa9113a5a

SHA256
909a4793c5681687646f04d024c4741605dc11ab2f54956457417031965b05a6

SHA512
7014bfc27d21fd8f87ae453a3c974503d390e317efa526c121124fb1da7601dff399459d5a9d37a471c52a9e978d5191a06ed5a28645674013b6d058baa56db1

Download Submit
C:\Users\Admin\Desktop\MEMZ22027.jpg

Filesize
875B

MD5
b76b5675d91e9a9945e4b4b5bfb45942

SHA1
1e5cc4a895254de3b87dca4455a1ea5221bbfdcd

SHA256
43cbbfe3d93ad0aefd77ce3bd68fcde826f1dcf8eea5b551b24aefaf937bd43c

SHA512
cfacc0a8c8e791309ccaf1fd98fa84ab9dd084025d3c6140fa0402e28fea8eb221eff717218e268d4e549aed8e3e8dce545cf5b4ca1d19fdf1723ca11820b4de

Download Submit
memory/2348-7-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads