URL:

https://github.com/MEMZ-Virus-Download/MEMZ/releases

Full analysis: https://app.any.run/tasks/5330439c-aa16-4b7d-a02c-83e6044a377e
Verdict: Malicious activity
Analysis date: February 04, 2022, 21:56:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

89DBE7904BA54A3A0BDB5C730BA419F6

SHA1:

9505D7A6F241AFF66806298C6F54CE5C6C9ED93E

SHA256:

B6CA641F65A3617D41FBA079DE971449B63EF00559B9E6EB675E59C1E9D3A61A

SSDEEP:

3:N8tEd6jDIjLEE89o//h2n:2ueY+WMn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • MEMZ-Clean.exe (PID: 4072)
      • MEMZ.exe (PID: 3776)
      • MEMZ.exe (PID: 3424)
      • MEMZ.exe (PID: 1292)
      • MEMZ.exe (PID: 3740)
      • MEMZ.exe (PID: 2300)
      • MEMZ.exe (PID: 1292)
      • MEMZ.exe (PID: 1652)
      • MEMZ.exe (PID: 3004)
      • MEMZ.exe (PID: 568)
    • Drops executable file immediately after starts

      • cscript.exe (PID: 564)
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3720)
      • iexplore.exe (PID: 2624)
      • iexplore.exe (PID: 3208)
    • Checks supported languages

      • WinRAR.exe (PID: 1024)
      • MEMZ-Clean.exe (PID: 4072)
      • cscript.exe (PID: 564)
      • cmd.exe (PID: 1176)
      • MEMZ.exe (PID: 3424)
      • MEMZ.exe (PID: 3740)
      • MEMZ.exe (PID: 2300)
      • MEMZ.exe (PID: 1292)
      • MEMZ.exe (PID: 1652)
      • MEMZ.exe (PID: 568)
      • MEMZ.exe (PID: 3004)
    • Reads the computer name

      • WinRAR.exe (PID: 1024)
      • cscript.exe (PID: 564)
      • cmd.exe (PID: 1176)
      • MEMZ.exe (PID: 3424)
      • MEMZ.exe (PID: 568)
    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 1024)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1024)
      • cscript.exe (PID: 564)
    • Creates files in the user directory

      • cscript.exe (PID: 564)
    • Executes scripts

      • cmd.exe (PID: 1176)
    • Application launched itself

      • MEMZ.exe (PID: 3424)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 2624)
      • iexplore.exe (PID: 3208)
      • iexplore.exe (PID: 3720)
      • notepad.exe (PID: 2224)
    • Reads the computer name

      • iexplore.exe (PID: 3720)
      • iexplore.exe (PID: 2624)
      • iexplore.exe (PID: 3208)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3208)
      • iexplore.exe (PID: 2624)
      • iexplore.exe (PID: 3720)
    • Creates files in the user directory

      • iexplore.exe (PID: 3720)
      • iexplore.exe (PID: 2624)
      • iexplore.exe (PID: 3208)
    • Changes internet zones settings

      • iexplore.exe (PID: 3208)
    • Application launched itself

      • iexplore.exe (PID: 3208)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3208)
      • iexplore.exe (PID: 2624)
      • iexplore.exe (PID: 3720)
      • cscript.exe (PID: 564)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2624)
      • iexplore.exe (PID: 3720)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3208)
    • Reads the date of Windows installation

      • iexplore.exe (PID: 3208)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
56
Monitored processes
17
Malicious processes
1
Suspicious processes
3

Behavior graph

Click at the process to see the details
start drop and start iexplore.exe iexplore.exe iexplore.exe winrar.exe memz-clean.exe no specs cmd.exe no specs cscript.exe memz.exe no specs memz.exe no specs memz.exe memz.exe no specs memz.exe no specs memz.exe no specs memz.exe no specs memz.exe no specs memz.exe no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3208"C:\Program Files\Internet Explorer\iexplore.exe" "https://github.com/MEMZ-Virus-Download/MEMZ/releases"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
3720"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3208 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2624"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3208 CREDAT:4068619 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
1024"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\MEMZ.4.0.zip"C:\Program Files\WinRAR\WinRAR.exe
iexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
4072"C:\Users\admin\AppData\Local\Temp\Rar$EXa1024.253\MEMZ 4.0\MEMZ-Clean.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa1024.253\MEMZ 4.0\MEMZ-Clean.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa1024.253\memz 4.0\memz-clean.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
1176C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa1024.496\MEMZ-Destructive.bat" "C:\Windows\system32\cmd.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
564cscript x.js C:\Windows\system32\cscript.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft � Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1292"C:\Users\admin\AppData\Roaming\MEMZ.exe" C:\Users\admin\AppData\Roaming\MEMZ.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\roaming\memz.exe
c:\windows\system32\ntdll.dll
3776"C:\Users\admin\AppData\Roaming\MEMZ.exe" C:\Users\admin\AppData\Roaming\MEMZ.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\roaming\memz.exe
c:\windows\system32\ntdll.dll
3424"C:\Users\admin\AppData\Roaming\MEMZ.exe" C:\Users\admin\AppData\Roaming\MEMZ.exe
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\memz.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
22 372
Read events
22 114
Write events
257
Delete events
1

Modification events

(PID) Process:(3208) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(3208) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
483446864
(PID) Process:(3208) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
30939666
(PID) Process:(3208) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
783455614
(PID) Process:(3208) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30939666
(PID) Process:(3208) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3208) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3208) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3208) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3208) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
3
Suspicious files
26
Text files
156
Unknown types
14

Dropped files

PID
Process
Filename
Type
3720iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\qsml[1].htmxml
MD5:ACBF6331BD418BB7C17AD4A8B015481E
SHA256:EF6B495E59B4940ADC5D618C7692536308D7BE5340954FB1CC0000B00B98A38E
3720iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\38DQY2L7.txttext
MD5:2B5CDACF90BA33371CBCC29E0DD7F958
SHA256:FA358B6CAC934A5AB145AC128B6864C388C36127911F7CAC09D06B3654FBBFF7
3720iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\40YNSPYW.txttext
MD5:AF2DB5677564C78D3EF403FBD5EE9212
SHA256:B7E6B608E87E6EB269A4904E6022079910A32A70470F574EF94A19ED80A7428D
3208iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:2D60219813B16A8D4B3EB05D231E45C5
SHA256:BAE0E5169341F37F13A591D5D1D85074CD9DD6147B46B2BF6E63D9AF062C2ACF
3720iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\I8IUAD7F.txttext
MD5:BF6ADE3309DDD50D1B567ECE0C373A48
SHA256:6F4DAD9BB04A5465942444D03BBA8DBC026EBB55EBFF4C8838ECD61A55735AC7
3720iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\7H95PPVX.txttext
MD5:FC513F22111FCE9944270B5D7279611D
SHA256:862AC6DA22327CE2492E78199D92655316D61D720562DD8010B521AC9CCFA962
3720iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\qsml[1].htmxml
MD5:D716052F51B648120BB1D1911DC3D8F2
SHA256:1FD59A437872BAA63FBBEC8A2185B3A97238941EC669F1C373C956E903D91AD4
3720iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\qsml[1].xmlxml
MD5:D716052F51B648120BB1D1911DC3D8F2
SHA256:1FD59A437872BAA63FBBEC8A2185B3A97238941EC669F1C373C956E903D91AD4
3208iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[2].icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3208iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:B613B59BF833D273C5AE2BC6AE56AFDA
SHA256:FFDC4CBBE42E0DD566CD5461C48C4F23E8660D758E8BA7E6711FEAAF5156879C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
51
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3720
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D
US
der
471 b
whitelisted
3720
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTGMlruL6P9M9B3if1rTM7wyj%2FQKQQUUGGmoNI1xBEqII0fD6xC8M0pz0sCEA6L83cNktGW8Lth%2BTxBZr4%3D
US
der
279 b
whitelisted
3208
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
3720
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAZnA1u7FP1jr8DWqFNO%2FhY%3D
US
der
471 b
whitelisted
2624
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
3720
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
US
der
471 b
whitelisted
3208
iexplore.exe
GET
200
13.107.4.50:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?827d66014578e129
US
compressed
4.70 Kb
whitelisted
3208
iexplore.exe
GET
200
13.107.4.50:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5ece1ce4496c7b8b
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3208
iexplore.exe
13.107.21.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3720
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2624
iexplore.exe
13.107.21.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
13.107.21.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3720
iexplore.exe
13.107.5.80:443
api.bing.com
Microsoft Corporation
US
whitelisted
3208
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3208
iexplore.exe
13.107.4.50:80
ctldl.windowsupdate.com
Microsoft Corporation
US
whitelisted
2624
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
185.199.111.154:443
github.githubassets.com
GitHub, Inc.
NL
suspicious
3720
iexplore.exe
185.199.111.154:443
github.githubassets.com
GitHub, Inc.
NL
suspicious

DNS requests

Domain
IP
Reputation
github.com
  • 140.82.121.3
malicious
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 13.107.21.200
  • 204.79.197.200
whitelisted
ctldl.windowsupdate.com
  • 13.107.4.50
  • 8.248.131.254
  • 8.248.133.254
  • 8.248.141.254
  • 8.248.145.254
  • 67.27.157.254
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
login.microsoftonline.com
  • 20.190.160.2
  • 20.190.160.134
  • 20.190.160.136
  • 20.190.160.69
  • 20.190.160.129
  • 20.190.160.8
  • 20.190.160.6
  • 20.190.160.73
whitelisted
github.githubassets.com
  • 185.199.111.154
  • 185.199.110.154
  • 185.199.109.154
  • 185.199.108.154
whitelisted
avatars.githubusercontent.com
  • 185.199.109.133
  • 185.199.108.133
  • 185.199.110.133
  • 185.199.111.133
whitelisted
github-cloud.s3.amazonaws.com
  • 52.217.163.153
shared
user-images.githubusercontent.com
  • 185.199.110.133
  • 185.199.109.133
  • 185.199.108.133
  • 185.199.111.133
whitelisted

Threats

No threats detected
No debug info