acfd8e0557e2efc01d981221e5e5e0fcd68f7231a72d3d46361294d9df43d984

General

Target

zippyuploader.bat
Size

107B
MD5

0fac231074f90878c2283b2561ed906c
SHA1

2c3421f0a6c20b8c6fb07ffe62526438a5169194
SHA256

acfd8e0557e2efc01d981221e5e5e0fcd68f7231a72d3d46361294d9df43d984
SHA512

fdc5f227244f4e0a76356aba17e38823e0e9bb0ffc344ce07b6bc9282c7192c08a9cbd42d157d13be0c378c9678aec4ea1ea6c7d663d21e732a73a2ceb6159b9

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

bad.exe

pid process

3064 bad.exe

pid	process
3064	bad.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\bad.exe	upx
C:\Users\Admin\AppData\Local\Temp\bad.exe	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 33 IoCs

Processes:

bad.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	bad.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings	bad.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	bad.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	bad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	bad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	bad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	bad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	bad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	bad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	bad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	bad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	bad.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	bad.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	bad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	bad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	bad.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	bad.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	bad.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	bad.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	bad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	bad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	bad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	bad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	bad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	bad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	bad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	bad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e80922b16d365937a46956b92703aca08af0000	bad.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	bad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193"	bad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	bad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	bad.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	bad.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

bad.exe

pid process

3064 bad.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

bad.exe

pid process

3064 bad.exe
3064 bad.exe
3064 bad.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

bad.exe

pid process

3064 bad.exe
3064 bad.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

bad.exe

pid process

3064 bad.exe
3064 bad.exe
3064 bad.exe
3064 bad.exe
3064 bad.exe
3064 bad.exe
3064 bad.exe
3064 bad.exe

pid	process
3064	bad.exe

pid	process
3064	bad.exe
3064	bad.exe
3064	bad.exe

pid	process
3064	bad.exe
3064	bad.exe

pid	process
3064	bad.exe
3064	bad.exe
3064	bad.exe
3064	bad.exe
3064	bad.exe
3064	bad.exe
3064	bad.exe
3064	bad.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 3584 wrote to memory of 3896	3584	cmd.exe	certutil.exe
PID 3584 wrote to memory of 3896	3584	cmd.exe	certutil.exe
PID 3584 wrote to memory of 3064	3584	cmd.exe	bad.exe
PID 3584 wrote to memory of 3064	3584	cmd.exe	bad.exe
PID 3584 wrote to memory of 3064	3584	cmd.exe	bad.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\zippyuploader.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\system32\certutil.exe
certutil.exe -urlcache -f https://www.zippyshare.com/zippyuploader/ZippyUploader.exe bad.exe
2⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\bad.exe
bad.exe
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3064

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bad.exe

MD5
ed323324bff4fbe54be6040ef429862c

SHA1
2182d6953bc33050d44ca585ca3e6e64cd0a6864

SHA256
88184dea2107e5fc67d1901391963b4b7a94381407c9fbb20936269acff6c442

SHA512
72511481199722a7d31ff3a50ac0a9f9126f8d124c22f1bb0457a43466ee2263c1bd5012209ee2f426dfcc17645842098e2594321eae3562dde86b25ade6831b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bad.exe

MD5
ed323324bff4fbe54be6040ef429862c

SHA1
2182d6953bc33050d44ca585ca3e6e64cd0a6864

SHA256
88184dea2107e5fc67d1901391963b4b7a94381407c9fbb20936269acff6c442

SHA512
72511481199722a7d31ff3a50ac0a9f9126f8d124c22f1bb0457a43466ee2263c1bd5012209ee2f426dfcc17645842098e2594321eae3562dde86b25ade6831b

Download Submit
memory/3064-116-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads