Overview

Static task: score 10

Behavioral tasks (sample, platform, score):

  stodio.bat   windows7-x64         1
  stodio.bat   windows10-2004-x64   1
  stodio.ps1   windows7-x64         1
  stodio.ps1   windows10-2004-x64   10
  stodio.vbs   windows7-x64         10
  stodio.vbs   windows10-2004-x64   3
  zilla.bat    windows7-x64         7
  zilla.bat    windows10-2004-x64   1
  zilla.ps1    windows7-x64         1
  zilla.ps1    windows10-2004-x64   1
  zilla.vbs    windows7-x64         1
  zilla.vbs    windows10-2004-x64   3
Analysis (this report: zilla.bat on windows7-x64, score 7)

  Max time kernel:   122s
  Max time network:  122s
  Platform:          windows7_x64
  Resource:          win7-20231130-en
  Resource tags:     arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
  Submitted:         05-12-2023 17:55
Tasks

  Static task: static1

  Behavioral task   Sample       Resource
  behavioral1       stodio.bat   win7-20231020-en
  behavioral2       stodio.bat   win10v2004-20231130-en
  behavioral3       stodio.ps1   win7-20231201-en
  behavioral4       stodio.ps1   win10v2004-20231130-en
  behavioral5       stodio.vbs   win7-20231201-en
  behavioral6       stodio.vbs   win10v2004-20231130-en
  behavioral7       zilla.bat    win7-20231130-en
  behavioral8       zilla.bat    win10v2004-20231127-en
  behavioral9       zilla.ps1    win7-20231023-en
  behavioral10      zilla.ps1    win10v2004-20231127-en
  behavioral11      zilla.vbs    win7-20231023-en
  behavioral12      zilla.vbs    win10v2004-20231127-en
General

  Target:  zilla.bat
  Size:    239B
  MD5:     fdfe802abefe653f23aeedf7762fa12a
  SHA1:    f5b98a87c74c2919b9e27871ea8b4c2ce8acfad2
  SHA256:  af3c368631fb276e5e2e97d082d0b1222ed0db7d327fc699f35106e071c7f33d
  SHA512:  97ab620c439f3c715788a59925c00d224d47d06a5d7eec1786d6bcb0d66523532cadef9703a0488a597fdae6bf14e1817f0678bff7b824282f7ff70b6920e217

Malware Config: none extracted
Signatures

  Suspicious behavior: EnumeratesProcesses (1 IoC)
    powershell.exe (PID 2212)

  Suspicious use of AdjustPrivilegeToken (1 IoC)
    powershell.exe (PID 2212) enabled SeDebugPrivilege in its own token

  Suspicious use of WriteProcessMemory (3 IoCs)
    cmd.exe (PID 2384) wrote to the memory of powershell.exe (PID 2212), three times

The three WriteProcessMemory IoCs are all the parent cmd.exe writing into the powershell.exe child it had just created, which is what CreateProcess does during process start-up; this signature here records the cmd.exe to powershell.exe launch, not injection into an unrelated process. The SeDebugPrivilege and process-enumeration hits both belong to the PowerShell script, not to the batch file itself.
Processes

  C:\Windows\system32\cmd.exe  (PID 2384)
    cmd /c "C:\Users\Admin\AppData\Local\Temp\zilla.bat"
    - Suspicious use of WriteProcessMemory
    |
    +-- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2212)
          powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\zilla.ps1'"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

The only action the 239-byte batch file exposes in this run is the launch of a hidden PowerShell window with the execution policy bypassed and the profile suppressed, invoking zilla.ps1 from C:\Users\Public, a directory any local user can write to. The script itself was submitted as a separate sample (behavioral9 and behavioral10), so the batch file is a loader for it rather than the payload.
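The process chain above is the kind of thing a detection engineer turns into a rule. The block below is an added example, not part of the sandbox report and not the sandbox's own detection logic: it scores Sysmon Event ID 1 style process-creation records for the pattern seen here (cmd.exe running a .bat from a user-writable staging directory, spawning powershell.exe with a hidden window, ExecutionPolicy Bypass, NoProfile, and a .ps1 under C:\Users\Public or similar). The events, the rule weights and the threshold are constructed for illustration; the first event mirrors the report's chain, the second uses PowerShell's abbreviated and slash-prefixed flag spellings (which the matcher normalises), and the third is a benign scheduled-task launch that should not fire.

```python
"""Score process-creation records for the cmd.exe -> hidden powershell.exe chain.

Added example: Sysmon Event ID 1 style fields, constructed events, assumed weights.
"""
import re

# Directories an unprivileged user can write to, used here as staging locations
# (the report's .bat sat in AppData\Local\Temp, its .ps1 in C:\Users\Public).
STAGING_DIRS = re.compile(r"\\(?:appdata\\local\\temp|users\\public|downloads|programdata)\\")

FLAG_THRESHOLD = 6  # assumed tuning value for this example, not from the report


def normalize(event):
    """Lower-case the fields we match on, fill in missing ones, and fold
    PowerShell's '/flag' spelling into '-flag' so variants score the same."""
    e = {k.lower(): str(v).lower() for k, v in event.items()}
    for k in ("parentimage", "parentcommandline", "image", "commandline"):
        e.setdefault(k, "")
    e["commandline"] = re.sub(r"(?:^|(?<=\s))/(?=\w)", "-", e["commandline"])
    return e


# (description, weight, predicate over a normalized event)
RULES = [
    ("parent cmd.exe runs a .bat/.cmd from a staging directory", 2,
     lambda e: e["parentimage"].endswith("\\cmd.exe")
     and re.search(r"\.(?:bat|cmd)\b", e["parentcommandline"])
     and STAGING_DIRS.search(e["parentcommandline"])),
    ("child is powershell.exe or pwsh.exe", 1,
     lambda e: e["image"].endswith(("\\powershell.exe", "\\pwsh.exe"))),
    # -WindowStyle may be abbreviated down to -w; Hidden is the value we care about.
    ("window hidden (-WindowStyle Hidden, also -w hidden)", 2,
     lambda e: re.search(r"(?:^|\s)-w\w*\s+hidden\b", e["commandline"])),
    # -ExecutionPolicy abbreviates to -ep/-ex/-exec; a bare -e is -EncodedCommand, so exclude it.
    ("execution policy bypassed (-ExecutionPolicy/-ep Bypass|Unrestricted)", 2,
     lambda e: re.search(r"(?:^|\s)-e[px]\w*\s+(?:bypass|unrestricted)\b", e["commandline"])),
    ("profile suppressed (-NoProfile/-nop)", 1,
     lambda e: re.search(r"(?:^|\s)-nop\w*\b", e["commandline"])),
    ("script run from a staging directory", 2,
     lambda e: re.search(r"\.ps1\b", e["commandline"]) and STAGING_DIRS.search(e["commandline"])),
]


def analyze(event):
    """Return the matched rule names, the summed weight and a flagged verdict."""
    e = normalize(event)
    hits = [name for name, _, pred in RULES if pred(e)]
    score = sum(w for name, w, _ in RULES if name in hits)
    return {"score": score, "hits": hits, "flagged": score >= FLAG_THRESHOLD}


# Constructed sample events (not telemetry from the report). EVENTS[0] mirrors the
# process tree above; EVENTS[1] is the same technique with short/slash flags;
# EVENTS[2] is a benign scheduled backup script.
EVENTS = [
    {
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'cmd /c "C:\Users\Admin\AppData\Local\Temp\zilla.bat"',
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'''powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\zilla.ps1'"''',
    },
    {
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'''powershell /nop /w hidden /ep bypass -c "& 'C:\Users\Public\update.ps1'"''',
    },
    {
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\Backup.ps1",
    },
]

if __name__ == "__main__":
    for ev in EVENTS:
        result = analyze(ev)
        print(result["score"], "FLAG" if result["flagged"] else "ok", ev["CommandLine"])
        for hit in result["hits"]:
            print("   +", hit)
```

The weights are deliberately additive rather than a single all-or-nothing match: the parent relationship alone is weak (cmd.exe spawning PowerShell is common in admin scripts), but hidden window plus ExecutionPolicy Bypass plus a script in a world-writable directory is the combination that distinguishes this loader from routine automation. Tune FLAG_THRESHOLD against your own baseline before deploying anything like this.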