Analysis
- max time kernel: 440s
- max time network: 441s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 11-08-2024 05:30
Static task: static1
General
- Target: ZappyXyim.bat
- Size: 2KB
- MD5: 20b8d1634542deafd73b6ad9562517ce
- SHA1: 5685e7b7208e5849da8a895999fa3d7eea613b9b
- SHA256: 22cee64f347b6809c6d45d2aa28c88e02cece8f8ca3a6017b3c0341180fb4bfb
- SHA512: 8a55eaa4c3472b93626d7d1cc3c08471e71e71580e7fa5288514d2e69bf7c92a8a0f309129d6c9ccb33838579d7414e7e3dd9fabadd0a5364a6b520b409b6a6e
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes:
    flow  pid  process
    3     876  powershell.exe
    4     876  powershell.exe
    5     876  powershell.exe
- Download via BitsAdmin (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid  process
    876  powershell.exe
    876  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid  process
    Token: SeDebugPrivilege  876  powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                       pid   process  target process
    PID 1492 wrote to memory of 876   1492  cmd.exe  powershell.exe
    PID 1492 wrote to memory of 876   1492  cmd.exe  powershell.exe
    PID 1492 wrote to memory of 1436  1492  cmd.exe  bitsadmin.exe
    PID 1492 wrote to memory of 1436  1492  cmd.exe  bitsadmin.exe
Processes
- C:\Windows\system32\cmd.exe (PID 1492)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ZappyXyim.bat"
  Signatures:
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 876)
    Command line: powershell -Command "try { Invoke-WebRequest -Uri 'https://github.com/git-for-windows/git/releases/latest/download/Git-2.41.0-64-bit.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\GitSetup.exe' } catch { exit 1 }"
    Signatures:
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\bitsadmin.exe (PID 1436)
    Command line: bitsadmin /transfer "GitDownloadJob" https://github.com/git-for-windows/git/releases/latest/download/Git-2.41.0-64-bit.exe C:\Users\Admin\AppData\Local\Temp\GitSetup.exe
    Signatures:
    - Download via BitsAdmin
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82