daf23fe9c7bf31cd3a54c81b9b719531e8a2635d7ba30b570dc0e4259222fc70

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 15:05

Target

zapret-discord-youtube-main/service_remove.bat
Size

65B
MD5

2b13379ee5f8beb73328aaad75595a37
SHA1

c6684a0bf1df59e315c97d0f3ef677937aaefd71
SHA256

f014eadf2e5b66b44cf2806bfa06ce91f156f86f823e7a6be279bb757a9103f7
SHA512

faa5c34d60b987611bf76be6cfcec1bc3452f1a89aba1f081bb0ed8ba4b8d6f1502105a54143d10b31bc41958ec79a84d16611618e55c8b40a551e7ceb621fb4

Score

8^/10

evasion execution

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4224	sc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 1856	4248	cmd.exe	84
PID 4248 wrote to memory of 1856	4248	cmd.exe	84
PID 1856 wrote to memory of 3932	1856	net.exe	85
PID 1856 wrote to memory of 3932	1856	net.exe	85
PID 4248 wrote to memory of 4224	4248	cmd.exe	87
PID 4248 wrote to memory of 4224	4248	cmd.exe	87

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\zapret-discord-youtube-main\service_remove.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Windows\system32\net.exe
  net stop "zapret"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "zapret"
    3⤵
    PID:3932
- C:\Windows\system32\sc.exe
  sc delete "zapret"
  2⤵
  - Launches sc.exe
  PID:4224