daf23fe9c7bf31cd3a54c81b9b719531e8a2635d7ba30b570dc0e4259222fc70

Analysis

max time kernel
13s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 15:05

Target

zapret-discord-youtube-main/discord_youtube.bat
Size

868B
MD5

d142d810c39ba859f5904d4cc3386eb2
SHA1

c6b5c3550698460dca3fa414cdafe01ab971cea8
SHA256

5a65fa4a71d1f759fb8f8f00f62ea3ad1470a6b863632ab0ae8cadce99addde7
SHA512

2a07d7546a7fd47f9de2338c94bfe3c23692e55de419fbca753dd01dd257e609a6d6ff48fbd221095dc5eac86e50fd9f3ed95893aa615486cf0a566f052bdc87

Score

5^/10

upx

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral8/memory/2872-0-0x000007FEF5CF0000-0x000007FEF6002000-memory.dmp	upx
behavioral8/memory/2872-5-0x000007FEF5CF0000-0x000007FEF6002000-memory.dmp	upx

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2872	2292	cmd.exe	30
PID 2292 wrote to memory of 2872	2292	cmd.exe	30
PID 2292 wrote to memory of 2872	2292	cmd.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\zapret-discord-youtube-main\discord_youtube.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\zapret-discord-youtube-main\winws.exe
  "C:\Users\Admin\AppData\Local\Temp\zapret-discord-youtube-main\winws.exe" --wf-tcp=80,443,50000-65535 --wf-udp=443,50000-65535 --filter-udp=443 --hostlist="C:\Users\Admin\AppData\Local\Temp\zapret-discord-youtube-main\list-general.txt" --dpi-desync=fake --dpi-desync-udplen-increment=10 --dpi-desync-repeats=6 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\zapret-discord-youtube-main\quic_initial_www_google_com.bin" --new --filter-udp=50000-65535 --dpi-desync=fake,tamper --dpi-desync-any-protocol --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\zapret-discord-youtube-main\quic_initial_www_google_com.bin" --new --filter-tcp=80 --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new --filter-tcp=443 --hostlist="C:\Users\Admin\AppData\Local\Temp\zapret-discord-youtube-main\list-general.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls="C:\Users\Admin\AppData\Local\Temp\zapret-discord-youtube-main\tls_clienthello_www_google_com.bin" --new --dpi-desync=fake,disorder2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2872

memory/2872-0-0x000007FEF5CF0000-0x000007FEF6002000-memory.dmp

Filesize
3.1MB

Download
memory/2872-1-0x0000000100400000-0x0000000100446000-memory.dmp

Filesize
280KB

Download
memory/2872-2-0x0000000100400000-0x0000000100446000-memory.dmp

Filesize
280KB

Download
memory/2872-5-0x000007FEF5CF0000-0x000007FEF6002000-memory.dmp

Filesize
3.1MB

Download
memory/2872-4-0x0000000062800000-0x0000000062813000-memory.dmp

Filesize
76KB

Download