c3ca22229ddec34ef4b740ccb18e6241d4a1ad4bf218960ae1a24828bb42eb77

Resubmissions

12/10/2024, 19:24

12/10/2024, 19:03

max time kernel
147s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12/10/2024, 19:24

Target

discord_youtube.bat
Size

866B
MD5

fb41e984a0f58a55d057b062059a6ee1
SHA1

7bd17cddd02464e0ac4de1201fac889bd229bb1d
SHA256

2c8c88df4eaf172e0ef39b4d6adedc3aa9d3ad04d3767cde8cadf997606144be
SHA512

b8d488c5b92aa79a522376e4d4192c9c8fc822e66111324516552897ec68e9c00c5731295a49cedae97154dd5fffe40f7053dd224a93591c1d0138035c9d61ec

Score

5^/10

upx

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/3112-0-0x00007FFA95380000-0x00007FFA95692000-memory.dmp	upx
behavioral1/memory/3112-4-0x00007FFA95380000-0x00007FFA95692000-memory.dmp	upx

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
672	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 2664	4864	cmd.exe	80
PID 4864 wrote to memory of 2664	4864	cmd.exe	80
PID 4864 wrote to memory of 3112	4864	cmd.exe	81
PID 4864 wrote to memory of 3112	4864	cmd.exe	81

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\discord_youtube.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2664
- C:\Users\Admin\AppData\Local\Temp\bin\winws.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\winws.exe" --wf-tcp=80,443 --wf-udp=443,50000-65535 --filter-udp=443 --hostlist="list-general.txt" --dpi-desync=fake --dpi-desync-udplen-increment=10 --dpi-desync-repeats=6 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\bin\quic_initial_www_google_com.bin" --new --filter-udp=50000-65535 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\bin\quic_initial_www_google_com.bin" --new --filter-tcp=80 --hostlist="list-general.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new --filter-tcp=443 --hostlist="list-general.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls="C:\Users\Admin\AppData\Local\Temp\bin\tls_clienthello_www_google_com.bin"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3112

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:996

memory/3112-0-0x00007FFA95380000-0x00007FFA95692000-memory.dmp

Filesize
3.1MB

Download
memory/3112-1-0x0000000100400000-0x0000000100446000-memory.dmp

Filesize
280KB

Download
memory/3112-4-0x00007FFA95380000-0x00007FFA95692000-memory.dmp

Filesize
3.1MB

Download
memory/3112-3-0x0000000062800000-0x0000000062813000-memory.dmp

Filesize
76KB

Download
memory/3112-2-0x0000000100400000-0x0000000100446000-memory.dmp

Filesize
280KB

Download