Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
155s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
12/10/2024, 19:24
Behavioral task
behavioral1
Sample
discord_youtube.bat
Resource
win11-20241007-en
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
service_discord_youtube.bat
Resource
win11-20241007-en
8 signatures
150 seconds
General
-
Target
discord_youtube.bat
-
Size
866B
-
MD5
fb41e984a0f58a55d057b062059a6ee1
-
SHA1
7bd17cddd02464e0ac4de1201fac889bd229bb1d
-
SHA256
2c8c88df4eaf172e0ef39b4d6adedc3aa9d3ad04d3767cde8cadf997606144be
-
SHA512
b8d488c5b92aa79a522376e4d4192c9c8fc822e66111324516552897ec68e9c00c5731295a49cedae97154dd5fffe40f7053dd224a93591c1d0138035c9d61ec
Score
5/10
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/3112-0-0x00007FFA95380000-0x00007FFA95692000-memory.dmp upx behavioral1/memory/3112-4-0x00007FFA95380000-0x00007FFA95692000-memory.dmp upx -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 672 Process not Found -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeRestorePrivilege 3112 winws.exe Token: SeBackupPrivilege 3112 winws.exe Token: SeDebugPrivilege 3112 winws.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4864 wrote to memory of 2664 4864 cmd.exe 80 PID 4864 wrote to memory of 2664 4864 cmd.exe 80 PID 4864 wrote to memory of 3112 4864 cmd.exe 81 PID 4864 wrote to memory of 3112 4864 cmd.exe 81
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\discord_youtube.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\system32\chcp.comchcp 650012⤵PID:2664
-
-
C:\Users\Admin\AppData\Local\Temp\bin\winws.exe"C:\Users\Admin\AppData\Local\Temp\bin\winws.exe" --wf-tcp=80,443 --wf-udp=443,50000-65535 --filter-udp=443 --hostlist="list-general.txt" --dpi-desync=fake --dpi-desync-udplen-increment=10 --dpi-desync-repeats=6 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\bin\quic_initial_www_google_com.bin" --new --filter-udp=50000-65535 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\bin\quic_initial_www_google_com.bin" --new --filter-tcp=80 --hostlist="list-general.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new --filter-tcp=443 --hostlist="list-general.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls="C:\Users\Admin\AppData\Local\Temp\bin\tls_clienthello_www_google_com.bin"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3112
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:996