Analysis
- max time kernel: 94s
- max time network: 97s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 12/10/2024, 19:24
Behavioral task: behavioral1
- Sample: discord_youtube.bat
- Resource: win11-20241007-en
- 4 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: service_discord_youtube.bat
- Resource: win11-20241007-en
- 8 signatures
- 150 seconds
General
- Target: service_discord_youtube.bat
- Size: 1KB
- MD5: 6457e714a70eb8ed34bdedfabe22a3b0
- SHA1: faaa36daee676eb6ff1a1e12f4577e509520fad0
- SHA256: f1312377f6ea6cbc873ff90a9fde5b17392f335c225c133754d05a40125b42cb
- SHA512: 0fefa9b8dad045025f2dc42d9d83e4e1d22d8f5df0fd6fd2be9d883c72f5dbd7a4392594108cc8a0f75d8dc7d519f2561e02b37a53762a96f320087de18a002a
- Score: 8/10
Malware Config
Signatures
- Creates new service(s) (2 TTPs)
- resource | yara_rule
  behavioral2/memory/564-0-0x00007FFE1CD30000-0x00007FFE1D042000-memory.dmp | upx
  behavioral2/memory/564-5-0x00007FFE1CD30000-0x00007FFE1D042000-memory.dmp | upx
- Launches sc.exe (4 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid | Process
  4152 | sc.exe
  5016 | sc.exe
  2960 | sc.exe
  740 | sc.exe
- Runs net.exe
- Suspicious behavior: LoadsDriver (1 IoCs)
  pid | Process
  676 | Process not Found
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege | 564 | winws.exe
  Token: SeBackupPrivilege | 564 | winws.exe
  Token: SeDebugPrivilege | 564 | winws.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 3904 wrote to memory of 1984 | 3904 | cmd.exe | 78
  PID 3904 wrote to memory of 1984 | 3904 | cmd.exe | 78
  PID 3904 wrote to memory of 1680 | 3904 | cmd.exe | 79
  PID 3904 wrote to memory of 1680 | 3904 | cmd.exe | 79
  PID 1680 wrote to memory of 4156 | 1680 | net.exe | 80
  PID 1680 wrote to memory of 4156 | 1680 | net.exe | 80
  PID 3904 wrote to memory of 4152 | 3904 | cmd.exe | 81
  PID 3904 wrote to memory of 4152 | 3904 | cmd.exe | 81
  PID 3904 wrote to memory of 5016 | 3904 | cmd.exe | 82
  PID 3904 wrote to memory of 5016 | 3904 | cmd.exe | 82
  PID 3904 wrote to memory of 740 | 3904 | cmd.exe | 83
  PID 3904 wrote to memory of 740 | 3904 | cmd.exe | 83
  PID 3904 wrote to memory of 2960 | 3904 | cmd.exe | 84
  PID 3904 wrote to memory of 2960 | 3904 | cmd.exe | 84
Processes
- C:\Windows\system32\cmd.exe (PID 3904; Suspicious use of WriteProcessMemory)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\service_discord_youtube.bat"
  - C:\Windows\system32\chcp.com (PID 1984)
    Command line: chcp 65001
  - C:\Windows\system32\net.exe (PID 1680; Suspicious use of WriteProcessMemory)
    Command line: net stop zapret
    - C:\Windows\system32\net1.exe (PID 4156)
      Command line: C:\Windows\system32\net1 stop zapret
  - C:\Windows\system32\sc.exe (PID 4152; Launches sc.exe)
    Command line: sc delete zapret
  - C:\Windows\system32\sc.exe (PID 5016; Launches sc.exe)
    Command line: sc create zapret binPath= "\"C:\Users\Admin\AppData\Local\Temp\bin\winws.exe\" --wf-tcp=80,443 --wf-udp=443,50000-65535 --filter-udp=443 --hostlist=\"C:\Users\Admin\AppData\Local\Temp\list-general.txt\" --dpi-desync=fake --dpi-desync-udplen-increment=10 --dpi-desync-repeats=6 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic=\"C:\Users\Admin\AppData\Local\Temp\bin\quic_initial_www_google_com.bin\" --new --filter-udp=50000-65535 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-fake-quic=\"C:\Users\Admin\AppData\Local\Temp\bin\quic_initial_www_google_com.bin\" --new --filter-tcp=80 --hostlist=\"C:\Users\Admin\AppData\Local\Temp\list-general.txt\" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new --filter-tcp=443 --hostlist=\"C:\Users\Admin\AppData\Local\Temp\list-general.txt\" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls=\"C:\Users\Admin\AppData\Local\Temp\bin\tls_clienthello_www_google_com.bin\"" DisplayName= "zapret DPI bypass : zapret" start= auto
  - C:\Windows\system32\sc.exe (PID 740; Launches sc.exe)
    Command line: sc description zapret "zapret DPI bypass software"
  - C:\Windows\system32\sc.exe (PID 2960; Launches sc.exe)
    Command line: sc start zapret
- C:\Users\Admin\AppData\Local\Temp\bin\winws.exe (PID 564; Suspicious use of AdjustPrivilegeToken)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bin\winws.exe" --wf-tcp=80,443 --wf-udp=443,50000-65535 --filter-udp=443 --hostlist="C:\Users\Admin\AppData\Local\Temp\list-general.txt" --dpi-desync=fake --dpi-desync-udplen-increment=10 --dpi-desync-repeats=6 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\bin\quic_initial_www_google_com.bin" --new --filter-udp=50000-65535 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\bin\quic_initial_www_google_com.bin" --new --filter-tcp=80 --hostlist="C:\Users\Admin\AppData\Local\Temp\list-general.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new --filter-tcp=443 --hostlist="C:\Users\Admin\AppData\Local\Temp\list-general.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls="C:\Users\Admin\AppData\Local\Temp\bin\tls_clienthello_www_google_com.bin"