Overview
overview
5Static
static
5䨪 ...rt.dll
windows7-x64
1䨪 ...rt.dll
windows10-2004-x64
1䨪 ...64.sys
windows10-2004-x64
1䨪 ...n1.dll
windows7-x64
5䨪 ...n1.dll
windows10-2004-x64
5䨪 ...ws.exe
windows7-x64
5䨪 ...ws.exe
windows10-2004-x64
5䨪 ...rd.bat
windows7-x64
5䨪 ...rd.bat
windows10-2004-x64
5䨪 ...be.bat
windows7-x64
5䨪 ...be.bat
windows10-2004-x64
5䨪 ...rd.bat
windows7-x64
1䨪 ...rd.bat
windows10-2004-x64
1䨪 ...be.bat
windows7-x64
1䨪 ...be.bat
windows10-2004-x64
1䨪 ...rd.bat
windows7-x64
1䨪 ...rd.bat
windows10-2004-x64
1䨪 ...ve.bat
windows7-x64
1䨪 ...ve.bat
windows10-2004-x64
1Analysis
-
max time kernel
122s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
13-10-2024 16:20
Behavioral task
behavioral1
Sample
䨪 + /bin/WinDivert.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
䨪 + /bin/WinDivert.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
䨪 + /bin/WinDivert64.sys
Resource
win10v2004-20241007-en
Behavioral task
behavioral4
Sample
䨪 + /bin/cygwin1.dll
Resource
win7-20240708-en
Behavioral task
behavioral5
Sample
䨪 + /bin/cygwin1.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral6
Sample
䨪 + /bin/winws.exe
Resource
win7-20241010-en
Behavioral task
behavioral7
Sample
䨪 + /bin/winws.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral8
Sample
䨪 + /discord.bat
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
䨪 + /discord.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral10
Sample
䨪 + /discord_youtube.bat
Resource
win7-20240708-en
Behavioral task
behavioral11
Sample
䨪 + /discord_youtube.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral12
Sample
䨪 + /service_discord.bat
Resource
win7-20241010-en
Behavioral task
behavioral13
Sample
䨪 + /service_discord.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral14
Sample
䨪 + /service_discord_youtube.bat
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
䨪 + /service_discord_youtube.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral16
Sample
䨪 + /service_goodbye_discord.bat
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
䨪 + /service_goodbye_discord.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral18
Sample
䨪 + /service_remove.bat
Resource
win7-20240729-en
Behavioral task
behavioral19
Sample
䨪 + /service_remove.bat
Resource
win10v2004-20241007-en
General
-
Target
䨪 + /discord_youtube.bat
-
Size
866B
-
MD5
fb41e984a0f58a55d057b062059a6ee1
-
SHA1
7bd17cddd02464e0ac4de1201fac889bd229bb1d
-
SHA256
2c8c88df4eaf172e0ef39b4d6adedc3aa9d3ad04d3767cde8cadf997606144be
-
SHA512
b8d488c5b92aa79a522376e4d4192c9c8fc822e66111324516552897ec68e9c00c5731295a49cedae97154dd5fffe40f7053dd224a93591c1d0138035c9d61ec
Malware Config
Signatures
-
resource yara_rule behavioral10/memory/1712-0-0x000007FEF6A10000-0x000007FEF6D22000-memory.dmp upx behavioral10/memory/1712-5-0x000007FEF6A10000-0x000007FEF6D22000-memory.dmp upx -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 472 Process not Found -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeRestorePrivilege 1712 winws.exe Token: SeBackupPrivilege 1712 winws.exe Token: SeDebugPrivilege 1712 winws.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2520 wrote to memory of 1852 2520 cmd.exe 31 PID 2520 wrote to memory of 1852 2520 cmd.exe 31 PID 2520 wrote to memory of 1852 2520 cmd.exe 31 PID 2520 wrote to memory of 1712 2520 cmd.exe 32 PID 2520 wrote to memory of 1712 2520 cmd.exe 32 PID 2520 wrote to memory of 1712 2520 cmd.exe 32
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\䨪 + \discord_youtube.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\system32\chcp.comchcp 650012⤵PID:1852
-
-
C:\Users\Admin\AppData\Local\Temp\䨪 + \bin\winws.exe"C:\Users\Admin\AppData\Local\Temp\䨪 + \bin\winws.exe" --wf-tcp=80,443 --wf-udp=443,50000-65535 --filter-udp=443 --hostlist="list-general.txt" --dpi-desync=fake --dpi-desync-udplen-increment=10 --dpi-desync-repeats=6 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\䨪 + \bin\quic_initial_www_google_com.bin" --new --filter-udp=50000-65535 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\䨪 + \bin\quic_initial_www_google_com.bin" --new --filter-tcp=80 --hostlist="list-general.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new --filter-tcp=443 --hostlist="list-general.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls="C:\Users\Admin\AppData\Local\Temp\䨪 + \bin\tls_clienthello_www_google_com.bin"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712
-