Analysis Overview
SHA256
b00fcf44d39868b94c9c6816320d155edf5123501f34c2e7d23670638bb73414
Threat Level: Likely benign
The file b00fcf44d39868b94c9c6816320d155edf5123501f34c2e7d23670638bb73414 was found to be: Likely benign.
Malicious Activity Summary
UPX packed file
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-07 15:39
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-07 15:39
Reported
2024-11-07 15:42
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
143s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\WinDivert64.sys"
C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\WinDivert64.sys
"C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\WinDivert64.sys"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-07 15:39
Reported
2024-11-07 15:42
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\cygwin1.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/2932-0-0x00007FFBC7DB0000-0x00007FFBC80C2000-memory.dmp
memory/2932-2-0x00007FFBC7DB0000-0x00007FFBC80C2000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-07 15:39
Reported
2024-11-07 15:42
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe
"C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe"
Network
Files
memory/3004-0-0x000007FEF5ED0000-0x000007FEF61E2000-memory.dmp
memory/3004-1-0x0000000100400000-0x0000000100446000-memory.dmp
memory/3004-4-0x0000000062800000-0x0000000062813000-memory.dmp
memory/3004-2-0x0000000100400000-0x0000000100446000-memory.dmp
memory/3004-5-0x000007FEF5ED0000-0x000007FEF61E2000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-07 15:39
Reported
2024-11-07 15:42
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1740 wrote to memory of 3924 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 1740 wrote to memory of 3924 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 1740 wrote to memory of 4024 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe |
| PID 1740 wrote to memory of 4024 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\discord.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe
"C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe" --wf-tcp=443 --wf-udp=443,50000-65535 --filter-udp=443 --hostlist="list-discord.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-udplen-increment=10 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\quic_initial_www_google_com.bin" --new --filter-udp=50000-65535 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\quic_initial_www_google_com.bin" --new --filter-tcp=443 --hostlist="list-discord.txt" --dpi-desync=fake,split --dpi-desync-autottl=2 --dpi-desync-repeats=6 --dpi-desync-fooling=badseq --dpi-desync-fake-tls="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\tls_clienthello_www_google_com.bin"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
Files
memory/4024-0-0x00007FFEC9D70000-0x00007FFECA082000-memory.dmp
memory/4024-1-0x0000000100400000-0x0000000100446000-memory.dmp
memory/4024-4-0x0000000062800000-0x0000000062813000-memory.dmp
memory/4024-2-0x0000000100400000-0x0000000100446000-memory.dmp
memory/4024-5-0x00007FFEC9D70000-0x00007FFECA082000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-07 15:39
Reported
2024-11-07 15:42
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
137s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4552 wrote to memory of 3556 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 4552 wrote to memory of 3556 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_discord.bat"
C:\Windows\system32\chcp.com
chcp 65001
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 15:39
Reported
2024-11-07 15:42
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\WinDivert.dll",#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-07 15:39
Reported
2024-11-07 15:42
Platform
win7-20241023-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\cygwin1.dll",#1
Network
Files
memory/2556-0-0x000007FEF5A70000-0x000007FEF5D82000-memory.dmp
memory/2556-2-0x000007FEF5750000-0x000007FEF5A62000-memory.dmp
memory/2556-1-0x000007FEF5A70000-0x000007FEF5D82000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-07 15:39
Reported
2024-11-07 15:42
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1852 wrote to memory of 2332 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 1852 wrote to memory of 2332 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 1852 wrote to memory of 2332 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 1852 wrote to memory of 2344 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe |
| PID 1852 wrote to memory of 2344 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe |
| PID 1852 wrote to memory of 2344 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\discord.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe
"C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe" --wf-tcp=443 --wf-udp=443,50000-65535 --filter-udp=443 --hostlist="list-discord.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-udplen-increment=10 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\quic_initial_www_google_com.bin" --new --filter-udp=50000-65535 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\quic_initial_www_google_com.bin" --new --filter-tcp=443 --hostlist="list-discord.txt" --dpi-desync=fake,split --dpi-desync-autottl=2 --dpi-desync-repeats=6 --dpi-desync-fooling=badseq --dpi-desync-fake-tls="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\tls_clienthello_www_google_com.bin"
Network
Files
memory/2344-0-0x000007FEF6240000-0x000007FEF6552000-memory.dmp
memory/2344-1-0x0000000100400000-0x0000000100446000-memory.dmp
memory/2344-2-0x0000000100400000-0x0000000100446000-memory.dmp
memory/2344-5-0x000007FEF6240000-0x000007FEF6552000-memory.dmp
memory/2344-4-0x0000000062800000-0x0000000062813000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-07 15:39
Reported
2024-11-07 15:42
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2168 wrote to memory of 2376 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 2168 wrote to memory of 2376 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 2168 wrote to memory of 2376 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_discord.bat"
C:\Windows\system32\chcp.com
chcp 65001
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-07 15:39
Reported
2024-11-07 15:42
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2492 wrote to memory of 2276 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 2492 wrote to memory of 2276 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 2492 wrote to memory of 2276 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_remove.bat"
C:\Windows\system32\chcp.com
chcp 65001
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-07 15:39
Reported
2024-11-07 15:42
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1320 wrote to memory of 2460 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 1320 wrote to memory of 2460 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 1320 wrote to memory of 2460 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_general.bat"
C:\Windows\system32\chcp.com
chcp 65001
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-07 15:39
Reported
2024-11-07 15:42
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
144s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 316 wrote to memory of 1088 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 316 wrote to memory of 1088 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_general.bat"
C:\Windows\system32\chcp.com
chcp 65001
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-07 15:39
Reported
2024-11-07 15:42
Platform
win10v2004-20241007-en
Max time kernel
97s
Max time network
146s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2848 wrote to memory of 4400 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 2848 wrote to memory of 4400 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_goodbye_discord.bat"
C:\Windows\system32\chcp.com
chcp 65001
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.208.201.84.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-07 15:39
Reported
2024-11-07 15:42
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
136s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\WinDivert.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-07 15:39
Reported
2024-11-07 15:42
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
150s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe
"C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
Files
memory/5116-1-0x00007FFF26E10000-0x00007FFF27122000-memory.dmp
memory/5116-0-0x0000000100400000-0x0000000100446000-memory.dmp
memory/5116-4-0x0000000062800000-0x0000000062813000-memory.dmp
memory/5116-5-0x00007FFF26E10000-0x00007FFF27122000-memory.dmp
memory/5116-2-0x0000000100400000-0x0000000100446000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-07 15:39
Reported
2024-11-07 15:42
Platform
win7-20241010-en
Max time kernel
14s
Max time network
18s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2220 wrote to memory of 2028 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 2220 wrote to memory of 2028 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 2220 wrote to memory of 2028 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 2220 wrote to memory of 1740 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe |
| PID 2220 wrote to memory of 1740 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe |
| PID 2220 wrote to memory of 1740 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\general.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe
"C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe" --wf-tcp=80,443 --wf-udp=443,50000-65535 --filter-udp=443 --hostlist="list-general.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-udplen-increment=10 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\quic_initial_www_google_com.bin" --new --filter-udp=50000-65535 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\quic_initial_www_google_com.bin" --new --filter-tcp=80 --hostlist="list-general.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new --filter-tcp=443 --hostlist="list-general.txt" --dpi-desync=fake,split --dpi-desync-autottl=2 --dpi-desync-repeats=6 --dpi-desync-fooling=badseq --dpi-desync-fake-tls="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\tls_clienthello_www_google_com.bin"
Network
Files
memory/1740-0-0x000007FEF6B80000-0x000007FEF6E92000-memory.dmp
memory/1740-1-0x0000000100400000-0x0000000100446000-memory.dmp
memory/1740-5-0x000007FEF6B80000-0x000007FEF6E92000-memory.dmp
memory/1740-4-0x0000000062800000-0x0000000062813000-memory.dmp
memory/1740-2-0x0000000100400000-0x0000000100446000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-07 15:39
Reported
2024-11-07 15:42
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
136s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3316 wrote to memory of 2964 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 3316 wrote to memory of 2964 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 3316 wrote to memory of 2632 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe |
| PID 3316 wrote to memory of 2632 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\general.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe
"C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe" --wf-tcp=80,443 --wf-udp=443,50000-65535 --filter-udp=443 --hostlist="list-general.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-udplen-increment=10 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\quic_initial_www_google_com.bin" --new --filter-udp=50000-65535 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\quic_initial_www_google_com.bin" --new --filter-tcp=80 --hostlist="list-general.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new --filter-tcp=443 --hostlist="list-general.txt" --dpi-desync=fake,split --dpi-desync-autottl=2 --dpi-desync-repeats=6 --dpi-desync-fooling=badseq --dpi-desync-fake-tls="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\tls_clienthello_www_google_com.bin"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/2632-0-0x00007FF8C1650000-0x00007FF8C1962000-memory.dmp
memory/2632-1-0x0000000100400000-0x0000000100446000-memory.dmp
memory/2632-2-0x0000000100400000-0x0000000100446000-memory.dmp
memory/2632-4-0x0000000062800000-0x0000000062813000-memory.dmp
memory/2632-5-0x00007FF8C1650000-0x00007FF8C1962000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-07 15:39
Reported
2024-11-07 15:42
Platform
win7-20240708-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 620 wrote to memory of 1856 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 620 wrote to memory of 1856 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 620 wrote to memory of 1856 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_goodbye_discord.bat"
C:\Windows\system32\chcp.com
chcp 65001
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-07 15:39
Reported
2024-11-07 15:42
Platform
win10v2004-20241007-en
Max time kernel
100s
Max time network
135s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4796 wrote to memory of 5080 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 4796 wrote to memory of 5080 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_remove.bat"
C:\Windows\system32\chcp.com
chcp 65001
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |