Malware Analysis Report

2025-08-05 10:33

Sample ID 241107-s325waxmhq
Target b00fcf44d39868b94c9c6816320d155edf5123501f34c2e7d23670638bb73414
SHA256 b00fcf44d39868b94c9c6816320d155edf5123501f34c2e7d23670638bb73414
Tags
upx
score
5/10

Analysis Overview

score
5/10

SHA256

b00fcf44d39868b94c9c6816320d155edf5123501f34c2e7d23670638bb73414

Threat Level: Likely benign

The file b00fcf44d39868b94c9c6816320d155edf5123501f34c2e7d23670638bb73414 was found to be: Likely benign.

Malicious Activity Summary

upx

UPX packed file

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-07 15:39

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-07 15:39

Reported

2024-11-07 15:42

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

143s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\WinDivert64.sys"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\WinDivert64.sys"

C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\WinDivert64.sys

"C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\WinDivert64.sys"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-07 15:39

Reported

2024-11-07 15:42

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\cygwin1.dll",#1

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\cygwin1.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/2932-0-0x00007FFBC7DB0000-0x00007FFBC80C2000-memory.dmp

memory/2932-2-0x00007FFBC7DB0000-0x00007FFBC80C2000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-07 15:39

Reported

2024-11-07 15:42

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe"

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe

"C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe"

Network

N/A

Files

memory/3004-0-0x000007FEF5ED0000-0x000007FEF61E2000-memory.dmp

memory/3004-1-0x0000000100400000-0x0000000100446000-memory.dmp

memory/3004-4-0x0000000062800000-0x0000000062813000-memory.dmp

memory/3004-2-0x0000000100400000-0x0000000100446000-memory.dmp

memory/3004-5-0x000007FEF5ED0000-0x000007FEF61E2000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-07 15:39

Reported

2024-11-07 15:42

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\discord.bat"

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\discord.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe

"C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe" --wf-tcp=443 --wf-udp=443,50000-65535 --filter-udp=443 --hostlist="list-discord.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-udplen-increment=10 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\quic_initial_www_google_com.bin" --new --filter-udp=50000-65535 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\quic_initial_www_google_com.bin" --new --filter-tcp=443 --hostlist="list-discord.txt" --dpi-desync=fake,split --dpi-desync-autottl=2 --dpi-desync-repeats=6 --dpi-desync-fooling=badseq --dpi-desync-fake-tls="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\tls_clienthello_www_google_com.bin"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp

Files

memory/4024-0-0x00007FFEC9D70000-0x00007FFECA082000-memory.dmp

memory/4024-1-0x0000000100400000-0x0000000100446000-memory.dmp

memory/4024-4-0x0000000062800000-0x0000000062813000-memory.dmp

memory/4024-2-0x0000000100400000-0x0000000100446000-memory.dmp

memory/4024-5-0x00007FFEC9D70000-0x00007FFECA082000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-07 15:39

Reported

2024-11-07 15:42

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

137s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_discord.bat"

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4552 wrote to memory of 3556 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4552 wrote to memory of 3556 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_discord.bat"

C:\Windows\system32\chcp.com

chcp 65001

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 15:39

Reported

2024-11-07 15:42

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\WinDivert.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\WinDivert.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-07 15:39

Reported

2024-11-07 15:42

Platform

win7-20241023-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\cygwin1.dll",#1

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\cygwin1.dll",#1

Network

N/A

Files

memory/2556-0-0x000007FEF5A70000-0x000007FEF5D82000-memory.dmp

memory/2556-2-0x000007FEF5750000-0x000007FEF5A62000-memory.dmp

memory/2556-1-0x000007FEF5A70000-0x000007FEF5D82000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-07 15:39

Reported

2024-11-07 15:42

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\discord.bat"

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\discord.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe

"C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe" --wf-tcp=443 --wf-udp=443,50000-65535 --filter-udp=443 --hostlist="list-discord.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-udplen-increment=10 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\quic_initial_www_google_com.bin" --new --filter-udp=50000-65535 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\quic_initial_www_google_com.bin" --new --filter-tcp=443 --hostlist="list-discord.txt" --dpi-desync=fake,split --dpi-desync-autottl=2 --dpi-desync-repeats=6 --dpi-desync-fooling=badseq --dpi-desync-fake-tls="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\tls_clienthello_www_google_com.bin"

Network

N/A

Files

memory/2344-0-0x000007FEF6240000-0x000007FEF6552000-memory.dmp

memory/2344-1-0x0000000100400000-0x0000000100446000-memory.dmp

memory/2344-2-0x0000000100400000-0x0000000100446000-memory.dmp

memory/2344-5-0x000007FEF6240000-0x000007FEF6552000-memory.dmp

memory/2344-4-0x0000000062800000-0x0000000062813000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-07 15:39

Reported

2024-11-07 15:42

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_discord.bat"

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2168 wrote to memory of 2376 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2168 wrote to memory of 2376 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2168 wrote to memory of 2376 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_discord.bat"

C:\Windows\system32\chcp.com

chcp 65001

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-07 15:39

Reported

2024-11-07 15:42

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_remove.bat"

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2492 wrote to memory of 2276 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2492 wrote to memory of 2276 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2492 wrote to memory of 2276 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_remove.bat"

C:\Windows\system32\chcp.com

chcp 65001

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-07 15:39

Reported

2024-11-07 15:42

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_general.bat"

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1320 wrote to memory of 2460 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1320 wrote to memory of 2460 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1320 wrote to memory of 2460 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_general.bat"

C:\Windows\system32\chcp.com

chcp 65001

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-07 15:39

Reported

2024-11-07 15:42

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

144s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_general.bat"

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 316 wrote to memory of 1088 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 316 wrote to memory of 1088 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_general.bat"

C:\Windows\system32\chcp.com

chcp 65001

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-07 15:39

Reported

2024-11-07 15:42

Platform

win10v2004-20241007-en

Max time kernel

97s

Max time network

146s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_goodbye_discord.bat"

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2848 wrote to memory of 4400 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2848 wrote to memory of 4400 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_goodbye_discord.bat"

C:\Windows\system32\chcp.com

chcp 65001

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.208.201.84.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 15:39

Reported

2024-11-07 15:42

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

136s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\WinDivert.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\WinDivert.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 75.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-07 15:39

Reported

2024-11-07 15:42

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe"

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe

"C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp

Files

memory/5116-1-0x00007FFF26E10000-0x00007FFF27122000-memory.dmp

memory/5116-0-0x0000000100400000-0x0000000100446000-memory.dmp

memory/5116-4-0x0000000062800000-0x0000000062813000-memory.dmp

memory/5116-5-0x00007FFF26E10000-0x00007FFF27122000-memory.dmp

memory/5116-2-0x0000000100400000-0x0000000100446000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-07 15:39

Reported

2024-11-07 15:42

Platform

win7-20241010-en

Max time kernel

14s

Max time network

18s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\general.bat"

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\general.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe

"C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe" --wf-tcp=80,443 --wf-udp=443,50000-65535 --filter-udp=443 --hostlist="list-general.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-udplen-increment=10 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\quic_initial_www_google_com.bin" --new --filter-udp=50000-65535 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\quic_initial_www_google_com.bin" --new --filter-tcp=80 --hostlist="list-general.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new --filter-tcp=443 --hostlist="list-general.txt" --dpi-desync=fake,split --dpi-desync-autottl=2 --dpi-desync-repeats=6 --dpi-desync-fooling=badseq --dpi-desync-fake-tls="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\tls_clienthello_www_google_com.bin"

Network

N/A

Files

memory/1740-0-0x000007FEF6B80000-0x000007FEF6E92000-memory.dmp

memory/1740-1-0x0000000100400000-0x0000000100446000-memory.dmp

memory/1740-5-0x000007FEF6B80000-0x000007FEF6E92000-memory.dmp

memory/1740-4-0x0000000062800000-0x0000000062813000-memory.dmp

memory/1740-2-0x0000000100400000-0x0000000100446000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-07 15:39

Reported

2024-11-07 15:42

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

136s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\general.bat"

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe | N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\general.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe

"C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\winws.exe" --wf-tcp=80,443 --wf-udp=443,50000-65535 --filter-udp=443 --hostlist="list-general.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-udplen-increment=10 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\quic_initial_www_google_com.bin" --new --filter-udp=50000-65535 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\quic_initial_www_google_com.bin" --new --filter-tcp=80 --hostlist="list-general.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new --filter-tcp=443 --hostlist="list-general.txt" --dpi-desync=fake,split --dpi-desync-autottl=2 --dpi-desync-repeats=6 --dpi-desync-fooling=badseq --dpi-desync-fake-tls="C:\Users\Admin\AppData\Local\Temp\обходик — копия\bin\tls_clienthello_www_google_com.bin"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/2632-0-0x00007FF8C1650000-0x00007FF8C1962000-memory.dmp

memory/2632-1-0x0000000100400000-0x0000000100446000-memory.dmp

memory/2632-2-0x0000000100400000-0x0000000100446000-memory.dmp

memory/2632-4-0x0000000062800000-0x0000000062813000-memory.dmp

memory/2632-5-0x00007FF8C1650000-0x00007FF8C1962000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-07 15:39

Reported

2024-11-07 15:42

Platform

win7-20240708-en

Max time kernel

118s

Max time network

118s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_goodbye_discord.bat"

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 620 wrote to memory of 1856 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 620 wrote to memory of 1856 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 620 wrote to memory of 1856 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_goodbye_discord.bat"

C:\Windows\system32\chcp.com

chcp 65001

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-07 15:39

Reported

2024-11-07 15:42

Platform

win10v2004-20241007-en

Max time kernel

100s

Max time network

135s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_remove.bat"

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4796 wrote to memory of 5080 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4796 wrote to memory of 5080 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\обходик — копия\service_remove.bat"

C:\Windows\system32\chcp.com

chcp 65001

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A