6340e23e4c3bdebc2accf31f84539e84ca37a2bbcadd16c86d35621723f2024f

Analysis

max time kernel
15s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zapret-discord-youtube-main/general (ALT).bat
Size

881B
MD5

f1f093d295672e44ba0e9c160517ce2b
SHA1

c39c995961b18082d27f93aee7da26c9db6e0591
SHA256

c6c4fcc026faa76ba0fbe5e09ad852152f98710fc69652bb95633c08fb345ed3
SHA512

bbaf66e31c246e19c1e0ebbd8ac2090c7ec6be9518f0ef86f0952b7ee053ae70bbe7a611e91147fc6094c31dd25e85e9ece93f2ef326abe9aa87b67b4d51446e

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2764	powershell.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2692	sc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2764	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeRestorePrivilege	2568	winws.exe
Token: SeBackupPrivilege	2568	winws.exe
Token: SeDebugPrivilege	2568	winws.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2192	3040	cmd.exe	32
PID 3040 wrote to memory of 2192	3040	cmd.exe	32
PID 3040 wrote to memory of 2192	3040	cmd.exe	32
PID 3040 wrote to memory of 2652	3040	cmd.exe	33
PID 3040 wrote to memory of 2652	3040	cmd.exe	33
PID 3040 wrote to memory of 2652	3040	cmd.exe	33
PID 3040 wrote to memory of 2684	3040	cmd.exe	34
PID 3040 wrote to memory of 2684	3040	cmd.exe	34
PID 3040 wrote to memory of 2684	3040	cmd.exe	34
PID 2684 wrote to memory of 2692	2684	cmd.exe	35
PID 2684 wrote to memory of 2692	2684	cmd.exe	35
PID 2684 wrote to memory of 2692	2684	cmd.exe	35
PID 2684 wrote to memory of 2744	2684	cmd.exe	36
PID 2684 wrote to memory of 2744	2684	cmd.exe	36
PID 2684 wrote to memory of 2744	2684	cmd.exe	36
PID 3040 wrote to memory of 2756	3040	cmd.exe	37
PID 3040 wrote to memory of 2756	3040	cmd.exe	37
PID 3040 wrote to memory of 2756	3040	cmd.exe	37
PID 3040 wrote to memory of 2768	3040	cmd.exe	38
PID 3040 wrote to memory of 2768	3040	cmd.exe	38
PID 3040 wrote to memory of 2768	3040	cmd.exe	38
PID 2768 wrote to memory of 2764	2768	cmd.exe	39
PID 2768 wrote to memory of 2764	2768	cmd.exe	39
PID 2768 wrote to memory of 2764	2768	cmd.exe	39
PID 3040 wrote to memory of 2568	3040	cmd.exe	40
PID 3040 wrote to memory of 2568	3040	cmd.exe	40
PID 3040 wrote to memory of 2568	3040	cmd.exe	40

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\zapret-discord-youtube-main\general (ALT).bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2192
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc query "zapret" | findstr /i "STATE"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\system32\sc.exe
    sc query "zapret"
    3⤵
    - Launches sc.exe
    PID:2692
- - C:\Windows\system32\findstr.exe
    findstr /i "STATE"
    3⤵
    PID:2744
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:2756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -command "(Invoke-WebRequest -Uri \"https://raw.githubusercontent.com/Flowseal/zapret-discord-youtube/main/.service/version.txt\" -Headers @{\"Cache-Control\"=\"no-cache\"} -TimeoutSec 5).Content.Trim()" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "(Invoke-WebRequest -Uri \"https://raw.githubusercontent.com/Flowseal/zapret-discord-youtube/main/.service/version.txt\" -Headers @{\"Cache-Control\"=\"no-cache\"} -TimeoutSec 5).Content.Trim()"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- C:\Users\Admin\AppData\Local\Temp\zapret-discord-youtube-main\bin\winws.exe
  "C:\Users\Admin\AppData\Local\Temp\zapret-discord-youtube-main\bin\winws.exe" --wf-tcp=80,443 --wf-udp=443,50000-50100 --filter-udp=443 --hostlist="list-general.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\zapret-discord-youtube-main\bin\quic_initial_www_google_com.bin" --new --filter-udp=50000-50100 --ipset="ipset-discord.txt" --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --new --filter-tcp=80 --hostlist="list-general.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new --filter-tcp=443 --hostlist="list-general.txt" --dpi-desync=fake,split --dpi-desync-autottl=5 --dpi-desync-repeats=6 --dpi-desync-fooling=badseq --dpi-desync-fake-tls="C:\Users\Admin\AppData\Local\Temp\zapret-discord-youtube-main\bin\tls_clienthello_www_google_com.bin"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2568-12-0x000007FEF63B0000-0x000007FEF66B2000-memory.dmp

Filesize
3.0MB

Download
memory/2568-13-0x0000000100400000-0x0000000100432000-memory.dmp

Filesize
200KB

Download
memory/2568-15-0x0000000062800000-0x0000000062813000-memory.dmp

Filesize
76KB

Download
memory/2568-16-0x000007FEF63B0000-0x000007FEF66B2000-memory.dmp

Filesize
3.0MB

Download
memory/2764-4-0x000007FEF4F9E000-0x000007FEF4F9F000-memory.dmp

Filesize
4KB

Download
memory/2764-5-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2764-7-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-6-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2764-8-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-9-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-10-0x000000000297B000-0x00000000029E2000-memory.dmp

Filesize
412KB

Download
memory/2764-11-0x000007FEF4CE0000-0x000007FEF567D000-memory.dmp

Filesize
9.6MB

Download