6340e23e4c3bdebc2accf31f84539e84ca37a2bbcadd16c86d35621723f2024f

Analysis

max time kernel
30s
max time network
22s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zapret-discord-youtube-main/service_install.bat
Size

3KB
MD5

283f64774d027af0ae0a59ecc3397916
SHA1

8be1681203250a584152f5ea024cbb1764e3cb34
SHA256

e11174d83067e63382106099d9e6636ad361294f982dcad3b5cfe4479b679361
SHA512

25b06ef5a6679578d39d5b44d1e788dbc8890b514b9613eee0eaf73f72ae2049aa74201049219cb2319019eb59d6db5cd732e1f4442725238869a4e41dc81da5

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	4716	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
4092	powershell.exe
4716	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4092	powershell.exe
4092	powershell.exe
4716	powershell.exe
4716	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	4716	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 5540	3192	cmd.exe	88
PID 3192 wrote to memory of 5540	3192	cmd.exe	88
PID 3192 wrote to memory of 4092	3192	cmd.exe	89
PID 3192 wrote to memory of 4092	3192	cmd.exe	89
PID 4092 wrote to memory of 4632	4092	powershell.exe	90
PID 4092 wrote to memory of 4632	4092	powershell.exe	90
PID 4632 wrote to memory of 4748	4632	cmd.exe	92
PID 4632 wrote to memory of 4748	4632	cmd.exe	92
PID 4632 wrote to memory of 4712	4632	cmd.exe	93
PID 4632 wrote to memory of 4712	4632	cmd.exe	93
PID 4632 wrote to memory of 4872	4632	cmd.exe	94
PID 4632 wrote to memory of 4872	4632	cmd.exe	94
PID 4872 wrote to memory of 4716	4872	cmd.exe	95
PID 4872 wrote to memory of 4716	4872	cmd.exe	95

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\zapret-discord-youtube-main\service_install.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:5540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process 'cmd.exe' -ArgumentList '/k \"\"C:\Users\Admin\AppData\Local\Temp\zapret-discord-youtube-main\service_install.bat\" admin\"' -Verb RunAs"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k ""C:\Users\Admin\AppData\Local\Temp\zapret-discord-youtube-main\service_install.bat" admin"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4748
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:4712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "(Invoke-WebRequest -Uri \"https://raw.githubusercontent.com/Flowseal/zapret-discord-youtube/main/.service/version.txt\" -Headers @{\"Cache-Control\"=\"no-cache\"} -TimeoutSec 5).Content.Trim()" 2>nul
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "(Invoke-WebRequest -Uri \"https://raw.githubusercontent.com/Flowseal/zapret-discord-youtube/main/.service/version.txt\" -Headers @{\"Cache-Control\"=\"no-cache\"} -TimeoutSec 5).Content.Trim()"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
bda935162ef3064dc0dd5c669ceb9674

SHA1
a29a7423e8e071f93c19c6b8d3c235aec3536147

SHA256
de725fd263005484d842cebc52d76a64b5a5266af37a53b6c39a4774e95f7a34

SHA512
b672d78ef65628048f09f3d7b6895a3fd8f9eb335d58bed8e9a89b3f99715b2f9843e00f6d87ff3c362609971a8a4b43156e71974b92be4c0ea7db6e75ef6a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uowrx2ri.tei.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4092-0-0x00007FFC49913000-0x00007FFC49915000-memory.dmp

Filesize
8KB

Download
memory/4092-10-0x00000185A5890000-0x00000185A58B2000-memory.dmp

Filesize
136KB

Download
memory/4092-11-0x00007FFC49910000-0x00007FFC4A3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4092-12-0x00007FFC49910000-0x00007FFC4A3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4092-15-0x00007FFC49910000-0x00007FFC4A3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4716-27-0x000002B3007B0000-0x000002B300F56000-memory.dmp

Filesize
7.6MB

Download