6340e23e4c3bdebc2accf31f84539e84ca37a2bbcadd16c86d35621723f2024f

Analysis

max time kernel
17s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zapret-discord-youtube-main/service_remove.bat
Size

428B
MD5

97b2922ed1cb49c24cd7952c60f03a0c
SHA1

450fd1b4dd6233d0ea1b75d7c2bad6778fa3683f
SHA256

92304d7be76311f4a5ed0c815b36587ab33f7a703147862efe63e7a55c09a3c1
SHA512

187a108256d07782093ef92d72600d6552f4bd5d79883fdcb341dbfbb8dc760088da1dfcb06f6183789dd855e47b7b622ef9bc9a00d2334e9d1c16470f6a9041

Score

8^/10

defense_evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
2080	powershell.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2804	sc.exe
2764	sc.exe
2736	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2080	powershell.exe
2080	powershell.exe
2080	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	powershell.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2032	2388	cmd.exe	31
PID 2388 wrote to memory of 2032	2388	cmd.exe	31
PID 2388 wrote to memory of 2032	2388	cmd.exe	31
PID 2388 wrote to memory of 2080	2388	cmd.exe	32
PID 2388 wrote to memory of 2080	2388	cmd.exe	32
PID 2388 wrote to memory of 2080	2388	cmd.exe	32
PID 2080 wrote to memory of 2712	2080	powershell.exe	33
PID 2080 wrote to memory of 2712	2080	powershell.exe	33
PID 2080 wrote to memory of 2712	2080	powershell.exe	33
PID 2712 wrote to memory of 2812	2712	cmd.exe	35
PID 2712 wrote to memory of 2812	2712	cmd.exe	35
PID 2712 wrote to memory of 2812	2712	cmd.exe	35
PID 2712 wrote to memory of 2836	2712	cmd.exe	36
PID 2712 wrote to memory of 2836	2712	cmd.exe	36
PID 2712 wrote to memory of 2836	2712	cmd.exe	36
PID 2836 wrote to memory of 2868	2836	net.exe	37
PID 2836 wrote to memory of 2868	2836	net.exe	37
PID 2836 wrote to memory of 2868	2836	net.exe	37
PID 2712 wrote to memory of 2804	2712	cmd.exe	38
PID 2712 wrote to memory of 2804	2712	cmd.exe	38
PID 2712 wrote to memory of 2804	2712	cmd.exe	38
PID 2712 wrote to memory of 2752	2712	cmd.exe	39
PID 2712 wrote to memory of 2752	2712	cmd.exe	39
PID 2712 wrote to memory of 2752	2712	cmd.exe	39
PID 2752 wrote to memory of 2728	2752	net.exe	40
PID 2752 wrote to memory of 2728	2752	net.exe	40
PID 2752 wrote to memory of 2728	2752	net.exe	40
PID 2712 wrote to memory of 2736	2712	cmd.exe	41
PID 2712 wrote to memory of 2736	2712	cmd.exe	41
PID 2712 wrote to memory of 2736	2712	cmd.exe	41
PID 2712 wrote to memory of 2036	2712	cmd.exe	42
PID 2712 wrote to memory of 2036	2712	cmd.exe	42
PID 2712 wrote to memory of 2036	2712	cmd.exe	42
PID 2036 wrote to memory of 2928	2036	net.exe	43
PID 2036 wrote to memory of 2928	2036	net.exe	43
PID 2036 wrote to memory of 2928	2036	net.exe	43
PID 2712 wrote to memory of 2764	2712	cmd.exe	44
PID 2712 wrote to memory of 2764	2712	cmd.exe	44
PID 2712 wrote to memory of 2764	2712	cmd.exe	44

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\zapret-discord-youtube-main\service_remove.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process 'cmd.exe' -ArgumentList '/k \"\"C:\Users\Admin\AppData\Local\Temp\zapret-discord-youtube-main\service_remove.bat\" admin\"' -Verb RunAs"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /k ""C:\Users\Admin\AppData\Local\Temp\zapret-discord-youtube-main\service_remove.bat" admin"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2812
  - - C:\Windows\system32\net.exe
      net stop zapret
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop zapret
        5⤵
        
        PID:2868
  - - C:\Windows\system32\sc.exe
      sc delete zapret
      4⤵
      Launches sc.exe
      PID:2804
  - - C:\Windows\system32\net.exe
      net stop "WinDivert"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WinDivert"
        5⤵
        
        PID:2728
  - - C:\Windows\system32\sc.exe
      sc delete "WinDivert"
      4⤵
      Launches sc.exe
      PID:2736
  - - C:\Windows\system32\net.exe
      net stop "WinDivert14"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WinDivert14"
        5⤵
        
        PID:2928
  - - C:\Windows\system32\sc.exe
      sc delete "WinDivert14"
      4⤵
      Launches sc.exe
      PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2080-4-0x000007FEF536E000-0x000007FEF536F000-memory.dmp

Filesize
4KB

Download
memory/2080-6-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2080-5-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2080-7-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-8-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-9-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-10-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-11-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-12-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

Filesize
9.6MB

Download