6340e23e4c3bdebc2accf31f84539e84ca37a2bbcadd16c86d35621723f2024f

Analysis

max time kernel
15s
max time network
17s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zapret-discord-youtube-main/check_updates.bat
Size

1KB
MD5

8ea8e2f841c62cb8a800e0ecb601850f
SHA1

fd456492a252ec263ed828ccb90935d4df5c9cb6
SHA256

d9e6be50f0960b1c38ed7771e710f1af359b53fe1390e7dc8524438ea3885585
SHA512

a5379aa37a1a04ac60d24a085abb2eddfaa97d511141b0764f34d86e67b3462ad627f4585dded8477676c228418a34e3f986147d6f43277caed526a0a554cc77

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1724	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1724	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 1812	2960	cmd.exe	32
PID 2960 wrote to memory of 1812	2960	cmd.exe	32
PID 2960 wrote to memory of 1812	2960	cmd.exe	32
PID 2960 wrote to memory of 1096	2960	cmd.exe	33
PID 2960 wrote to memory of 1096	2960	cmd.exe	33
PID 2960 wrote to memory of 1096	2960	cmd.exe	33
PID 1096 wrote to memory of 1724	1096	cmd.exe	34
PID 1096 wrote to memory of 1724	1096	cmd.exe	34
PID 1096 wrote to memory of 1724	1096	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\zapret-discord-youtube-main\check_updates.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:1812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -command "(Invoke-WebRequest -Uri \"https://raw.githubusercontent.com/Flowseal/zapret-discord-youtube/main/.service/version.txt\" -Headers @{\"Cache-Control\"=\"no-cache\"} -TimeoutSec 5).Content.Trim()" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "(Invoke-WebRequest -Uri \"https://raw.githubusercontent.com/Flowseal/zapret-discord-youtube/main/.service/version.txt\" -Headers @{\"Cache-Control\"=\"no-cache\"} -TimeoutSec 5).Content.Trim()"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1724-4-0x000007FEF62AE000-0x000007FEF62AF000-memory.dmp

Filesize
4KB

Download
memory/1724-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/1724-7-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

Filesize
9.6MB

Download
memory/1724-6-0x0000000001C90000-0x0000000001C98000-memory.dmp

Filesize
32KB

Download
memory/1724-10-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

Filesize
9.6MB

Download
memory/1724-9-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

Filesize
9.6MB

Download
memory/1724-8-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

Filesize
9.6MB

Download
memory/1724-11-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

Filesize
9.6MB

Download
memory/1724-12-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

Filesize
9.6MB

Download