File name: zapret.exe

Full analysis: https://app.any.run/tasks/03ca05f8-3ea8-4829-a281-dd71cfb3fe9f
Verdict: Malicious activity
Analysis date: November 24, 2024, 10:07:24
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
github
python
pyinstaller
ims-api
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 12 sections
MD5: B334E071601498FE209FA9553B37D7AD
SHA1: D41A57E6AC317D9F7A192ED8502B3C138B16D3E6
SHA256: 889766832B793B6971C21BDE6FEF741285AF8B9ADC16A29DBDDE54AD7C450465
SSDEEP: 98304:3ah9Ip6KTKNYDDt53l5gbVSjIr7ZMKy65YXbBVlWRplU9aM4zSqNC0JyO3uHmHE4:jztwkWR0P/acEIB3hOWo8W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • zapret.exe (PID: 5472)
    • Application launched itself

      • zapret.exe (PID: 5472)
    • The process drops C-runtime libraries

      • zapret.exe (PID: 5472)
    • Process drops python dynamic module

      • zapret.exe (PID: 5472)
    • Process drops legitimate windows executable

      • zapret.exe (PID: 5472)
    • Loads Python modules

      • zapret.exe (PID: 2440)
    • Starts CMD.EXE for commands execution

      • zapret.exe (PID: 2440)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 3848)
    • Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)

      • cmd.exe (PID: 1468)
      • cmd.exe (PID: 3820)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 1064)
    • Uses WMIC.EXE to obtain CPU information

      • cmd.exe (PID: 5992)
    • Uses WMIC.EXE to obtain BIOS management information

      • cmd.exe (PID: 3172)
    • Checks for external IP

      • zapret.exe (PID: 2440)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • zapret.exe (PID: 2440)
    • Uses WMIC.EXE to obtain physical disk drive information

      • cmd.exe (PID: 3144)
  • INFO

    • Create files in a temporary directory

      • zapret.exe (PID: 5472)
      • zapret.exe (PID: 2440)
    • Reads the computer name

      • zapret.exe (PID: 5472)
      • zapret.exe (PID: 2440)
    • Checks supported languages

      • zapret.exe (PID: 5472)
      • zapret.exe (PID: 2440)
    • Reads the machine GUID from the registry

      • zapret.exe (PID: 2440)
    • Checks proxy server information

      • zapret.exe (PID: 2440)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 1064)
      • WMIC.exe (PID: 1448)
      • WMIC.exe (PID: 3140)
      • WMIC.exe (PID: 848)
      • WMIC.exe (PID: 5628)
      • WMIC.exe (PID: 4024)
    • PyInstaller has been detected (YARA)

      • zapret.exe (PID: 5472)
      • zapret.exe (PID: 2440)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process (2440) zapret.exe
Discord-Webhook-Tokens (1)
1309876516099854346/NlmIv0BUlP0y3DODPLAmrEm_t2a4-__dOn_mRm2KytzcqpDVCOfCFafejFHgbPj1Dc5y
Discord-Info-Links
1309876516099854346/NlmIv0BUlP0y3DODPLAmrEm_t2a4-__dOn_mRm2KytzcqpDVCOfCFafejFHgbPj1Dc5y
Get Webhook Info: https://discord.com/api/webhooks/1309876516099854346/NlmIv0BUlP0y3DODPLAmrEm_t2a4-__dOn_mRm2KytzcqpDVCOfCFafejFHgbPj1Dc5y
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:11:23 13:54:03+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.39
CodeSize: 96256
InitializedDataSize: 208384
UninitializedDataSize: 61440
EntryPoint: 0x10f6
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 140
Monitored processes: 20
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → zapret.exe → zapret.exe → 6 × [cmd.exe (no specs) → conhost.exe (no specs), wmic.exe (no specs)]

Process information

Columns: PID | CMD | Path | Indicators | Parent process

PID 848 | CMD: wmic cpu get serialnumber | Path: C:\Windows\System32\wbem\WMIC.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID 1064 | CMD: wmic csproduct get uuid | Path: C:\Windows\System32\wbem\WMIC.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID 1448 | CMD: wmic baseboard get manufacturer | Path: C:\Windows\System32\wbem\WMIC.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID 1468 | CMD: C:\WINDOWS\system32\cmd.exe /c "wmic baseboard get manufacturer" | Path: C:\Windows\System32\cmd.exe | Parent: zapret.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID 2440 | CMD: "C:\Users\admin\Desktop\zapret.exe" | Path: C:\Users\admin\Desktop\zapret.exe | Parent: zapret.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\zapret.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID 2796 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 3140 | CMD: wmic diskdrive get serialnumber | Path: C:\Windows\System32\wbem\WMIC.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID 3144 | CMD: C:\WINDOWS\system32\cmd.exe /c "wmic diskdrive get serialnumber" | Path: C:\Windows\System32\cmd.exe | Parent: zapret.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID 3172 | CMD: C:\WINDOWS\system32\cmd.exe /c "wmic bios get serialnumber" | Path: C:\Windows\System32\cmd.exe | Parent: zapret.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID 3224 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 1 631
Read events: 1 631
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 33
Suspicious files: 2
Text files: 3
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type

5472 | zapret.exe | C:\Users\admin\AppData\Local\Temp\_MEI54722\_bz2.pyd | executable
    MD5: 4FDF3BC5548F98264CCEDCA2E400E8EF
    SHA256: CB2B8853CCF149B0B175769CB8ED6E2F9C2CBEC0AF3D8835C43570FD91DA1B4F
5472 | zapret.exe | C:\Users\admin\AppData\Local\Temp\_MEI54722\_queue.pyd | executable
    MD5: 1B1A7CB8FD95C0D9741462DE11ABD43D
    SHA256: 3C907316271B15935FF400B65D24F229FEB980A5BE9CB4AD9F79F210FF0B884C
5472 | zapret.exe | C:\Users\admin\AppData\Local\Temp\_MEI54722\_asyncio.pyd | executable
    MD5: CCC47CD433F0ED282A5AA14C8513EFCA
    SHA256: 4D6AA25D76A9739C6B6DF1D36448BD8CAF9B758FDF77311B8D57600C813B0C74
5472 | zapret.exe | C:\Users\admin\AppData\Local\Temp\_MEI54722\_lzma.pyd | executable
    MD5: CE4A35FC25D50497E8BE0E75FF8D61B3
    SHA256: E352C77F7810EA83617ED096626AC9C3D628726DEF47551F90741D201C1F3B3D
5472 | zapret.exe | C:\Users\admin\AppData\Local\Temp\_MEI54722\VCRUNTIME140_1.dll | executable
    MD5: 37C372DA4B1ADB96DC995ECB7E68E465
    SHA256: 1554B5802968FDB2705A67CBB61585E9560B9E429D043A5AA742EF3C9BBFB6BF
5472 | zapret.exe | C:\Users\admin\AppData\Local\Temp\_MEI54722\_multiprocessing.pyd | executable
    MD5: 28FFC21F17ED65718F3B85810477EEBE
    SHA256: B3D17B695A00E55309F892F506EB1D6CBC781271F6B08F54D4D73D5359E7F2A5
5472 | zapret.exe | C:\Users\admin\AppData\Local\Temp\_MEI54722\_socket.pyd | executable
    MD5: 439B4D756CDE64FBA441E640DF56DD60
    SHA256: ACB377FD6967B2CE819601C7D6A102D30AF570EAEE9E312E383F34AECD5DF142
5472 | zapret.exe | C:\Users\admin\AppData\Local\Temp\_MEI54722\_overlapped.pyd | executable
    MD5: 77F3FA03D5C49F3D21A3011CAAE70C6D
    SHA256: 7A92DB1B4F65473E44B54CC71BD2A174DB86EBB1FBE642A88E7A7E10B839A2EA
5472 | zapret.exe | C:\Users\admin\AppData\Local\Temp\_MEI54722\_ssl.pyd | executable
    MD5: 5E2EE0A0277FFE2BD854ABB898310D43
    SHA256: 75AE15B70EAA1950CF259FED95ADE499D7C6DFEFFFDF4C3292C46BD24DA25902
5472 | zapret.exe | C:\Users\admin\AppData\Local\Temp\_MEI54722\VCRUNTIME140.dll | executable
    MD5: A87575E7CF8967E481241F13940EE4F7
    SHA256: DED5ADAA94341E6C62AEA03845762591666381DCA30EB7C17261DD154121B83E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 22
DNS requests: 8
Threats: 3

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

244 | svchost.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
648 | RUXIMICS.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
244 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
648 | RUXIMICS.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

244 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
648 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
2440 | zapret.exe | 104.26.13.205:443 | api.ipify.org | CLOUDFLARENET | US | shared
244 | svchost.exe | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
648 | RUXIMICS.exe | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
244 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.206
whitelisted
api.ipify.org
  • 104.26.13.205
  • 104.26.12.205
  • 172.67.74.152
shared
crl.microsoft.com
  • 2.16.164.106
  • 2.16.164.43
  • 2.16.164.24
  • 2.16.164.40
  • 2.16.164.51
  • 2.16.164.34
  • 2.16.164.97
  • 2.16.164.114
  • 2.16.164.9
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
raw.githubusercontent.com
  • 185.199.110.133
  • 185.199.111.133
  • 185.199.109.133
  • 185.199.108.133
shared
self.events.data.microsoft.com
  • 20.42.73.24
whitelisted

Threats

Columns: PID | Process | Class | Message

2192 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
2440 | zapret.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2192 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info