ce6ff5a8f86ff4ddd08cfcdf94653f9d649d5508724b8abcb7ef84067ec3535c

Analysis

max time kernel
34s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cleaner.exe
Size

716KB
MD5

e0c2bf1961a451ce4668800d460e4d99
SHA1

f7b310c9c887cc19bda72224fbe634e7b41e560b
SHA256

ce6ff5a8f86ff4ddd08cfcdf94653f9d649d5508724b8abcb7ef84067ec3535c
SHA512

d253927ecbd81bf8113cb97cf5d992ba576fdf96a093abb318b88dcd6ed5e6e2081c19104b2b6b064e77062abb43779383f3efcff4ddf1017fe9267d0545c3cb
SSDEEP

12288:jNUm1sUCrLN8qJfgai+V+VCp641oHu2/hSMXlnphqYt:hEU0LGGPihCpb1b2/hSMXlph

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1040	netsh.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
320	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1988	1088	WerFault.exe	6

Kills process with taskkill 17 IoCs

evasion

pid	Process
1824	taskkill.exe
1396	taskkill.exe
1372	taskkill.exe
868	taskkill.exe
1684	taskkill.exe
1100	taskkill.exe
1652	taskkill.exe
956	taskkill.exe
900	taskkill.exe
1736	taskkill.exe
1956	taskkill.exe
2000	taskkill.exe
432	taskkill.exe
1328	taskkill.exe
1492	taskkill.exe
328	taskkill.exe
1764	taskkill.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	900	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	868	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	432	taskkill.exe
Token: SeDebugPrivilege	1328	taskkill.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	1492	taskkill.exe
Token: SeDebugPrivilege	328	taskkill.exe
Token: SeDebugPrivilege	1396	taskkill.exe
Token: SeDebugPrivilege	1372	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 856	1088	Cleaner.exe	29
PID 1088 wrote to memory of 856	1088	Cleaner.exe	29
PID 1088 wrote to memory of 856	1088	Cleaner.exe	29
PID 856 wrote to memory of 900	856	cmd.exe	30
PID 856 wrote to memory of 900	856	cmd.exe	30
PID 856 wrote to memory of 900	856	cmd.exe	30
PID 1088 wrote to memory of 1704	1088	Cleaner.exe	32
PID 1088 wrote to memory of 1704	1088	Cleaner.exe	32
PID 1088 wrote to memory of 1704	1088	Cleaner.exe	32
PID 1704 wrote to memory of 2000	1704	cmd.exe	33
PID 1704 wrote to memory of 2000	1704	cmd.exe	33
PID 1704 wrote to memory of 2000	1704	cmd.exe	33
PID 1088 wrote to memory of 1884	1088	Cleaner.exe	34
PID 1088 wrote to memory of 1884	1088	Cleaner.exe	34
PID 1088 wrote to memory of 1884	1088	Cleaner.exe	34
PID 1884 wrote to memory of 1764	1884	cmd.exe	35
PID 1884 wrote to memory of 1764	1884	cmd.exe	35
PID 1884 wrote to memory of 1764	1884	cmd.exe	35
PID 1088 wrote to memory of 1180	1088	Cleaner.exe	36
PID 1088 wrote to memory of 1180	1088	Cleaner.exe	36
PID 1088 wrote to memory of 1180	1088	Cleaner.exe	36
PID 1180 wrote to memory of 1684	1180	cmd.exe	37
PID 1180 wrote to memory of 1684	1180	cmd.exe	37
PID 1180 wrote to memory of 1684	1180	cmd.exe	37
PID 1088 wrote to memory of 832	1088	Cleaner.exe	38
PID 1088 wrote to memory of 832	1088	Cleaner.exe	38
PID 1088 wrote to memory of 832	1088	Cleaner.exe	38
PID 832 wrote to memory of 1736	832	cmd.exe	39
PID 832 wrote to memory of 1736	832	cmd.exe	39
PID 832 wrote to memory of 1736	832	cmd.exe	39
PID 1088 wrote to memory of 780	1088	Cleaner.exe	40
PID 1088 wrote to memory of 780	1088	Cleaner.exe	40
PID 1088 wrote to memory of 780	1088	Cleaner.exe	40
PID 780 wrote to memory of 868	780	cmd.exe	41
PID 780 wrote to memory of 868	780	cmd.exe	41
PID 780 wrote to memory of 868	780	cmd.exe	41
PID 1088 wrote to memory of 1912	1088	Cleaner.exe	42
PID 1088 wrote to memory of 1912	1088	Cleaner.exe	42
PID 1088 wrote to memory of 1912	1088	Cleaner.exe	42
PID 1912 wrote to memory of 1824	1912	cmd.exe	43
PID 1912 wrote to memory of 1824	1912	cmd.exe	43
PID 1912 wrote to memory of 1824	1912	cmd.exe	43
PID 1088 wrote to memory of 588	1088	Cleaner.exe	44
PID 1088 wrote to memory of 588	1088	Cleaner.exe	44
PID 1088 wrote to memory of 588	1088	Cleaner.exe	44
PID 588 wrote to memory of 1100	588	cmd.exe	45
PID 588 wrote to memory of 1100	588	cmd.exe	45
PID 588 wrote to memory of 1100	588	cmd.exe	45
PID 1088 wrote to memory of 1292	1088	Cleaner.exe	46
PID 1088 wrote to memory of 1292	1088	Cleaner.exe	46
PID 1088 wrote to memory of 1292	1088	Cleaner.exe	46
PID 1292 wrote to memory of 1652	1292	cmd.exe	47
PID 1292 wrote to memory of 1652	1292	cmd.exe	47
PID 1292 wrote to memory of 1652	1292	cmd.exe	47
PID 1088 wrote to memory of 1540	1088	Cleaner.exe	48
PID 1088 wrote to memory of 1540	1088	Cleaner.exe	48
PID 1088 wrote to memory of 1540	1088	Cleaner.exe	48
PID 1540 wrote to memory of 1956	1540	cmd.exe	49
PID 1540 wrote to memory of 1956	1540	cmd.exe	49
PID 1540 wrote to memory of 1956	1540	cmd.exe	49
PID 1088 wrote to memory of 1388	1088	Cleaner.exe	50
PID 1088 wrote to memory of 1388	1088	Cleaner.exe	50
PID 1088 wrote to memory of 1388	1088	Cleaner.exe	50
PID 1388 wrote to memory of 432	1388	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Cleaner.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im steam.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:900
- - C:\Windows\system32\netsh.exe
    netsh int ipv6 reset
    3⤵
    PID:956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im steamservice.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im steamservice.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im steamwebhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im steamwebhelper.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im geegee.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im geegee.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im RUST.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im RUST.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im discord.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im discord.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Origin.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Origin.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EasyAntiCheat.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Origin.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Origin.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im igoproxy64.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im igoproxy64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im igoproxy.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im igoproxy.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OriginCrashReporter.exe
  2⤵
  PID:112
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginCrashReporter.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OriginWebHelper.exe
  2⤵
  PID:2012
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginWebHelper.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Origin.exe
  2⤵
  PID:1924
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Origin.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat
  2⤵
  PID:1212
- - C:\Windows\system32\sc.exe
    sc stop EasyAntiCheat
    3⤵
    - Launches sc.exe
    PID:320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
  2⤵
  PID:1884
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  PID:1180
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
  2⤵
  PID:832
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OneDrive.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh winsock reset
  2⤵
  PID:780
- - C:\Windows\system32\netsh.exe
    netsh winsock reset
    3⤵
    PID:584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh winsock reset catalog
  2⤵
  PID:1572
- - C:\Windows\system32\netsh.exe
    netsh winsock reset catalog
    3⤵
    PID:1688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int ip reset
  2⤵
  PID:1100
- - C:\Windows\system32\netsh.exe
    netsh int ip reset
    3⤵
    PID:1188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall reset
  2⤵
  PID:1292
- - C:\Windows\system32\netsh.exe
    netsh advfirewall reset
    3⤵
    - Modifies Windows Firewall
    PID:1040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int reset all
  2⤵
  PID:1016
- - C:\Windows\system32\netsh.exe
    netsh int reset all
    3⤵
    PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int ipv4 reset
  2⤵
  PID:964
- - C:\Windows\system32\netsh.exe
    netsh int ipv4 reset
    3⤵
    PID:1780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int ipv6 reset
  2⤵
  PID:856
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1088 -s 48
  2⤵
  - Program crash
  PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/584-92-0x000007FEFB801000-0x000007FEFB803000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads