ce6ff5a8f86ff4ddd08cfcdf94653f9d649d5508724b8abcb7ef84067ec3535c

Analysis

max time kernel
47s
max time network
57s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2022, 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cleaner.exe
Size

716KB
MD5

e0c2bf1961a451ce4668800d460e4d99
SHA1

f7b310c9c887cc19bda72224fbe634e7b41e560b
SHA256

ce6ff5a8f86ff4ddd08cfcdf94653f9d649d5508724b8abcb7ef84067ec3535c
SHA512

d253927ecbd81bf8113cb97cf5d992ba576fdf96a093abb318b88dcd6ed5e6e2081c19104b2b6b064e77062abb43779383f3efcff4ddf1017fe9267d0545c3cb
SSDEEP

12288:jNUm1sUCrLN8qJfgai+V+VCp641oHu2/hSMXlnphqYt:hEU0LGGPihCpb1b2/hSMXlph

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4940	netsh.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5012	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
740	2612	WerFault.exe	79

Kills process with taskkill 17 IoCs

evasion

pid	Process
320	taskkill.exe
2496	taskkill.exe
4964	taskkill.exe
376	taskkill.exe
4440	taskkill.exe
808	taskkill.exe
4436	taskkill.exe
4584	taskkill.exe
4612	taskkill.exe
3740	taskkill.exe
4708	taskkill.exe
1872	taskkill.exe
4260	taskkill.exe
2124	taskkill.exe
1484	taskkill.exe
4764	taskkill.exe
1472	taskkill.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	320	taskkill.exe
Token: SeDebugPrivilege	3740	taskkill.exe
Token: SeDebugPrivilege	4708	taskkill.exe
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	2496	taskkill.exe
Token: SeDebugPrivilege	808	taskkill.exe
Token: SeDebugPrivilege	2124	taskkill.exe
Token: SeDebugPrivilege	4436	taskkill.exe
Token: SeDebugPrivilege	4964	taskkill.exe
Token: SeDebugPrivilege	376	taskkill.exe
Token: SeDebugPrivilege	4584	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	4764	taskkill.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	4612	taskkill.exe
Token: SeDebugPrivilege	4440	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 220	2612	Cleaner.exe	81
PID 2612 wrote to memory of 220	2612	Cleaner.exe	81
PID 220 wrote to memory of 320	220	cmd.exe	82
PID 220 wrote to memory of 320	220	cmd.exe	82
PID 2612 wrote to memory of 4468	2612	Cleaner.exe	83
PID 2612 wrote to memory of 4468	2612	Cleaner.exe	83
PID 4468 wrote to memory of 3740	4468	cmd.exe	84
PID 4468 wrote to memory of 3740	4468	cmd.exe	84
PID 2612 wrote to memory of 3808	2612	Cleaner.exe	85
PID 2612 wrote to memory of 3808	2612	Cleaner.exe	85
PID 3808 wrote to memory of 4708	3808	cmd.exe	86
PID 3808 wrote to memory of 4708	3808	cmd.exe	86
PID 2612 wrote to memory of 4716	2612	Cleaner.exe	87
PID 2612 wrote to memory of 4716	2612	Cleaner.exe	87
PID 4716 wrote to memory of 1872	4716	cmd.exe	88
PID 4716 wrote to memory of 1872	4716	cmd.exe	88
PID 2612 wrote to memory of 3936	2612	Cleaner.exe	89
PID 2612 wrote to memory of 3936	2612	Cleaner.exe	89
PID 3936 wrote to memory of 4260	3936	cmd.exe	90
PID 3936 wrote to memory of 4260	3936	cmd.exe	90
PID 2612 wrote to memory of 612	2612	Cleaner.exe	92
PID 2612 wrote to memory of 612	2612	Cleaner.exe	92
PID 612 wrote to memory of 2496	612	cmd.exe	91
PID 612 wrote to memory of 2496	612	cmd.exe	91
PID 2612 wrote to memory of 3664	2612	Cleaner.exe	93
PID 2612 wrote to memory of 3664	2612	Cleaner.exe	93
PID 3664 wrote to memory of 808	3664	cmd.exe	94
PID 3664 wrote to memory of 808	3664	cmd.exe	94
PID 2612 wrote to memory of 2148	2612	Cleaner.exe	95
PID 2612 wrote to memory of 2148	2612	Cleaner.exe	95
PID 2148 wrote to memory of 2124	2148	cmd.exe	96
PID 2148 wrote to memory of 2124	2148	cmd.exe	96
PID 2612 wrote to memory of 3612	2612	Cleaner.exe	97
PID 2612 wrote to memory of 3612	2612	Cleaner.exe	97
PID 3612 wrote to memory of 4436	3612	cmd.exe	98
PID 3612 wrote to memory of 4436	3612	cmd.exe	98
PID 2612 wrote to memory of 4240	2612	Cleaner.exe	99
PID 2612 wrote to memory of 4240	2612	Cleaner.exe	99
PID 4240 wrote to memory of 4964	4240	cmd.exe	100
PID 4240 wrote to memory of 4964	4240	cmd.exe	100
PID 2612 wrote to memory of 5016	2612	Cleaner.exe	101
PID 2612 wrote to memory of 5016	2612	Cleaner.exe	101
PID 5016 wrote to memory of 376	5016	cmd.exe	102
PID 5016 wrote to memory of 376	5016	cmd.exe	102
PID 2612 wrote to memory of 1236	2612	Cleaner.exe	103
PID 2612 wrote to memory of 1236	2612	Cleaner.exe	103
PID 1236 wrote to memory of 4584	1236	cmd.exe	104
PID 1236 wrote to memory of 4584	1236	cmd.exe	104
PID 2612 wrote to memory of 1936	2612	Cleaner.exe	105
PID 2612 wrote to memory of 1936	2612	Cleaner.exe	105
PID 1936 wrote to memory of 1484	1936	cmd.exe	106
PID 1936 wrote to memory of 1484	1936	cmd.exe	106
PID 2612 wrote to memory of 4380	2612	Cleaner.exe	107
PID 2612 wrote to memory of 4380	2612	Cleaner.exe	107
PID 4380 wrote to memory of 4764	4380	cmd.exe	108
PID 4380 wrote to memory of 4764	4380	cmd.exe	108
PID 2612 wrote to memory of 984	2612	Cleaner.exe	109
PID 2612 wrote to memory of 984	2612	Cleaner.exe	109
PID 984 wrote to memory of 5012	984	cmd.exe	110
PID 984 wrote to memory of 5012	984	cmd.exe	110
PID 2612 wrote to memory of 2232	2612	Cleaner.exe	111
PID 2612 wrote to memory of 2232	2612	Cleaner.exe	111
PID 2232 wrote to memory of 1472	2232	cmd.exe	112
PID 2232 wrote to memory of 1472	2232	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Cleaner.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im steam.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im steamservice.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im steamservice.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im steamwebhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im steamwebhelper.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im geegee.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im geegee.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im RUST.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im RUST.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im discord.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Origin.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Origin.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EasyAntiCheat.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Origin.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Origin.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im igoproxy64.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im igoproxy64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im igoproxy.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im igoproxy.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OriginCrashReporter.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginCrashReporter.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OriginWebHelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginWebHelper.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Origin.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Origin.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Windows\system32\sc.exe
    sc stop EasyAntiCheat
    3⤵
    - Launches sc.exe
    PID:5012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  PID:1572
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
  2⤵
  PID:5008
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OneDrive.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh winsock reset
  2⤵
  PID:5020
- - C:\Windows\system32\netsh.exe
    netsh winsock reset
    3⤵
    PID:1812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh winsock reset catalog
  2⤵
  PID:1128
- - C:\Windows\system32\netsh.exe
    netsh winsock reset catalog
    3⤵
    PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int ip reset
  2⤵
  PID:4256
- - C:\Windows\system32\netsh.exe
    netsh int ip reset
    3⤵
    PID:1308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall reset
  2⤵
  PID:4992
- - C:\Windows\system32\netsh.exe
    netsh advfirewall reset
    3⤵
    - Modifies Windows Firewall
    PID:4940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int reset all
  2⤵
  PID:2316
- - C:\Windows\system32\netsh.exe
    netsh int reset all
    3⤵
    PID:4760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int ipv4 reset
  2⤵
  PID:1712
- - C:\Windows\system32\netsh.exe
    netsh int ipv4 reset
    3⤵
    PID:3456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int ipv6 reset
  2⤵
  PID:2336
- - C:\Windows\system32\netsh.exe
    netsh int ipv6 reset
    3⤵
    PID:2996
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2612 -s 236
  2⤵
  - Program crash
  PID:740

C:\Windows\system32\taskkill.exe
taskkill /f /im discord.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 432 -p 2612 -ip 2612
1⤵
PID:3140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads