42ac97d393388a95d34957ced75e0df53428d7ddf7d1f809900bcad7654855ae

Analysis

max time kernel
42s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2023 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

asd.bat
Size

141KB
MD5

e0b4f0f0fd63c2df4b95d2eebc372e18
SHA1

e46601302cd08640b39dd13499e2e045cef0fc4d
SHA256

42ac97d393388a95d34957ced75e0df53428d7ddf7d1f809900bcad7654855ae
SHA512

0a13176bef40722872592916928cb8b9528d5eef05ecf5a4a7466f0b3f81ce2f0c3d87f41f28fed6acda9720918463e88db11f686a03367d9d0f3e1cbffb6583
SSDEEP

768:t0TvQH4QG0pd6pjLqLzlDgaboPTdzcIuQBCnAa8oP6ZPUPEP0VLGLoLWL0LCfWJm:ELqLZy2Q8nQ2LGLoLWL0LskmNjak1R

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 5 IoCs

evasion

pid	Process
3468	taskkill.exe
4316	taskkill.exe
4728	taskkill.exe
2044	taskkill.exe
1348	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	reg.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3468	taskkill.exe
Token: SeDebugPrivilege	4316	taskkill.exe
Token: SeDebugPrivilege	4728	taskkill.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	1348	taskkill.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 3468	4984	cmd.exe	82
PID 4984 wrote to memory of 3468	4984	cmd.exe	82
PID 4984 wrote to memory of 4316	4984	cmd.exe	83
PID 4984 wrote to memory of 4316	4984	cmd.exe	83
PID 4984 wrote to memory of 4728	4984	cmd.exe	84
PID 4984 wrote to memory of 4728	4984	cmd.exe	84
PID 4984 wrote to memory of 2044	4984	cmd.exe	85
PID 4984 wrote to memory of 2044	4984	cmd.exe	85
PID 4984 wrote to memory of 1348	4984	cmd.exe	86
PID 4984 wrote to memory of 1348	4984	cmd.exe	86
PID 4984 wrote to memory of 4660	4984	cmd.exe	95
PID 4984 wrote to memory of 4660	4984	cmd.exe	95
PID 4984 wrote to memory of 1728	4984	cmd.exe	96
PID 4984 wrote to memory of 1728	4984	cmd.exe	96
PID 4984 wrote to memory of 524	4984	cmd.exe	97
PID 4984 wrote to memory of 524	4984	cmd.exe	97
PID 4984 wrote to memory of 692	4984	cmd.exe	98
PID 4984 wrote to memory of 692	4984	cmd.exe	98
PID 4984 wrote to memory of 3224	4984	cmd.exe	99
PID 4984 wrote to memory of 3224	4984	cmd.exe	99
PID 4984 wrote to memory of 828	4984	cmd.exe	100
PID 4984 wrote to memory of 828	4984	cmd.exe	100
PID 4984 wrote to memory of 4352	4984	cmd.exe	101
PID 4984 wrote to memory of 4352	4984	cmd.exe	101
PID 4984 wrote to memory of 4024	4984	cmd.exe	102
PID 4984 wrote to memory of 4024	4984	cmd.exe	102
PID 4984 wrote to memory of 4236	4984	cmd.exe	103
PID 4984 wrote to memory of 4236	4984	cmd.exe	103
PID 4984 wrote to memory of 4592	4984	cmd.exe	104
PID 4984 wrote to memory of 4592	4984	cmd.exe	104
PID 4984 wrote to memory of 1252	4984	cmd.exe	105
PID 4984 wrote to memory of 1252	4984	cmd.exe	105
PID 4984 wrote to memory of 3452	4984	cmd.exe	106
PID 4984 wrote to memory of 3452	4984	cmd.exe	106
PID 4984 wrote to memory of 2148	4984	cmd.exe	107
PID 4984 wrote to memory of 2148	4984	cmd.exe	107

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\asd.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3468
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4316
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4728
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /f
  2⤵
  - Modifies registry class
  PID:4660
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags" /f
  2⤵
  PID:1728
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU" /f
  2⤵
  - Modifies registry class
  PID:524
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags" /f
  2⤵
  PID:692
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU" /f
  2⤵
  PID:3224
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /f
  2⤵
  PID:828
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /f
  2⤵
  PID:4352
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache" /f
  2⤵
  PID:4024
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU" /f
  2⤵
  PID:4236
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" /f
  2⤵
  PID:4592
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy" /f
  2⤵
  PID:1252
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /f
  2⤵
  PID:3452
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist" /f
  2⤵
  PID:2148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/524-139-0x0000000000000000-mapping.dmp

Download
memory/692-140-0x0000000000000000-mapping.dmp

Download
memory/828-142-0x0000000000000000-mapping.dmp

Download
memory/1252-147-0x0000000000000000-mapping.dmp

Download
memory/1348-136-0x0000000000000000-mapping.dmp

Download
memory/1728-138-0x0000000000000000-mapping.dmp

Download
memory/2044-135-0x0000000000000000-mapping.dmp

Download
memory/2148-149-0x0000000000000000-mapping.dmp

Download
memory/3224-141-0x0000000000000000-mapping.dmp

Download
memory/3452-148-0x0000000000000000-mapping.dmp

Download
memory/3468-132-0x0000000000000000-mapping.dmp

Download
memory/4024-144-0x0000000000000000-mapping.dmp

Download
memory/4236-145-0x0000000000000000-mapping.dmp

Download
memory/4316-133-0x0000000000000000-mapping.dmp

Download
memory/4352-143-0x0000000000000000-mapping.dmp

Download
memory/4592-146-0x0000000000000000-mapping.dmp

Download
memory/4660-137-0x0000000000000000-mapping.dmp

Download
memory/4728-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads