f7f336955fa601fcd9ecb0e30911e6543882b2027dcbd27ac307d25fabd342db

Analysis

max time kernel
28s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-03-2023 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Meta Unban/Cleaners/FortniteCleaner.bat
Size

1.5MB
MD5

2429db21a224c48fa6b17e55a6762328
SHA1

f86eb0c2de25e8970add83b66253d3f18b0994e1
SHA256

365685c1e71944bc955c6be46cc33a44099bcb0f8c625228e89445f18866b778
SHA512

0487e79a9b2b427f8c0e5bb860e78039bcf29626bd58ad8190df858fcfa130d15add3fcd350cdadaccbc1d2e13f822dab76e418029d692d2ccd972594b4c0e23
SSDEEP

49152:9TOB4ynYygOvXsMruROZyUpWvWOLZkORn:b

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 11 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1720	taskkill.exe
844	taskkill.exe
1536	taskkill.exe
664	taskkill.exe
1500	taskkill.exe
2012	taskkill.exe
1716	taskkill.exe
108	taskkill.exe
1652	taskkill.exe
1424	taskkill.exe
1436	taskkill.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	1436	taskkill.exe
Token: SeDebugPrivilege	844	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	664	taskkill.exe
Token: SeDebugPrivilege	108	taskkill.exe
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 1120 wrote to memory of 2012	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 2012	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 2012	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 1716	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 1716	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 1716	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 1424	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 1424	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 1424	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 1720	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 1720	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 1720	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 1436	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 1436	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 1436	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 844	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 844	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 844	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 1536	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 1536	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 1536	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 664	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 664	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 664	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 108	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 108	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 108	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 1652	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 1652	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 1652	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 1500	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 1500	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 1500	1120	cmd.exe	taskkill.exe
PID 1120 wrote to memory of 1936	1120	cmd.exe	cmd.exe
PID 1120 wrote to memory of 1936	1120	cmd.exe	cmd.exe
PID 1120 wrote to memory of 1936	1120	cmd.exe	cmd.exe
PID 1936 wrote to memory of 1880	1936	cmd.exe	findstr.exe
PID 1936 wrote to memory of 1880	1936	cmd.exe	findstr.exe
PID 1936 wrote to memory of 1880	1936	cmd.exe	findstr.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\FortniteCleaner.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\system32\taskkill.exe
taskkill /f /im epicgameslauncher.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteLauncher.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\system32\taskkill.exe
taskkill /f /im UnrealCEFSubProcess.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\system32\taskkill.exe
taskkill /f /im CEFProcess.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\system32\taskkill.exe
taskkill /f /im EasyAntiCheat.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\system32\taskkill.exe
taskkill /f /im BEService.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:108

C:\Windows\system32\taskkill.exe
taskkill /f /im BEServices.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\system32\taskkill.exe
taskkill /f /im BattleEye.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\FortniteCleaner.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\system32\findstr.exe
findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\FortniteCleaner.bat"
1⤵
PID:1880

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads