Overview

overview

9

Static

static

7

Meta Unban...er.exe

windows7-x64

9

Meta Unban...er.exe

windows10-2004-x64

9

Meta Unban...EL.exe

windows7-x64

9

Meta Unban...EL.exe

windows10-2004-x64

9

Meta Unban...er.exe

windows7-x64

9

Meta Unban...er.exe

windows10-2004-x64

9

Meta Unban...er.exe

windows7-x64

8

Meta Unban...er.exe

windows10-2004-x64

8

Meta Unban...er.exe

windows7-x64

9

Meta Unban...er.exe

windows10-2004-x64

9

Meta Unban...er.bat

windows7-x64

8

Meta Unban...er.bat

windows10-2004-x64

8

Meta Unban...er.bat

windows7-x64

1

Meta Unban...er.bat

windows10-2004-x64

1

Meta Unban...er.exe

windows7-x64

7

Meta Unban...er.exe

windows10-2004-x64

7

Meta Unban...ol.bat

windows7-x64

8

Meta Unban...ol.bat

windows10-2004-x64

8

Meta Unban...an.exe

windows7-x64

1

Meta Unban...an.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    27s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    22-03-2023 04:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Meta Unban/Cleaners/full deep cleaner by nigga mhatt lol.bat

  • Size

    902KB

  • MD5

    602ac0bd731b2615933dde1442e96ff7

  • SHA1

    586be9b5bb086aa301eea7df5ee998390756b912

  • SHA256

    97c781dfaa813232a8d13f7dcdfd1490f355ab85823b2cd73b9dd259d3a1ad07

  • SHA512

    d5cee12b3c99cae442808c463636faa0f96cdae24d6caff13fd5e27a40f74ce58cd15f43430d5ebd15d968588d491dee17bb31b3f7c19ed7d55e2882a25d30eb

  • SSDEEP

    3072:kOW9mafKzoz3g8gzRnvplYSc5mzozEzoz6zozn:5ykyuykyn

Score
8/10
evasion

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Deletes itself 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Kills process with taskkill 40 IoCs
    evasion
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\full deep cleaner by nigga mhatt lol.bat"
    1⤵
    • Deletes itself
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1472
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im epicgameslauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2036
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1972
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:520
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1160
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteLauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1868
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im UnrealCEFSubProcess.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1772
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im CEFProcess.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1332
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EasyAntiCheat.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1628
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im BEService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1240
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im BEServices.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1576
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im BattleEye.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1432
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im smartscreen.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:988
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im smartscreen.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1900
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EasyAntiCheat.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:360
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnf.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1928
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im DNF.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:896
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im CrossProxy.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1144
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tensafe_1.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1884
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im TenSafe_1.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:748
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tensafe_2.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1284
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tencentdl.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:556
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im TenioDL.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1164
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im uishell.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1048
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im BackgroundDownloader.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1720
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im conime.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1648
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im QQDL.EXE
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1484
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im qqlogin.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1600
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnfchina.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1572
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnfchinatest.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1628
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnf.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1240
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im txplatform.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1556
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im TXPlatform.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1432
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginWebHelperService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:988
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im Origin.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1900
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginClientService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:360
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginER.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1928
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginThinSetupInternal.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:896
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginLegacyCLI.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1144
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im Agent.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1884
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im Client.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:748
    • C:\Windows\system32\sc.exe
      Sc stop EasyAntiCheat
      2⤵
      • Launches sc.exe
      PID:1284
    • C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {10724-14180-31225-6636} /f
      2⤵
      • Modifies registry key
      PID:268
    • C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {18484-871-28250-19403} /f
      2⤵
      • Modifies registry key
      PID:556
    • C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 15560-24919-4809-20485 /f
      2⤵
      • Modifies registry key
      PID:984
    • C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 22216-11659-13518-22093 /f
      2⤵
      • Modifies registry key
      PID:1392
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
      2⤵
        PID:1388
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
        2⤵
          PID:876
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
          2⤵
            PID:1160
          • C:\Windows\system32\reg.exe
            reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
            2⤵
              PID:584
            • C:\Windows\system32\reg.exe
              reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
              2⤵
                PID:1048
              • C:\Windows\system32\reg.exe
                reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
                2⤵
                  PID:1868

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Modify Existing Service

              1
              T1031

              Privilege Escalation

              Defense Evasion

              Impair Defenses

              1
              T1562

              Modify Registry

              1
              T1112

              Credential Access

              Discovery

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Service Stop

              1
              T1489

              Replay Monitor

              Loading Replay Monitor...

              Downloads