f7f336955fa601fcd9ecb0e30911e6543882b2027dcbd27ac307d25fabd342db

Analysis

max time kernel
31s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Meta Unban/Cleaners/full deep cleaner by nigga mhatt lol.bat
Size

902KB
MD5

602ac0bd731b2615933dde1442e96ff7
SHA1

586be9b5bb086aa301eea7df5ee998390756b912
SHA256

97c781dfaa813232a8d13f7dcdfd1490f355ab85823b2cd73b9dd259d3a1ad07
SHA512

d5cee12b3c99cae442808c463636faa0f96cdae24d6caff13fd5e27a40f74ce58cd15f43430d5ebd15d968588d491dee17bb31b3f7c19ed7d55e2882a25d30eb
SSDEEP

3072:kOW9mafKzoz3g8gzRnvplYSc5mzozEzoz6zozn:5ykyuykyn

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1840 sc.exe

pid	process
1840	sc.exe

Kills process with taskkill 40 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
64	taskkill.exe
3728	taskkill.exe
3720	taskkill.exe
2420	taskkill.exe
3592	taskkill.exe
4660	taskkill.exe
2592	taskkill.exe
3824	taskkill.exe
1064	taskkill.exe
5112	taskkill.exe
2228	taskkill.exe
2056	taskkill.exe
3436	taskkill.exe
1388	taskkill.exe
3896	taskkill.exe
900	taskkill.exe
4628	taskkill.exe
452	taskkill.exe
2044	taskkill.exe
4672	taskkill.exe
3648	taskkill.exe
3860	taskkill.exe
380	taskkill.exe
4756	taskkill.exe
1136	taskkill.exe
424	taskkill.exe
3744	taskkill.exe
3384	taskkill.exe
224	taskkill.exe
552	taskkill.exe
2008	taskkill.exe
4244	taskkill.exe
668	taskkill.exe
4640	taskkill.exe
4704	taskkill.exe
1952	taskkill.exe
1992	taskkill.exe
736	taskkill.exe
3928	taskkill.exe
560	taskkill.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

4184 reg.exe
876 reg.exe
1432 reg.exe
4712 reg.exe

pid	process
4184	reg.exe
876	reg.exe
1432	reg.exe
4712	reg.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4244	taskkill.exe
Token: SeDebugPrivilege	3648	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	1388	taskkill.exe
Token: SeDebugPrivilege	3384	taskkill.exe
Token: SeDebugPrivilege	64	taskkill.exe
Token: SeDebugPrivilege	736	taskkill.exe
Token: SeDebugPrivilege	3896	taskkill.exe
Token: SeDebugPrivilege	224	taskkill.exe
Token: SeDebugPrivilege	3592	taskkill.exe
Token: SeDebugPrivilege	3860	taskkill.exe
Token: SeDebugPrivilege	552	taskkill.exe
Token: SeDebugPrivilege	3928	taskkill.exe
Token: SeDebugPrivilege	380	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	668	taskkill.exe
Token: SeDebugPrivilege	1064	taskkill.exe
Token: SeDebugPrivilege	4756	taskkill.exe
Token: SeDebugPrivilege	900	taskkill.exe
Token: SeDebugPrivilege	1136	taskkill.exe
Token: SeDebugPrivilege	4660	taskkill.exe
Token: SeDebugPrivilege	424	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	4628	taskkill.exe
Token: SeDebugPrivilege	3728	taskkill.exe
Token: SeDebugPrivilege	4640	taskkill.exe
Token: SeDebugPrivilege	5112	taskkill.exe
Token: SeDebugPrivilege	3436	taskkill.exe
Token: SeDebugPrivilege	3744	taskkill.exe
Token: SeDebugPrivilege	2592	taskkill.exe
Token: SeDebugPrivilege	452	taskkill.exe
Token: SeDebugPrivilege	3720	taskkill.exe
Token: SeDebugPrivilege	2228	taskkill.exe
Token: SeDebugPrivilege	4704	taskkill.exe
Token: SeDebugPrivilege	2056	taskkill.exe
Token: SeDebugPrivilege	2420	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	3824	taskkill.exe
Token: SeDebugPrivilege	4672	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 5072 wrote to memory of 4244	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 4244	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 3648	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 3648	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 1992	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 1992	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 1388	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 1388	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 3384	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 3384	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 64	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 64	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 736	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 736	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 3896	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 3896	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 224	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 224	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 3592	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 3592	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 3860	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 3860	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 552	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 552	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 3928	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 3928	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 380	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 380	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 2008	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 2008	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 668	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 668	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 1064	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 1064	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 4756	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 4756	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 900	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 900	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 1136	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 1136	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 4660	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 4660	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 424	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 424	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 560	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 560	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 4628	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 4628	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 3728	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 3728	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 4640	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 4640	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 5112	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 5112	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 3436	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 3436	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 3744	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 3744	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 2592	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 2592	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 452	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 452	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 3720	5072	cmd.exe	taskkill.exe
PID 5072 wrote to memory of 3720	5072	cmd.exe	taskkill.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\full deep cleaner by nigga mhatt lol.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\system32\taskkill.exe
taskkill /f /im epicgameslauncher.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteLauncher.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\Windows\system32\taskkill.exe
taskkill /f /im UnrealCEFSubProcess.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Windows\system32\taskkill.exe
taskkill /f /im CEFProcess.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Windows\system32\taskkill.exe
taskkill /f /im EasyAntiCheat.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Windows\system32\taskkill.exe
taskkill /f /im BEService.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\system32\taskkill.exe
taskkill /f /im BEServices.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\system32\taskkill.exe
taskkill /f /im BattleEye.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\system32\taskkill.exe
taskkill /f /im smartscreen.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\system32\taskkill.exe
taskkill /f /im smartscreen.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\system32\taskkill.exe
taskkill /f /im EasyAntiCheat.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\system32\taskkill.exe
taskkill /f /im dnf.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\system32\taskkill.exe
taskkill /f /im DNF.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\system32\taskkill.exe
taskkill /f /im CrossProxy.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\system32\taskkill.exe
taskkill /f /im tensafe_1.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\system32\taskkill.exe
taskkill /f /im TenSafe_1.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\system32\taskkill.exe
taskkill /f /im tensafe_2.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\system32\taskkill.exe
taskkill /f /im tencentdl.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\system32\taskkill.exe
taskkill /f /im TenioDL.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:424

C:\Windows\system32\taskkill.exe
taskkill /f /im uishell.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\system32\taskkill.exe
taskkill /f /im BackgroundDownloader.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\system32\taskkill.exe
taskkill /f /im conime.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\system32\taskkill.exe
taskkill /f /im QQDL.EXE
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\system32\taskkill.exe
taskkill /f /im qqlogin.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\system32\taskkill.exe
taskkill /f /im dnfchina.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\system32\taskkill.exe
taskkill /f /im dnfchinatest.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\system32\taskkill.exe
taskkill /f /im dnf.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\system32\taskkill.exe
taskkill /f /im txplatform.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\system32\taskkill.exe
taskkill /f /im TXPlatform.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\system32\taskkill.exe
taskkill /f /im OriginWebHelperService.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\system32\taskkill.exe
taskkill /f /im Origin.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\system32\taskkill.exe
taskkill /f /im OriginClientService.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\system32\taskkill.exe
taskkill /f /im OriginER.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\system32\taskkill.exe
taskkill /f /im OriginThinSetupInternal.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\taskkill.exe
taskkill /f /im OriginLegacyCLI.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\system32\taskkill.exe
taskkill /f /im Agent.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\system32\taskkill.exe
taskkill /f /im Client.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\system32\sc.exe
Sc stop EasyAntiCheat
2⤵
- Launches sc.exe
PID:1840

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {10737-24406-4377-4585} /f
2⤵
- Modifies registry key
PID:4184

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 16070-326-4217-20661 /f
2⤵
- Modifies registry key
PID:876

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {26974-16578-7932-7694} /f
2⤵
- Modifies registry key
PID:1432

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 12467-12309-3983-25909 /f
2⤵
- Modifies registry key
PID:4712

C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
2⤵
PID:2176

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
2⤵
PID:1900

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
2⤵
PID:2212

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
2⤵
PID:2820

C:\Windows\system32\reg.exe
reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
2⤵
PID:4416

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
2⤵
PID:4264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads