2ba9d1f00b6c9eae7b5328afd6bd6e1561e4d6a831209f94d1f631ebffa72d9c

General

Target

cleaner_fixed.exe
Size

6.1MB
MD5

4a1635b43bc46617b5a2e4916bfd2fa9
SHA1

3bb3b336391251d446775889b5da375336f6305b
SHA256

2ba9d1f00b6c9eae7b5328afd6bd6e1561e4d6a831209f94d1f631ebffa72d9c
SHA512

f76ef411628ffdc37d769b0383317911c002dc5eac57e32e4cd5f6db8da7df5c38aa0c0a4d14d1af383bb58f2f264cf9b55a9e4002c784209ebabb5c6cd37ce2
SSDEEP

98304:ozmsCg59qryH9HVM+hPapWp4XNLHMLRXJGDxP0QlGNdtF8pJ:oSseyd1M+h8WpWLsLBJGvYdQ

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/2012-60-0x000000013FB00000-0x00000001405DE000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

cleaner_fixed.exe

pid process

2012 cleaner_fixed.exe

pid	process
2012	cleaner_fixed.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1240	taskkill.exe
1932	taskkill.exe
1352	taskkill.exe
524	taskkill.exe
280	taskkill.exe
1644	taskkill.exe
1384	taskkill.exe
288	taskkill.exe
1620	taskkill.exe
1088	taskkill.exe
1912	taskkill.exe
1748	taskkill.exe
1868	taskkill.exe
2000	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

cleaner_fixed.exe

pid process

2012 cleaner_fixed.exe

pid	process
2012	cleaner_fixed.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	524	taskkill.exe
Token: SeDebugPrivilege	280	taskkill.exe
Token: SeDebugPrivilege	1240	taskkill.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	1384	taskkill.exe
Token: SeDebugPrivilege	1868	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	288	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	1088	taskkill.exe
Token: SeDebugPrivilege	1352	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	1912	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cleaner_fixed.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2012 wrote to memory of 1860	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1860	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1860	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1496	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1496	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1496	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1492	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1492	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1492	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1324	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1324	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1324	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 596	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 596	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 596	2012	cleaner_fixed.exe	cmd.exe
PID 596 wrote to memory of 524	596	cmd.exe	taskkill.exe
PID 596 wrote to memory of 524	596	cmd.exe	taskkill.exe
PID 596 wrote to memory of 524	596	cmd.exe	taskkill.exe
PID 2012 wrote to memory of 1104	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1104	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1104	2012	cleaner_fixed.exe	cmd.exe
PID 1104 wrote to memory of 280	1104	cmd.exe	taskkill.exe
PID 1104 wrote to memory of 280	1104	cmd.exe	taskkill.exe
PID 1104 wrote to memory of 280	1104	cmd.exe	taskkill.exe
PID 2012 wrote to memory of 664	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 664	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 664	2012	cleaner_fixed.exe	cmd.exe
PID 664 wrote to memory of 1240	664	cmd.exe	taskkill.exe
PID 664 wrote to memory of 1240	664	cmd.exe	taskkill.exe
PID 664 wrote to memory of 1240	664	cmd.exe	taskkill.exe
PID 2012 wrote to memory of 1780	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1780	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1780	2012	cleaner_fixed.exe	cmd.exe
PID 1780 wrote to memory of 1748	1780	cmd.exe	taskkill.exe
PID 1780 wrote to memory of 1748	1780	cmd.exe	taskkill.exe
PID 1780 wrote to memory of 1748	1780	cmd.exe	taskkill.exe
PID 2012 wrote to memory of 1548	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1548	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1548	2012	cleaner_fixed.exe	cmd.exe
PID 1548 wrote to memory of 1384	1548	cmd.exe	taskkill.exe
PID 1548 wrote to memory of 1384	1548	cmd.exe	taskkill.exe
PID 1548 wrote to memory of 1384	1548	cmd.exe	taskkill.exe
PID 2012 wrote to memory of 1652	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1652	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1652	2012	cleaner_fixed.exe	cmd.exe
PID 1652 wrote to memory of 1868	1652	cmd.exe	taskkill.exe
PID 1652 wrote to memory of 1868	1652	cmd.exe	taskkill.exe
PID 1652 wrote to memory of 1868	1652	cmd.exe	taskkill.exe
PID 2012 wrote to memory of 1692	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1692	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1692	2012	cleaner_fixed.exe	cmd.exe
PID 1692 wrote to memory of 1644	1692	cmd.exe	taskkill.exe
PID 1692 wrote to memory of 1644	1692	cmd.exe	taskkill.exe
PID 1692 wrote to memory of 1644	1692	cmd.exe	taskkill.exe
PID 2012 wrote to memory of 1560	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1560	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1560	2012	cleaner_fixed.exe	cmd.exe
PID 1560 wrote to memory of 288	1560	cmd.exe	taskkill.exe
PID 1560 wrote to memory of 288	1560	cmd.exe	taskkill.exe
PID 1560 wrote to memory of 288	1560	cmd.exe	taskkill.exe
PID 2012 wrote to memory of 1320	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1320	2012	cleaner_fixed.exe	cmd.exe
PID 2012 wrote to memory of 1320	2012	cleaner_fixed.exe	cmd.exe
PID 1320 wrote to memory of 1932	1320	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\cleaner_fixed.exe
"C:\Users\Admin\AppData\Local\Temp\cleaner_fixed.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 0b
2⤵
PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
2⤵
PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\system32\taskkill.exe
taskkill /f /im steam.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
PID:564

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
PID:1724

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
PID:1660

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
PID:1612

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
PID:1972

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1912

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2012-54-0x0000000076FE0000-0x0000000076FE2000-memory.dmp

Filesize
8KB

Download
memory/2012-55-0x0000000076FE0000-0x0000000076FE2000-memory.dmp

Filesize
8KB

Download
memory/2012-56-0x0000000076FE0000-0x0000000076FE2000-memory.dmp

Filesize
8KB

Download
memory/2012-57-0x0000000076FF0000-0x0000000076FF2000-memory.dmp

Filesize
8KB

Download
memory/2012-58-0x0000000076FF0000-0x0000000076FF2000-memory.dmp

Filesize
8KB

Download
memory/2012-59-0x0000000076FF0000-0x0000000076FF2000-memory.dmp

Filesize
8KB

Download
memory/2012-60-0x000000013FB00000-0x00000001405DE000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads