ab5ac412a81f55e6fa6b35db8ab575a0171985c1f24cafae597947bc9fee8374

Analysis

max time kernel
135s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2023 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UDWoof 2.1.1/DeepClean (dels some files).bat
Size

902KB
MD5

602ac0bd731b2615933dde1442e96ff7
SHA1

586be9b5bb086aa301eea7df5ee998390756b912
SHA256

97c781dfaa813232a8d13f7dcdfd1490f355ab85823b2cd73b9dd259d3a1ad07
SHA512

d5cee12b3c99cae442808c463636faa0f96cdae24d6caff13fd5e27a40f74ce58cd15f43430d5ebd15d968588d491dee17bb31b3f7c19ed7d55e2882a25d30eb
SSDEEP

3072:kOW9mafKzoz3g8gzRnvplYSc5mzozEzoz6zozn:5ykyuykyn

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4072	sc.exe

Kills process with taskkill 40 IoCs

evasion

pid	Process
4736	taskkill.exe
1836	taskkill.exe
1892	taskkill.exe
3384	taskkill.exe
2552	taskkill.exe
1880	taskkill.exe
3812	taskkill.exe
2416	taskkill.exe
2816	taskkill.exe
4324	taskkill.exe
636	taskkill.exe
4248	taskkill.exe
4316	taskkill.exe
1972	taskkill.exe
4668	taskkill.exe
780	taskkill.exe
4364	taskkill.exe
4428	taskkill.exe
2376	taskkill.exe
536	taskkill.exe
2092	taskkill.exe
4568	taskkill.exe
676	taskkill.exe
2928	taskkill.exe
4000	taskkill.exe
908	taskkill.exe
2596	taskkill.exe
1548	taskkill.exe
1048	taskkill.exe
4872	taskkill.exe
1060	taskkill.exe
1628	taskkill.exe
2024	taskkill.exe
1684	taskkill.exe
692	taskkill.exe
1320	taskkill.exe
3832	taskkill.exe
3456	taskkill.exe
3084	taskkill.exe
4344	taskkill.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
3756	reg.exe
2828	reg.exe
1488	reg.exe
3640	reg.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeDebugPrivilege	780	taskkill.exe
Token: SeDebugPrivilege	636	taskkill.exe
Token: SeDebugPrivilege	4248	taskkill.exe
Token: SeDebugPrivilege	2928	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	1320	taskkill.exe
Token: SeDebugPrivilege	4364	taskkill.exe
Token: SeDebugPrivilege	4316	taskkill.exe
Token: SeDebugPrivilege	4344	taskkill.exe
Token: SeDebugPrivilege	4324	taskkill.exe
Token: SeDebugPrivilege	4000	taskkill.exe
Token: SeDebugPrivilege	4428	taskkill.exe
Token: SeDebugPrivilege	1892	taskkill.exe
Token: SeDebugPrivilege	4872	taskkill.exe
Token: SeDebugPrivilege	2376	taskkill.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	3384	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	1048	taskkill.exe
Token: SeDebugPrivilege	3456	taskkill.exe
Token: SeDebugPrivilege	908	taskkill.exe
Token: SeDebugPrivilege	3084	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	536	taskkill.exe
Token: SeDebugPrivilege	2092	taskkill.exe
Token: SeDebugPrivilege	4568	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	2552	taskkill.exe
Token: SeDebugPrivilege	1880	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	692	taskkill.exe
Token: SeDebugPrivilege	4736	taskkill.exe
Token: SeDebugPrivilege	3812	taskkill.exe
Token: SeDebugPrivilege	2416	taskkill.exe
Token: SeDebugPrivilege	2816	taskkill.exe
Token: SeDebugPrivilege	676	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	4668	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 780	1992	cmd.exe	84
PID 1992 wrote to memory of 780	1992	cmd.exe	84
PID 1992 wrote to memory of 636	1992	cmd.exe	85
PID 1992 wrote to memory of 636	1992	cmd.exe	85
PID 1992 wrote to memory of 4248	1992	cmd.exe	86
PID 1992 wrote to memory of 4248	1992	cmd.exe	86
PID 1992 wrote to memory of 2928	1992	cmd.exe	87
PID 1992 wrote to memory of 2928	1992	cmd.exe	87
PID 1992 wrote to memory of 2596	1992	cmd.exe	88
PID 1992 wrote to memory of 2596	1992	cmd.exe	88
PID 1992 wrote to memory of 1320	1992	cmd.exe	89
PID 1992 wrote to memory of 1320	1992	cmd.exe	89
PID 1992 wrote to memory of 4364	1992	cmd.exe	90
PID 1992 wrote to memory of 4364	1992	cmd.exe	90
PID 1992 wrote to memory of 4316	1992	cmd.exe	91
PID 1992 wrote to memory of 4316	1992	cmd.exe	91
PID 1992 wrote to memory of 4344	1992	cmd.exe	92
PID 1992 wrote to memory of 4344	1992	cmd.exe	92
PID 1992 wrote to memory of 4324	1992	cmd.exe	93
PID 1992 wrote to memory of 4324	1992	cmd.exe	93
PID 1992 wrote to memory of 4000	1992	cmd.exe	94
PID 1992 wrote to memory of 4000	1992	cmd.exe	94
PID 1992 wrote to memory of 4428	1992	cmd.exe	95
PID 1992 wrote to memory of 4428	1992	cmd.exe	95
PID 1992 wrote to memory of 1892	1992	cmd.exe	96
PID 1992 wrote to memory of 1892	1992	cmd.exe	96
PID 1992 wrote to memory of 4872	1992	cmd.exe	97
PID 1992 wrote to memory of 4872	1992	cmd.exe	97
PID 1992 wrote to memory of 2376	1992	cmd.exe	98
PID 1992 wrote to memory of 2376	1992	cmd.exe	98
PID 1992 wrote to memory of 3832	1992	cmd.exe	99
PID 1992 wrote to memory of 3832	1992	cmd.exe	99
PID 1992 wrote to memory of 3384	1992	cmd.exe	100
PID 1992 wrote to memory of 3384	1992	cmd.exe	100
PID 1992 wrote to memory of 1060	1992	cmd.exe	101
PID 1992 wrote to memory of 1060	1992	cmd.exe	101
PID 1992 wrote to memory of 1836	1992	cmd.exe	102
PID 1992 wrote to memory of 1836	1992	cmd.exe	102
PID 1992 wrote to memory of 1048	1992	cmd.exe	103
PID 1992 wrote to memory of 1048	1992	cmd.exe	103
PID 1992 wrote to memory of 3456	1992	cmd.exe	104
PID 1992 wrote to memory of 3456	1992	cmd.exe	104
PID 1992 wrote to memory of 908	1992	cmd.exe	105
PID 1992 wrote to memory of 908	1992	cmd.exe	105
PID 1992 wrote to memory of 3084	1992	cmd.exe	106
PID 1992 wrote to memory of 3084	1992	cmd.exe	106
PID 1992 wrote to memory of 1548	1992	cmd.exe	107
PID 1992 wrote to memory of 1548	1992	cmd.exe	107
PID 1992 wrote to memory of 1628	1992	cmd.exe	108
PID 1992 wrote to memory of 1628	1992	cmd.exe	108
PID 1992 wrote to memory of 536	1992	cmd.exe	109
PID 1992 wrote to memory of 536	1992	cmd.exe	109
PID 1992 wrote to memory of 2092	1992	cmd.exe	110
PID 1992 wrote to memory of 2092	1992	cmd.exe	110
PID 1992 wrote to memory of 4568	1992	cmd.exe	111
PID 1992 wrote to memory of 4568	1992	cmd.exe	111
PID 1992 wrote to memory of 2024	1992	cmd.exe	112
PID 1992 wrote to memory of 2024	1992	cmd.exe	112
PID 1992 wrote to memory of 2552	1992	cmd.exe	113
PID 1992 wrote to memory of 2552	1992	cmd.exe	113
PID 1992 wrote to memory of 1880	1992	cmd.exe	114
PID 1992 wrote to memory of 1880	1992	cmd.exe	114
PID 1992 wrote to memory of 1684	1992	cmd.exe	115
PID 1992 wrote to memory of 1684	1992	cmd.exe	115

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\UDWoof 2.1.1\DeepClean (dels some files).bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\system32\taskkill.exe
  taskkill /f /im epicgameslauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:780
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:636
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4248
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\system32\taskkill.exe
  taskkill /f /im UnrealCEFSubProcess.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\system32\taskkill.exe
  taskkill /f /im CEFProcess.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4316
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEServices.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4324
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BattleEye.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4000
- C:\Windows\system32\taskkill.exe
  taskkill /f /im smartscreen.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Windows\system32\taskkill.exe
  taskkill /f /im smartscreen.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4872
- C:\Windows\system32\taskkill.exe
  taskkill /f /im dnf.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\system32\taskkill.exe
  taskkill /f /im DNF.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3832
- C:\Windows\system32\taskkill.exe
  taskkill /f /im CrossProxy.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3384
- C:\Windows\system32\taskkill.exe
  taskkill /f /im tensafe_1.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\system32\taskkill.exe
  taskkill /f /im TenSafe_1.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- C:\Windows\system32\taskkill.exe
  taskkill /f /im tensafe_2.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\system32\taskkill.exe
  taskkill /f /im tencentdl.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3456
- C:\Windows\system32\taskkill.exe
  taskkill /f /im TenioDL.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- C:\Windows\system32\taskkill.exe
  taskkill /f /im uishell.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3084
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BackgroundDownloader.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\system32\taskkill.exe
  taskkill /f /im conime.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\system32\taskkill.exe
  taskkill /f /im QQDL.EXE
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\system32\taskkill.exe
  taskkill /f /im qqlogin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\system32\taskkill.exe
  taskkill /f /im dnfchina.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Windows\system32\taskkill.exe
  taskkill /f /im dnfchinatest.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\system32\taskkill.exe
  taskkill /f /im dnf.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\system32\taskkill.exe
  taskkill /f /im txplatform.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\system32\taskkill.exe
  taskkill /f /im TXPlatform.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\system32\taskkill.exe
  taskkill /f /im OriginWebHelperService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:692
- C:\Windows\system32\taskkill.exe
  taskkill /f /im Origin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- C:\Windows\system32\taskkill.exe
  taskkill /f /im OriginClientService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3812
- C:\Windows\system32\taskkill.exe
  taskkill /f /im OriginER.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\system32\taskkill.exe
  taskkill /f /im OriginThinSetupInternal.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\system32\taskkill.exe
  taskkill /f /im OriginLegacyCLI.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:676
- C:\Windows\system32\taskkill.exe
  taskkill /f /im Agent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\system32\taskkill.exe
  taskkill /f /im Client.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- C:\Windows\system32\sc.exe
  Sc stop EasyAntiCheat
  2⤵
  - Launches sc.exe
  PID:4072
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {29840-28796-3455-1173} /f
  2⤵
  - Modifies registry key
  PID:3756
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {29603-11640-7980-4073} /f
  2⤵
  - Modifies registry key
  PID:2828
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 16855-24212-29687-10092 /f
  2⤵
  - Modifies registry key
  PID:1488
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 20192-31998-1893-25441 /f
  2⤵
  - Modifies registry key
  PID:3640
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:3912
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
  2⤵
  PID:2216
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
  2⤵
  PID:1292
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
  2⤵
  PID:4208
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
  2⤵
  PID:4280
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
  2⤵
  PID:2556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads