6bfb6cc367163788d1f1af479187b55a222150af3edc427718dddb8172c4f757

Analysis

max time kernel
121s
max time network
152s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spooky-cleaner.exe
Size

15KB
MD5

c79ca8ddd76c54108754dca6fb880a00
SHA1

00065504f411c7a51d115058d38735fe204cf672
SHA256

6bfb6cc367163788d1f1af479187b55a222150af3edc427718dddb8172c4f757
SHA512

f5c9cdd128b581c9ddea4d6fe978df77d47f37aabb8a870146e85707cf8276b5f608f65886c6547551529f516d23fd25ea682e1667cac1aa5bcaa6339039294d
SSDEEP

192:5Zif8PLRDBalCNcdV4tmefZaNSNBtNplnhUvopB9/Zz8Q7cBtYiaAws681E3Q5tE:3DBaINcdVsmmZawNXz8Mcy3NT

Score

1^/10

Malware Config

Signatures

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2252	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2748	tasklist.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1260	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	tasklist.exe
Token: SeDebugPrivilege	1260	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2636	2264	spooky-cleaner.exe	30
PID 2264 wrote to memory of 2636	2264	spooky-cleaner.exe	30
PID 2264 wrote to memory of 2636	2264	spooky-cleaner.exe	30
PID 2636 wrote to memory of 2748	2636	cmd.exe	31
PID 2636 wrote to memory of 2748	2636	cmd.exe	31
PID 2636 wrote to memory of 2748	2636	cmd.exe	31
PID 2636 wrote to memory of 2764	2636	cmd.exe	32
PID 2636 wrote to memory of 2764	2636	cmd.exe	32
PID 2636 wrote to memory of 2764	2636	cmd.exe	32
PID 2264 wrote to memory of 2640	2264	spooky-cleaner.exe	34
PID 2264 wrote to memory of 2640	2264	spooky-cleaner.exe	34
PID 2264 wrote to memory of 2640	2264	spooky-cleaner.exe	34
PID 2264 wrote to memory of 2716	2264	spooky-cleaner.exe	35
PID 2264 wrote to memory of 2716	2264	spooky-cleaner.exe	35
PID 2264 wrote to memory of 2716	2264	spooky-cleaner.exe	35
PID 2264 wrote to memory of 2516	2264	spooky-cleaner.exe	36
PID 2264 wrote to memory of 2516	2264	spooky-cleaner.exe	36
PID 2264 wrote to memory of 2516	2264	spooky-cleaner.exe	36
PID 2264 wrote to memory of 2688	2264	spooky-cleaner.exe	37
PID 2264 wrote to memory of 2688	2264	spooky-cleaner.exe	37
PID 2264 wrote to memory of 2688	2264	spooky-cleaner.exe	37
PID 2264 wrote to memory of 2908	2264	spooky-cleaner.exe	38
PID 2264 wrote to memory of 2908	2264	spooky-cleaner.exe	38
PID 2264 wrote to memory of 2908	2264	spooky-cleaner.exe	38
PID 2264 wrote to memory of 2668	2264	spooky-cleaner.exe	39
PID 2264 wrote to memory of 2668	2264	spooky-cleaner.exe	39
PID 2264 wrote to memory of 2668	2264	spooky-cleaner.exe	39
PID 2668 wrote to memory of 2252	2668	cmd.exe	40
PID 2668 wrote to memory of 2252	2668	cmd.exe	40
PID 2668 wrote to memory of 2252	2668	cmd.exe	40
PID 2264 wrote to memory of 2672	2264	spooky-cleaner.exe	41
PID 2264 wrote to memory of 2672	2264	spooky-cleaner.exe	41
PID 2264 wrote to memory of 2672	2264	spooky-cleaner.exe	41
PID 2672 wrote to memory of 2676	2672	cmd.exe	42
PID 2672 wrote to memory of 2676	2672	cmd.exe	42
PID 2672 wrote to memory of 2676	2672	cmd.exe	42
PID 2264 wrote to memory of 2556	2264	spooky-cleaner.exe	43
PID 2264 wrote to memory of 2556	2264	spooky-cleaner.exe	43
PID 2264 wrote to memory of 2556	2264	spooky-cleaner.exe	43
PID 2264 wrote to memory of 2508	2264	spooky-cleaner.exe	44
PID 2264 wrote to memory of 2508	2264	spooky-cleaner.exe	44
PID 2264 wrote to memory of 2508	2264	spooky-cleaner.exe	44
PID 2264 wrote to memory of 2504	2264	spooky-cleaner.exe	45
PID 2264 wrote to memory of 2504	2264	spooky-cleaner.exe	45
PID 2264 wrote to memory of 2504	2264	spooky-cleaner.exe	45
PID 2264 wrote to memory of 2524	2264	spooky-cleaner.exe	46
PID 2264 wrote to memory of 2524	2264	spooky-cleaner.exe	46
PID 2264 wrote to memory of 2524	2264	spooky-cleaner.exe	46
PID 2264 wrote to memory of 2540	2264	spooky-cleaner.exe	47
PID 2264 wrote to memory of 2540	2264	spooky-cleaner.exe	47
PID 2264 wrote to memory of 2540	2264	spooky-cleaner.exe	47
PID 2264 wrote to memory of 2552	2264	spooky-cleaner.exe	48
PID 2264 wrote to memory of 2552	2264	spooky-cleaner.exe	48
PID 2264 wrote to memory of 2552	2264	spooky-cleaner.exe	48
PID 2264 wrote to memory of 2580	2264	spooky-cleaner.exe	49
PID 2264 wrote to memory of 2580	2264	spooky-cleaner.exe	49
PID 2264 wrote to memory of 2580	2264	spooky-cleaner.exe	49
PID 2264 wrote to memory of 2628	2264	spooky-cleaner.exe	50
PID 2264 wrote to memory of 2628	2264	spooky-cleaner.exe	50
PID 2264 wrote to memory of 2628	2264	spooky-cleaner.exe	50
PID 2264 wrote to memory of 1952	2264	spooky-cleaner.exe	51
PID 2264 wrote to memory of 1952	2264	spooky-cleaner.exe	51
PID 2264 wrote to memory of 1952	2264	spooky-cleaner.exe	51
PID 2264 wrote to memory of 2992	2264	spooky-cleaner.exe	52

C:\Users\Admin\AppData\Local\Temp\spooky-cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\spooky-cleaner.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Steam.exe" 2>NUL | find /I /N "Steam.exe" > NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq Steam.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- - C:\Windows\system32\find.exe
    find /I /N "Steam.exe"
    3⤵
    PID:2764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /S /Q "C:\Program Files (x86)\Steam\userdata\*"
  2⤵
  PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /S /Q "C:\Program Files (x86)\Steam\dumps\*"
  2⤵
  PID:2716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /S /Q "C:\Program Files (x86)\Steam\logs\*"
  2⤵
  PID:2516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /S /Q "C:\Program Files (x86)\Steam\config\*"
  2⤵
  PID:2688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /S /Q "C:\Program Files (x86)\Steam\steamapps\*.acf"
  2⤵
  PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c timeout /t 4 /nobreak > NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\system32\timeout.exe
    timeout /t 4 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKCU\Software\Valve\Steam\Users" /va /f > NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\Software\Valve\Steam\Users" /va /f
    3⤵
    PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd C:\
  2⤵
  PID:2556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del *.log /a /s /q /f
  2⤵
  PID:2504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del *.temp /a /s /q /f
  2⤵
  PID:2524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del *.tmp /a /s /q /f
  2⤵
  PID:2540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del *.bak /a /s /q /f
  2⤵
  PID:2552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del *.old /a /s /q /f
  2⤵
  PID:2580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del *.chk /a /s /q /f
  2⤵
  PID:2628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del *.mkd /a /s /q /f
  2⤵
  PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del *.pf /a /s /q /f
  2⤵
  PID:2992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del *.dlf /a /s /q /f
  2⤵
  PID:2988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM steam*
  2⤵
  PID:3000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd "C:\Program Files (x86)\Steam"
  2⤵
  PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q userdata
  2⤵
  PID:2696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q config
  2⤵
  PID:2820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q logs
  2⤵
  PID:2608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q dumps
  2⤵
  PID:2828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q appcache
  2⤵
  PID:2844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /A:H ssfn*
  2⤵
  PID:1532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd %localappdata%
  2⤵
  PID:1460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q EasyAntiCheat
  2⤵
  PID:2036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "Facepunch Studios LTD"
  2⤵
  PID:1196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd %appdata%
  2⤵
  PID:1676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "Facepunch Studios LTD"
  2⤵
  PID:1032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q EasyAntiCheat
  2⤵
  PID:1036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd ..
  2⤵
  PID:1732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd LocalLow
  2⤵
  PID:1564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q EasyAntiCheat
  2⤵
  PID:616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd %UserProfile%
  2⤵
  PID:1948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "Facepunch Studios LTD"
  2⤵
  PID:312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q EasyAntiCheat
  2⤵
  PID:1912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "Facepunch Studios LTD"
  2⤵
  PID:1044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:2188

C:\Windows\system32\taskkill.exe
taskkill /F /IM steam*
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...