Overview

overview

10

Static

static

3

csgo-cs2-s...in.zip

windows7-x64

1

csgo-cs2-s...in.zip

windows10-2004-x64

1

csgo-cs2-s...DME.md

windows7-x64

3

csgo-cs2-s...DME.md

windows10-2004-x64

3

csgo-cs2-s...er.bat

windows7-x64

1

csgo-cs2-s...er.bat

windows10-2004-x64

1

csgo-cs2-s...th.hpp

windows7-x64

3

csgo-cs2-s...th.hpp

windows10-2004-x64

3

csgo-cs2-s...or.hpp

windows7-x64

3

csgo-cs2-s...or.hpp

windows10-2004-x64

3

csgo-cs2-s...er.hpp

windows7-x64

3

csgo-cs2-s...er.hpp

windows10-2004-x64

3

csgo-cs2-s...in.cpp

windows7-x64

3

csgo-cs2-s...in.cpp

windows10-2004-x64

3

csgo-cs2-s...ther.h

windows7-x64

3

csgo-cs2-s...ther.h

windows10-2004-x64

3

csgo-cs2-s...urce.h

windows7-x64

3

csgo-cs2-s...urce.h

windows10-2004-x64

3

csgo-cs2-s...rstr.h

windows7-x64

3

csgo-cs2-s...rstr.h

windows10-2004-x64

3

csgo-cs2-s...er.exe

windows7-x64

10

csgo-cs2-s...er.exe

windows10-2004-x64

10

csgo-cs2-s...an.bat

windows7-x64

8

csgo-cs2-s...an.bat

windows10-2004-x64

8

csgo-cs2-s...ig.hpp

windows7-x64

3

csgo-cs2-s...ig.hpp

windows10-2004-x64

3

csgo-cs2-s...ui.cpp

windows7-x64

3

csgo-cs2-s...ui.cpp

windows10-2004-x64

3

csgo-cs2-s...ui.hpp

windows7-x64

3

csgo-cs2-s...ui.hpp

windows10-2004-x64

3

csgo-cs2-s...aw.cpp

windows7-x64

3

csgo-cs2-s...aw.cpp

windows10-2004-x64

3

Resubmissions

16-03-2024 00:38

240316-azfhlahb59 10

16-03-2024 00:34

240316-aw1z5aha92 10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    16-03-2024 00:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    csgo-cs2-spoofer-main/Taskbar.Kill/Taskkill_clean.bat

  • Size

    2KB

  • MD5

    712c005ebe175282f4fd644144f8bcd5

  • SHA1

    e3167aa2650dc6d15f295a6de9e2b83211f565c3

  • SHA256

    540ba332bbf723178fe9b662c528dfa91e0aa08f924f4d557664316b2649507a

  • SHA512

    108021facba33c0297490defa830947fc437d3f1522c8fb874f52d4235b77ecdc88ae66537b2c07c89815b31a38e756207e0d4ca5d2ca6b134939fc2fc2481a1

Score
8/10
evasion

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Launches sc.exe 9 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 45 IoCs
    evasion
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\csgo-cs2-spoofer-main\Taskbar.Kill\Taskkill_clean.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2620
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im epicgameslauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2928
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2524
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2632
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2664
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteLauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2576
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2548
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2704
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2472
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EasyAntiCheat_Setup.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2544
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteLauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2436
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicWebHelper.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2496
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2748
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EasyAntiCheat.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3068
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im BEService_x64.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2328
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:804
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2324
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1204
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im smartscreen.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1900
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EasyAntiCheat.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:772
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnf.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1648
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im DNF.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:852
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im CrossProxy.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2716
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tensafe_1.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:808
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im TenSafe_1.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1620
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tensafe_2.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2068
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tencentdl.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1212
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im TenioDL.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1968
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im uishell.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:676
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im BackgroundDownloader.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:668
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im conime.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:584
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im QQDL.EXE
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:640
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im qqlogin.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2308
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnfchina.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1128
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnfchinatest.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2404
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnf.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2816
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im txplatform.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:700
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im TXPlatform.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2252
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginWebHelperService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1544
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im Origin.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:776
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginClientService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1808
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginER.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2416
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginThinSetupInternal.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2064
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginLegacyCLI.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3036
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im Agent.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1512
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im Client.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1924
    • C:\Windows\system32\sc.exe
      sc stop Steam
      2⤵
      • Launches sc.exe
      PID:1916
    • C:\Windows\system32\sc.exe
      sc stop BEService
      2⤵
      • Launches sc.exe
      PID:3024
    • C:\Windows\system32\sc.exe
      sc stop EasyAntiCheat
      2⤵
      • Launches sc.exe
      PID:1500
    • C:\Windows\system32\sc.exe
      sc stop PunkBuster
      2⤵
      • Launches sc.exe
      PID:1016
    • C:\Windows\system32\sc.exe
      sc stop Vanguard
      2⤵
      • Launches sc.exe
      PID:1740
    • C:\Windows\system32\sc.exe
      sc stop ricocheat
      2⤵
      • Launches sc.exe
      PID:2072
    • C:\Windows\system32\sc.exe
      sc stop defender
      2⤵
      • Launches sc.exe
      PID:888
    • C:\Windows\system32\sc.exe
      sc stop firewall
      2⤵
      • Launches sc.exe
      PID:1692
    • C:\Windows\system32\sc.exe
      sc stop explorer
      2⤵
      • Launches sc.exe
      PID:2300
    • C:\Windows\system32\PING.EXE
      ping -n 1 google.com
      2⤵
      • Runs ping.exe
      PID:1716
    • C:\Windows\system32\netsh.exe
      netsh wlan connect name="your_wifi_network_name"
      2⤵
        PID:2800
      • C:\Windows\system32\PING.EXE
        ping -n 1 google.com
        2⤵
        • Runs ping.exe
        PID:2540
      • C:\Windows\system32\ipconfig.exe
        ipconfig /all
        2⤵
        • Gathers network information
        PID:2588

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads