Overview

overview

10

Static

static

3

csgo-cs2-s...in.zip

windows7-x64

1

csgo-cs2-s...in.zip

windows10-2004-x64

1

csgo-cs2-s...DME.md

windows7-x64

3

csgo-cs2-s...DME.md

windows10-2004-x64

3

csgo-cs2-s...er.bat

windows7-x64

1

csgo-cs2-s...er.bat

windows10-2004-x64

1

csgo-cs2-s...th.hpp

windows7-x64

3

csgo-cs2-s...th.hpp

windows10-2004-x64

3

csgo-cs2-s...or.hpp

windows7-x64

3

csgo-cs2-s...or.hpp

windows10-2004-x64

3

csgo-cs2-s...er.hpp

windows7-x64

3

csgo-cs2-s...er.hpp

windows10-2004-x64

3

csgo-cs2-s...in.cpp

windows7-x64

3

csgo-cs2-s...in.cpp

windows10-2004-x64

3

csgo-cs2-s...ther.h

windows7-x64

3

csgo-cs2-s...ther.h

windows10-2004-x64

3

csgo-cs2-s...urce.h

windows7-x64

3

csgo-cs2-s...urce.h

windows10-2004-x64

3

csgo-cs2-s...rstr.h

windows7-x64

3

csgo-cs2-s...rstr.h

windows10-2004-x64

3

csgo-cs2-s...er.exe

windows7-x64

10

csgo-cs2-s...er.exe

windows10-2004-x64

10

csgo-cs2-s...an.bat

windows7-x64

8

csgo-cs2-s...an.bat

windows10-2004-x64

8

csgo-cs2-s...ig.hpp

windows7-x64

3

csgo-cs2-s...ig.hpp

windows10-2004-x64

3

csgo-cs2-s...ui.cpp

windows7-x64

3

csgo-cs2-s...ui.cpp

windows10-2004-x64

3

csgo-cs2-s...ui.hpp

windows7-x64

3

csgo-cs2-s...ui.hpp

windows10-2004-x64

3

csgo-cs2-s...aw.cpp

windows7-x64

3

csgo-cs2-s...aw.cpp

windows10-2004-x64

3

Resubmissions

16-03-2024 00:38

240316-azfhlahb59 10

16-03-2024 00:34

240316-aw1z5aha92 10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-03-2024 00:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    csgo-cs2-spoofer-main/Taskbar.Kill/Taskkill_clean.bat

  • Size

    2KB

  • MD5

    712c005ebe175282f4fd644144f8bcd5

  • SHA1

    e3167aa2650dc6d15f295a6de9e2b83211f565c3

  • SHA256

    540ba332bbf723178fe9b662c528dfa91e0aa08f924f4d557664316b2649507a

  • SHA512

    108021facba33c0297490defa830947fc437d3f1522c8fb874f52d4235b77ecdc88ae66537b2c07c89815b31a38e756207e0d4ca5d2ca6b134939fc2fc2481a1

Score
8/10
evasion

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Launches sc.exe 9 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 45 IoCs
    evasion
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\csgo-cs2-spoofer-main\Taskbar.Kill\Taskkill_clean.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im epicgameslauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4556
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4876
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:660
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:684
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteLauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4656
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2472
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2268
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4536
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EasyAntiCheat_Setup.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4816
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteLauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2012
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicWebHelper.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1276
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:380
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EasyAntiCheat.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2728
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im BEService_x64.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4352
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1512
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2808
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4244
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im smartscreen.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3736
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EasyAntiCheat.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4644
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnf.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:520
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im DNF.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1576
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im CrossProxy.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2740
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tensafe_1.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2484
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im TenSafe_1.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2988
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tensafe_2.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3208
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tencentdl.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2024
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im TenioDL.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:836
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im uishell.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3616
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im BackgroundDownloader.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2920
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im conime.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3764
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im QQDL.EXE
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1384
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im qqlogin.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2544
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnfchina.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4724
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnfchinatest.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1904
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnf.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4192
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im txplatform.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4308
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im TXPlatform.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3064
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginWebHelperService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3660
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im Origin.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4920
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginClientService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3936
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginER.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2564
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginThinSetupInternal.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:8
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginLegacyCLI.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3648
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im Agent.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4768
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im Client.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1160
    • C:\Windows\system32\sc.exe
      sc stop Steam
      2⤵
      • Launches sc.exe
      PID:1272
    • C:\Windows\system32\sc.exe
      sc stop BEService
      2⤵
      • Launches sc.exe
      PID:4568
    • C:\Windows\system32\sc.exe
      sc stop EasyAntiCheat
      2⤵
      • Launches sc.exe
      PID:2668
    • C:\Windows\system32\sc.exe
      sc stop PunkBuster
      2⤵
      • Launches sc.exe
      PID:1036
    • C:\Windows\system32\sc.exe
      sc stop Vanguard
      2⤵
      • Launches sc.exe
      PID:1544
    • C:\Windows\system32\sc.exe
      sc stop ricocheat
      2⤵
      • Launches sc.exe
      PID:1340
    • C:\Windows\system32\sc.exe
      sc stop defender
      2⤵
      • Launches sc.exe
      PID:1996
    • C:\Windows\system32\sc.exe
      sc stop firewall
      2⤵
      • Launches sc.exe
      PID:632
    • C:\Windows\system32\sc.exe
      sc stop explorer
      2⤵
      • Launches sc.exe
      PID:1224
    • C:\Windows\system32\PING.EXE
      ping -n 1 google.com
      2⤵
      • Runs ping.exe
      PID:4808
    • C:\Windows\system32\netsh.exe
      netsh wlan connect name="your_wifi_network_name"
      2⤵
        PID:1688
      • C:\Windows\system32\PING.EXE
        ping -n 1 google.com
        2⤵
        • Runs ping.exe
        PID:2808
      • C:\Windows\system32\ipconfig.exe
        ipconfig /all
        2⤵
        • Gathers network information
        PID:2988

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads