Resubmissions

16-03-2024 00:38

240316-azfhlahb59 10

16-03-2024 00:34

240316-aw1z5aha92 10

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win11-20240221-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    16-03-2024 00:38

General

  • Target

    csgo-cs2-spoofer-main/Taskbar.Kill/Taskkill_clean.bat

  • Size

    2KB

  • MD5

    712c005ebe175282f4fd644144f8bcd5

  • SHA1

    e3167aa2650dc6d15f295a6de9e2b83211f565c3

  • SHA256

    540ba332bbf723178fe9b662c528dfa91e0aa08f924f4d557664316b2649507a

  • SHA512

    108021facba33c0297490defa830947fc437d3f1522c8fb874f52d4235b77ecdc88ae66537b2c07c89815b31a38e756207e0d4ca5d2ca6b134939fc2fc2481a1

Score
8/10

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
  • Launches sc.exe 9 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 45 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\csgo-cs2-spoofer-main\Taskbar.Kill\Taskkill_clean.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4372
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im epicgameslauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1608
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:460
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:556
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4468
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteLauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4848
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4636
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4592
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4376
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EasyAntiCheat_Setup.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4596
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteLauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2968
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicWebHelper.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3288
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4020
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EasyAntiCheat.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3024
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im BEService_x64.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3392
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5096
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4896
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2504
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im smartscreen.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1632
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EasyAntiCheat.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3576
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnf.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4280
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im DNF.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1672
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im CrossProxy.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tensafe_1.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5072
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im TenSafe_1.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1652
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tensafe_2.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2012
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tencentdl.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2600
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im TenioDL.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2576
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im uishell.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2856
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im BackgroundDownloader.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2180
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im conime.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2640
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im QQDL.EXE
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2348
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im qqlogin.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4644
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnfchina.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1184
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnfchinatest.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1072
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnf.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:440
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im txplatform.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1292
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im TXPlatform.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3028
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginWebHelperService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3312
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im Origin.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3144
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginClientService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4092
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginER.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1388
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginThinSetupInternal.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2376
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im OriginLegacyCLI.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3852
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im Agent.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4864
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im Client.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4928
    • C:\Windows\system32\sc.exe
      sc stop Steam
      2⤵
      • Launches sc.exe
      PID:4840
    • C:\Windows\system32\sc.exe
      sc stop BEService
      2⤵
      • Launches sc.exe
      PID:4404
    • C:\Windows\system32\sc.exe
      sc stop EasyAntiCheat
      2⤵
      • Launches sc.exe
      PID:760
    • C:\Windows\system32\sc.exe
      sc stop PunkBuster
      2⤵
      • Launches sc.exe
      PID:3876
    • C:\Windows\system32\sc.exe
      sc stop Vanguard
      2⤵
      • Launches sc.exe
      PID:4112
    • C:\Windows\system32\sc.exe
      sc stop ricocheat
      2⤵
      • Launches sc.exe
      PID:2064
    • C:\Windows\system32\sc.exe
      sc stop defender
      2⤵
      • Launches sc.exe
      PID:2988
    • C:\Windows\system32\sc.exe
      sc stop firewall
      2⤵
      • Launches sc.exe
      PID:4228
    • C:\Windows\system32\sc.exe
      sc stop explorer
      2⤵
      • Launches sc.exe
      PID:1712
    • C:\Windows\system32\PING.EXE
      ping -n 1 google.com
      2⤵
      • Runs ping.exe
      PID:708
    • C:\Windows\system32\netsh.exe
      netsh wlan connect name="your_wifi_network_name"
      2⤵
      PID:4592
    • C:\Windows\system32\PING.EXE
      ping -n 1 google.com
      2⤵
      • Runs ping.exe
      PID:372
    • C:\Windows\system32\ipconfig.exe
      ipconfig /all
      2⤵
      • Gathers network information
      PID:812

Network

MITRE ATT&CK Enterprise v15
