f6199fe0c5630f73c0cd588e71626ab8552fb312e90e441bbe6f1ebd50bc7ccb

Resubmissions

28-04-2024 18:37

240428-w9rt9sed4s 9

28-04-2024 18:36

240428-w875vsea56 9

Analysis

max time kernel
134s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cleaner4.bat
Size

111KB
MD5

7d29dc3ace16b45ae3b437cf8aa7d65f
SHA1

fbcfde13c5522d808c321c58291cfa962f104655
SHA256

317142fae707cbac948083d56b1163aa5a6a1b9270031d9e49ea79214ebe99ef
SHA512

333d36985afdbe68fbe455d3f59cbe6fc77b0669de44194e07ca28dece06505a1bd5c354ef132df70b936f7ba2740241046b75ab86afbd4728c0da5371e576d9
SSDEEP

768:zo9R/KZzmezF/svUsfg8gVhCBL1oPYdxCA1n5xpoL8oPlRPrPEPupL5LvLpLjLg3:E9xg8gUDRnvplQL5LvLpLjLnC

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3460 netsh.exe

pid	process
3460	netsh.exe

Kills process with taskkill 11 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4324	taskkill.exe
812	taskkill.exe
2220	taskkill.exe
4088	taskkill.exe
4896	taskkill.exe
2172	taskkill.exe
5096	taskkill.exe
4660	taskkill.exe
1036	taskkill.exe
3272	taskkill.exe
4852	taskkill.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2220	taskkill.exe
Token: SeDebugPrivilege	4088	taskkill.exe
Token: SeDebugPrivilege	1036	taskkill.exe
Token: SeDebugPrivilege	4896	taskkill.exe
Token: SeDebugPrivilege	2172	taskkill.exe
Token: SeDebugPrivilege	5096	taskkill.exe
Token: SeDebugPrivilege	3272	taskkill.exe
Token: SeDebugPrivilege	4660	taskkill.exe
Token: SeDebugPrivilege	4324	taskkill.exe
Token: SeDebugPrivilege	812	taskkill.exe
Token: SeDebugPrivilege	4852	taskkill.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2828 wrote to memory of 3800	2828	cmd.exe	cacls.exe
PID 2828 wrote to memory of 3800	2828	cmd.exe	cacls.exe
PID 2828 wrote to memory of 2220	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 2220	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 4088	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 4088	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 1036	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 1036	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 4896	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 4896	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 2172	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 2172	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 5096	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 5096	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 3272	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 3272	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 4660	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 4660	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 4324	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 4324	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 812	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 812	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 4852	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 4852	2828	cmd.exe	taskkill.exe
PID 2828 wrote to memory of 3912	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 3912	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 1988	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 1988	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 1248	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 1248	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 4876	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 4876	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 4804	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 4804	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 4220	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 4220	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 5092	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 5092	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 1752	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 1752	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 3160	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 3160	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 332	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 332	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 4564	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 4564	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 4556	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 4556	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 2140	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 2140	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 4992	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 4992	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 2232	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 2232	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 2264	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 2264	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 3944	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 3944	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 3460	2828	cmd.exe	netsh.exe
PID 2828 wrote to memory of 3460	2828	cmd.exe	netsh.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Cleaner4.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:3800
- C:\Windows\system32\taskkill.exe
  taskkill /f /im epicgameslauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicWebHelper.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4896
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5096
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3272
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4660
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4324
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEServices.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:812
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BattleEye.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4852
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f
  2⤵
  PID:3912
- C:\Windows\system32\reg.exe
  reg delete "HKCU\SOFTWARE\Epic Games" /f
  2⤵
  PID:1988
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f
  2⤵
  PID:1248
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f
  2⤵
  PID:4876
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f
  2⤵
  PID:4804
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f
  2⤵
  PID:4220
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
  2⤵
  PID:5092
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
  2⤵
  PID:1752
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f
  2⤵
  PID:3160
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
  2⤵
  PID:332
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f
  2⤵
  PID:4564
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f
  2⤵
  PID:4556
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
  2⤵
  PID:2140
- C:\Windows\system32\reg.exe
  reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f
  2⤵
  PID:4992
- C:\Windows\system32\reg.exe
  reg delete "HKCR\com.epicgames.eos" /f
  2⤵
  PID:2232
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
  2⤵
  PID:2264
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f
  2⤵
  PID:3944
- C:\Windows\system32\netsh.exe
  netsh advfirewall reset
  2⤵
  - Modifies Windows Firewall
  PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads