Overview

Score per tab and per sample/platform task (platform in parentheses):
- Overview: 9
- Static: 3
- PH Spoofer1.1.rar (windows7-x64): 3
- PH Spoofer1.1.rar (windows10-2004-x64): 3
- Cleaner1 R...IN.bat (windows7-x64): 8
- Cleaner1 R...IN.bat (windows10-2004-x64): 8
- Cleaner2.bat (windows7-x64): 7
- Cleaner2.bat (windows10-2004-x64): 1
- Cleaner3.bat (windows7-x64): 1
- Cleaner3.bat (windows10-2004-x64): 1
- Cleaner4.bat (windows7-x64): 8
- Cleaner4.bat (windows10-2004-x64): 8
- Cleaner5.bat (windows7-x64): 7
- Cleaner5.bat (windows10-2004-x64): 5
- Cleaner6.bat (windows7-x64): 7
- Cleaner6.bat (windows10-2004-x64): 7
- Cleaner7.bat (windows7-x64): 8
- Cleaner7.bat (windows10-2004-x64): 8
- MAC.cmd (windows7-x64): 1
- MAC.cmd (windows10-2004-x64): 1
- PH Spoofer.exe (windows7-x64): 9
- PH Spoofer.exe (windows10-2004-x64): 9
Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 28-04-2024 18:36
Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: PH Spoofer1.1.rar, win7-20240419-en
- behavioral2: PH Spoofer1.1.rar, win10v2004-20240419-en
- behavioral3: Cleaner1 RUN ALL AS ADMIN.bat, win7-20240221-en
- behavioral4: Cleaner1 RUN ALL AS ADMIN.bat, win10v2004-20240419-en
- behavioral5: Cleaner2.bat, win7-20240221-en
- behavioral6: Cleaner2.bat, win10v2004-20240419-en
- behavioral7: Cleaner3.bat, win7-20240419-en
- behavioral8: Cleaner3.bat, win10v2004-20240419-en
- behavioral9: Cleaner4.bat, win7-20240220-en
- behavioral10: Cleaner4.bat, win10v2004-20240426-en
- behavioral11: Cleaner5.bat, win7-20240221-en
- behavioral12: Cleaner5.bat, win10v2004-20240419-en
- behavioral13: Cleaner6.bat, win7-20240221-en
- behavioral14: Cleaner6.bat, win10v2004-20240426-en
- behavioral15: Cleaner7.bat, win7-20240215-en
- behavioral16: Cleaner7.bat, win10v2004-20240419-en
- behavioral17: MAC.cmd, win7-20240221-en
- behavioral18: MAC.cmd, win10v2004-20240419-en
- behavioral19: PH Spoofer.exe, win7-20240221-en
- behavioral20: PH Spoofer.exe, win10v2004-20240419-en
General
- Target: Cleaner7.bat
- Size: 253KB
- MD5: c26c52657c60cd9590dc11c8d6f563a5
- SHA1: 7517d767b64d983fa28545dbedb76c937049e775
- SHA256: 54ed81f8e76aba8298bd302f872b4e1bbabaee272575c39e0f18ddc23ad6c2f3
- SHA512: 8844ec48ee632c59d4cd7421856e4cd160bdea86e4100fac72ae321cd6cb934352f85aaa3b727fd17a9e96c10592c013d44fe12d5850edfbc479df23b92cf00a
- SSDEEP: 1536:VNoZxBOz2oCfgCWfr3bwUWgn8q01L5LvLpLjL5sff4oH9sffzs:UfgCW4UWgnh4oH9qzs
Malware Config
Signatures
- Stops running service(s) (3 TTPs)
- Deletes itself (1 IoCs)
  Processes (pid, process): 2908 cmd.exe
- Launches sc.exe (4 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes (pid, process): 2208 sc.exe, 1568 sc.exe, 832 sc.exe, 1600 sc.exe
- Kills process with taskkill (15 IoCs)
  Processes (pid, process; all taskkill.exe): 2636, 1716, 2432, 2460, 1788, 2312, 2436, 2384, 2260, 2584, 2920, 2900, 2644, 2744, 2740
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes (description: Token: SeDebugPrivilege; pid, process; all taskkill.exe): 2260, 2584, 2636, 1716, 2312, 2920, 2432, 2384, 2460, 2436, 2900, 1788, 2644, 2744, 2740
- Suspicious use of WriteProcessMemory (60 IoCs)
  Processes: PID 2908 cmd.exe wrote to memory of each target below; every target is recorded three times (20 targets x 3 = 60 events).
  Targets (pid, process): 2912 cacls.exe; 2260 taskkill.exe; 2584 taskkill.exe; 2636 taskkill.exe; 1716 taskkill.exe; 2312 taskkill.exe; 2920 taskkill.exe; 2432 taskkill.exe; 2384 taskkill.exe; 2460 taskkill.exe; 2436 taskkill.exe; 2900 taskkill.exe; 1788 taskkill.exe; 2644 taskkill.exe; 2744 taskkill.exe; 2740 taskkill.exe; 2208 sc.exe; 1568 sc.exe; 832 sc.exe; 1600 sc.exe
Processes (process tree; the bracketed number is the depth in the tree, image path on the first line, command line on the second)
- [1] C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\Cleaner7.bat"
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  - [2] C:\Windows\system32\taskkill.exe
    taskkill /f /im epicgameslauncher.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteLauncher.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\taskkill.exe
    taskkill /f /im OneDrive.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\taskkill.exe
    taskkill /f /im UnrealCEFSubProcess.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\taskkill.exe
    taskkill /f /im CEFProcess.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\taskkill.exe
    taskkill /f /im EasyAntiCheat.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\taskkill.exe
    taskkill /f /im BEService.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\taskkill.exe
    taskkill /f /im BEServices.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\taskkill.exe
    taskkill /f /im BattleEye.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\taskkill.exe
    taskkill /f /im PerfWatson2.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\taskkill.exe
    taskkill /f /im vgtray.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\sc.exe
    Sc stop EasyAntiCheat
    - Launches sc.exe
  - [2] C:\Windows\system32\sc.exe
    Sc stop FortniteClient-Win64-Shipping_EAC
    - Launches sc.exe
  - [2] C:\Windows\system32\sc.exe
    Sc stop BattleEye
    - Launches sc.exe
  - [2] C:\Windows\system32\sc.exe
    Sc stop FortniteClient-Win64-Shipping_BE
    - Launches sc.exe