f6199fe0c5630f73c0cd588e71626ab8552fb312e90e441bbe6f1ebd50bc7ccb

Resubmissions

28-04-2024 18:37

240428-w9rt9sed4s 9

28-04-2024 18:36

240428-w875vsea56 9

Analysis

max time kernel
67s
max time network
44s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cleaner7.bat
Size

253KB
MD5

c26c52657c60cd9590dc11c8d6f563a5
SHA1

7517d767b64d983fa28545dbedb76c937049e775
SHA256

54ed81f8e76aba8298bd302f872b4e1bbabaee272575c39e0f18ddc23ad6c2f3
SHA512

8844ec48ee632c59d4cd7421856e4cd160bdea86e4100fac72ae321cd6cb934352f85aaa3b727fd17a9e96c10592c013d44fe12d5850edfbc479df23b92cf00a
SSDEEP

1536:VNoZxBOz2oCfgCWfr3bwUWgn8q01L5LvLpLjL5sff4oH9sffzs:UfgCW4UWgnh4oH9qzs

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

4324 sc.exe
4392 sc.exe
1504 sc.exe
1072 sc.exe

pid	process
4324	sc.exe
4392	sc.exe
1504	sc.exe
1072	sc.exe

Kills process with taskkill 15 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2944	taskkill.exe
1284	taskkill.exe
4088	taskkill.exe
816	taskkill.exe
4964	taskkill.exe
3680	taskkill.exe
1052	taskkill.exe
4168	taskkill.exe
2488	taskkill.exe
728	taskkill.exe
3420	taskkill.exe
2684	taskkill.exe
3188	taskkill.exe
4100	taskkill.exe
4924	taskkill.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4964	taskkill.exe
Token: SeDebugPrivilege	3680	taskkill.exe
Token: SeDebugPrivilege	4100	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	4168	taskkill.exe
Token: SeDebugPrivilege	2944	taskkill.exe
Token: SeDebugPrivilege	1284	taskkill.exe
Token: SeDebugPrivilege	4088	taskkill.exe
Token: SeDebugPrivilege	3188	taskkill.exe
Token: SeDebugPrivilege	728	taskkill.exe
Token: SeDebugPrivilege	816	taskkill.exe
Token: SeDebugPrivilege	3420	taskkill.exe
Token: SeDebugPrivilege	2488	taskkill.exe
Token: SeDebugPrivilege	4924	taskkill.exe
Token: SeDebugPrivilege	1052	taskkill.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 452 wrote to memory of 448	452	cmd.exe	cacls.exe
PID 452 wrote to memory of 448	452	cmd.exe	cacls.exe
PID 452 wrote to memory of 4964	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 4964	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 3680	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 3680	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 4100	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 4100	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 2684	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 2684	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 4168	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 4168	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 2944	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 2944	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 1284	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 1284	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 4088	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 4088	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 3188	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 3188	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 728	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 728	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 816	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 816	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 3420	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 3420	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 2488	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 2488	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 4924	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 4924	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 1052	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 1052	452	cmd.exe	taskkill.exe
PID 452 wrote to memory of 4392	452	cmd.exe	sc.exe
PID 452 wrote to memory of 4392	452	cmd.exe	sc.exe
PID 452 wrote to memory of 1504	452	cmd.exe	sc.exe
PID 452 wrote to memory of 1504	452	cmd.exe	sc.exe
PID 452 wrote to memory of 1072	452	cmd.exe	sc.exe
PID 452 wrote to memory of 1072	452	cmd.exe	sc.exe
PID 452 wrote to memory of 4324	452	cmd.exe	sc.exe
PID 452 wrote to memory of 4324	452	cmd.exe	sc.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Cleaner7.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
2⤵
PID:448

C:\Windows\system32\taskkill.exe
taskkill /f /im epicgameslauncher.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteLauncher.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Windows\system32\taskkill.exe
taskkill /f /im UnrealCEFSubProcess.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\system32\taskkill.exe
taskkill /f /im CEFProcess.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\system32\taskkill.exe
taskkill /f /im EasyAntiCheat.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:728

C:\Windows\system32\taskkill.exe
taskkill /f /im BEService.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\system32\taskkill.exe
taskkill /f /im BEServices.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\system32\taskkill.exe
taskkill /f /im BattleEye.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\system32\taskkill.exe
taskkill /f /im PerfWatson2.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\system32\taskkill.exe
taskkill /f /im vgtray.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\system32\sc.exe
Sc stop EasyAntiCheat
2⤵
- Launches sc.exe
PID:4392

C:\Windows\system32\sc.exe
Sc stop FortniteClient-Win64-Shipping_EAC
2⤵
- Launches sc.exe
PID:1504

C:\Windows\system32\sc.exe
Sc stop BattleEye
2⤵
- Launches sc.exe
PID:1072

C:\Windows\system32\sc.exe
Sc stop FortniteClient-Win64-Shipping_BE
2⤵
- Launches sc.exe
PID:4324

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads