Analysis
Max time kernel: 118s
Max time network: 118s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 28-04-2024 18:36
Static task
static1

Behavioral tasks (sample / resource)
behavioral1: PH Spoofer1.1.rar / win7-20240419-en
behavioral2: PH Spoofer1.1.rar / win10v2004-20240419-en
behavioral3: Cleaner1 RUN ALL AS ADMIN.bat / win7-20240221-en (the task this report covers)
behavioral4: Cleaner1 RUN ALL AS ADMIN.bat / win10v2004-20240419-en
behavioral5: Cleaner2.bat / win7-20240221-en
behavioral6: Cleaner2.bat / win10v2004-20240419-en
behavioral7: Cleaner3.bat / win7-20240419-en
behavioral8: Cleaner3.bat / win10v2004-20240419-en
behavioral9: Cleaner4.bat / win7-20240220-en
behavioral10: Cleaner4.bat / win10v2004-20240426-en
behavioral11: Cleaner5.bat / win7-20240221-en
behavioral12: Cleaner5.bat / win10v2004-20240419-en
behavioral13: Cleaner6.bat / win7-20240221-en
behavioral14: Cleaner6.bat / win10v2004-20240426-en
behavioral15: Cleaner7.bat / win7-20240215-en
behavioral16: Cleaner7.bat / win10v2004-20240419-en
behavioral17: MAC.cmd / win7-20240221-en
behavioral18: MAC.cmd / win10v2004-20240419-en
behavioral19: PH Spoofer.exe / win7-20240221-en
behavioral20: PH Spoofer.exe / win10v2004-20240419-en
General
Target: Cleaner1 RUN ALL AS ADMIN.bat
Size: 4KB
MD5: ccf667986586fc0ee3a0898629a36ede
SHA1: 6ffaec4689d257344f8edd02d44d8388280fb162
SHA256: ca7dfbc65c1fde66413b5dd06f763cbe6b8be78c2a3b88030ccd5dfac23c07df
SHA512: 3e7f9b8df4c455595b57c18917ab9092f5cbd08545116788bcfa709e9edc79c36dae51493da7dc19ba04f69067a420755379a5b11a73205bd05b569f3c0c7ff3
SSDEEP: 48:5eB5uGLW8FktI/JHeUsY200qfDTfbi5t2Qzt2Nt2QVt2ttUFt2AAt2Aop+RAULJY:oHeZY2ELTTqMQPdwYrOPT
Malware Config
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
  netsh.exe, PID 2884

Deletes itself (1 IoC)
  cmd.exe, PID 2860

Kills process with taskkill (11 IoCs)
  taskkill.exe, PIDs 2368, 2736, 2472, 2216, 2440, 2520, 2984, 2644, 2816, 2572, 2168

Suspicious use of AdjustPrivilegeToken (11 IoCs)
  Token SeDebugPrivilege enabled by taskkill.exe, PIDs 2368, 2984, 2644, 2816, 2572, 2736, 2168, 2472, 2216, 2440, 2520

Suspicious use of WriteProcessMemory (64 IoCs)
  cmd.exe (PID 2860) wrote to the memory of each child it launched, three writes per child:
  taskkill.exe PIDs 2368, 2984, 2644, 2816, 2572, 2736, 2168, 2472, 2216, 2440, 2520
  reg.exe PIDs 2888, 2892, 2032, 2284, 2928, 2172, 1036, 1944, 2432, 2720, 2712
  The report stops listing at 64 entries (33 for taskkill.exe, 30 for reg.exe, and a single entry for PID 2712), so the remaining seven reg.exe children and netsh.exe are not shown here.

Note on reading these hits: the WriteProcessMemory and AdjustPrivilegeToken signatures are side effects of how the batch file runs, not evidence of injection. cmd.exe writes startup parameters into every child it creates (hence three writes per child), and taskkill /f enables SeDebugPrivilege so that it can terminate processes it does not own. The behaviour worth acting on is the combination in the process tree below: forced kills of anti-cheat and launcher processes, deletion of the anti-cheat service keys, deletion of execution-trace keys, and a firewall reset.
Processes

The tree is one cmd.exe running the batch file with thirty direct children: eleven taskkill, eighteen reg delete, one netsh. Besides the Epic Games, Fortnite and anti-cheat (BattlEye BEService/BEDaisy, EasyAntiCheat) entries, two deletions hit locations where Windows records which executables ran: CapabilityAccessManager\ConsentStore\microphone\NonPackaged lists unpackaged programs, by path, that accessed the microphone, and RADAR\HeapLeakDetection\DiagnosedApplications lists programs examined by the heap-leak diagnostic. Those two deletions are the trace-wiping part of the "cleaner"; the batch issues the RADAR deletion twice. Both the ControlSet001 and CurrentControlSet variants of each service key are removed, since CurrentControlSet is a link to whichever ControlSetNNN is active. "BattleEye.exe" is spelled as the script spells it.

C:\Windows\system32\cmd.exe (PID 2860)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\Cleaner1 RUN ALL AS ADMIN.bat"
  Signatures: Deletes itself; Suspicious use of WriteProcessMemory

  Children of PID 2860, in the order the report lists them:

  C:\Windows\system32\taskkill.exe (11 instances, each flagged: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken)
    taskkill /f /im epicgameslauncher.exe
    taskkill /f /im EpicWebHelper.exe
    taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
    taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
    taskkill /f /im FortniteLauncher.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    taskkill /f /im EpicGamesLauncher.exe
    taskkill /f /im EasyAntiCheat.exe
    taskkill /f /im BEService.exe
    taskkill /f /im BEServices.exe
    taskkill /f /im BattleEye.exe

  C:\Windows\system32\reg.exe (18 instances, no signature hits)
    reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f
    reg delete "HKCU\SOFTWARE\Epic Games" /f
    reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f
    reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f
    reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f
    reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
    reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
    reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f
    reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
    reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f
    reg delete "HKCR\com.epicgames.eos" /f
    reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
    reg delete "HKLM\SOFTWARE\EpicGames" /f
    reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f

  C:\Windows\system32\netsh.exe (PID 2884, flagged: Modifies Windows Firewall)
    netsh advfirewall reset
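The following detector is an added example and is not part of this sandbox report or of the analysed archive. It turns the process tree above into a hunting rule: reconstruct parent/child relations from process-creation records and raise a finding when a single parent combines forced taskkill of anti-cheat processes with deletion of anti-cheat service keys, escalating when the same parent also resets the firewall. The record format (Sysmon Event ID 1 fields flattened to Field=value|Field=value) is constructed for the example; the image and service names come from the tree above; the PIDs 2860, 2368, 2644, 2816, 2572, 2888, 2892, 2032 and 2884 are from the report, but the report does not say which taskkill or reg command ran under which PID, so that pairing is arbitrary, and PID 1200 (cmd.exe's parent) and the benign parent 3000 are invented.

```python
"""Hunt for the cleaner pattern in this report (added example, not the sandbox's code):
one parent that force-kills anti-cheat processes, deletes anti-cheat service keys and
resets the firewall, as cmd.exe PID 2860 does in the process tree."""
import json
import re
from collections import defaultdict

# Image and service names come from the report's process tree. Launcher kills are left out
# on purpose so that a game's own uninstaller does not trip the rule.
ANTICHEAT_IMAGES = {
    "easyanticheat.exe", "beservice.exe", "beservices.exe", "battleye.exe",
    "fortniteclient-win64-shipping_eac.exe", "fortniteclient-win64-shipping_be.exe",
}
ANTICHEAT_SERVICES = {"bedaisy", "beservice", "easyanticheat"}

TASKKILL_RE = re.compile(r"^\s*taskkill(?:\.exe)?\s+(?P<args>.*)$", re.IGNORECASE)
REG_DELETE_RE = re.compile(r'^\s*reg(?:\.exe)?\s+delete\s+"?(?P<key>[^"]+?)"?\s+/f\s*$', re.IGNORECASE)
# ControlSet001 and CurrentControlSet name the same service; treat them alike.
SERVICE_KEY_RE = re.compile(
    r"^hklm\\system\\(?:controlset\d{3}|currentcontrolset)\\services\\(?P<svc>[^\\]+)$", re.IGNORECASE)
FIREWALL_RESET_RE = re.compile(r"^\s*netsh(?:\.exe)?\s+advfirewall\s+reset\s*$", re.IGNORECASE)

# Constructed records (Sysmon Event ID 1 fields flattened to Field=value|Field=value).
# Command lines are the report's; PID-to-command pairing, PID 1200 and parent 3000 are made up.
SAMPLE_LOG = r"""
ProcessId=2860|ParentProcessId=1200|Image=C:\Windows\system32\cmd.exe|CommandLine=cmd /c "C:\Users\Admin\AppData\Local\Temp\Cleaner1 RUN ALL AS ADMIN.bat"
ProcessId=2368|ParentProcessId=2860|Image=C:\Windows\system32\taskkill.exe|CommandLine=taskkill /f /im epicgameslauncher.exe
ProcessId=2644|ParentProcessId=2860|Image=C:\Windows\system32\taskkill.exe|CommandLine=taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
ProcessId=2816|ParentProcessId=2860|Image=C:\Windows\system32\taskkill.exe|CommandLine=taskkill /f /im EasyAntiCheat.exe
ProcessId=2572|ParentProcessId=2860|Image=C:\Windows\system32\taskkill.exe|CommandLine=taskkill /f /im BEService.exe
ProcessId=2888|ParentProcessId=2860|Image=C:\Windows\system32\reg.exe|CommandLine=reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f
ProcessId=2892|ParentProcessId=2860|Image=C:\Windows\system32\reg.exe|CommandLine=reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
ProcessId=2032|ParentProcessId=2860|Image=C:\Windows\system32\reg.exe|CommandLine=reg delete "HKCU\SOFTWARE\Epic Games" /f
ProcessId=2884|ParentProcessId=2860|Image=C:\Windows\system32\netsh.exe|CommandLine=netsh advfirewall reset
ProcessId=3100|ParentProcessId=3000|Image=C:\Windows\system32\taskkill.exe|CommandLine=taskkill /f /im notepad.exe
ProcessId=3104|ParentProcessId=3000|Image=C:\Windows\system32\reg.exe|CommandLine=reg delete "HKCU\Software\Contoso\Demo" /f
"""


def parse_event(line):
    """Split one flattened record into a dict of field -> value."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(cmd):
    """Map a command line to ('kill', image), ('svc', service), ('fw', None) or None."""
    m = TASKKILL_RE.match(cmd)
    if m:
        args = m.group("args").lower().split()
        if "/f" in args and "/im" in args and args.index("/im") + 1 < len(args):
            target = args[args.index("/im") + 1]
            return ("kill", target) if target in ANTICHEAT_IMAGES else None
        return None
    m = REG_DELETE_RE.match(cmd)
    if m:
        k = SERVICE_KEY_RE.match(m.group("key"))
        if k and k.group("svc").lower() in ANTICHEAT_SERVICES:
            return ("svc", k.group("svc").lower())
        return None
    if FIREWALL_RESET_RE.match(cmd):
        return ("fw", None)
    return None


def analyse(events):
    """Group classified children by parent PID; a finding needs kills AND service deletions."""
    per_parent = defaultdict(lambda: {"killed": set(), "services": set(), "firewall_reset": False})
    for ev in events:
        hit = classify(ev["CommandLine"])
        if hit is None:
            continue
        bucket = per_parent[ev["ParentProcessId"]]
        kind, value = hit
        if kind == "kill":
            bucket["killed"].add(value)
        elif kind == "svc":
            bucket["services"].add(value)
        else:
            bucket["firewall_reset"] = True
    findings = []
    for ppid, b in sorted(per_parent.items()):
        # Either half alone has benign explanations (uninstaller, manual clean-up); together
        # they are the cleaner pattern, and the firewall reset raises the severity.
        if b["killed"] and b["services"]:
            findings.append({
                "parent_pid": ppid,
                "killed": sorted(b["killed"]),
                "services": sorted(b["services"]),
                "firewall_reset": b["firewall_reset"],
                "severity": "high" if b["firewall_reset"] else "medium",
            })
    return findings


def scan_log(text):
    """Parse every non-empty record in text and return the list of findings."""
    return analyse(parse_event(l) for l in text.strip().splitlines() if l.strip())


if __name__ == "__main__":
    print(json.dumps(scan_log(SAMPLE_LOG), indent=2))
```

Run stand-alone, the script prints one high-severity finding for parent 2860 (three anti-cheat images killed, the BEDaisy and EasyAntiCheat service keys deleted, firewall reset) and nothing for parent 3000, whose single taskkill and unrelated reg delete fall outside the rule. To use it on real telemetry, feed it Sysmon Event ID 1 or Security 4688 events with command-line auditing enabled, keyed by ParentProcessId as here; the two-pillar requirement is what keeps a game's own uninstaller, which also kills its launcher processes, from firing the rule.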