f6199fe0c5630f73c0cd588e71626ab8552fb312e90e441bbe6f1ebd50bc7ccb

Resubmissions

28-04-2024 18:37

240428-w9rt9sed4s 9

28-04-2024 18:36

240428-w875vsea56 9

Analysis

max time kernel
67s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cleaner1 RUN ALL AS ADMIN.bat
Size

4KB
MD5

ccf667986586fc0ee3a0898629a36ede
SHA1

6ffaec4689d257344f8edd02d44d8388280fb162
SHA256

ca7dfbc65c1fde66413b5dd06f763cbe6b8be78c2a3b88030ccd5dfac23c07df
SHA512

3e7f9b8df4c455595b57c18917ab9092f5cbd08545116788bcfa709e9edc79c36dae51493da7dc19ba04f69067a420755379a5b11a73205bd05b569f3c0c7ff3
SSDEEP

48:5eB5uGLW8FktI/JHeUsY200qfDTfbi5t2Qzt2Nt2QVt2ttUFt2AAt2Aop+RAULJY:oHeZY2ELTTqMQPdwYrOPT

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3184 netsh.exe

pid	process
3184	netsh.exe

Kills process with taskkill 11 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3004	taskkill.exe
2740	taskkill.exe
2628	taskkill.exe
3892	taskkill.exe
2736	taskkill.exe
1696	taskkill.exe
4472	taskkill.exe
208	taskkill.exe
556	taskkill.exe
2772	taskkill.exe
1120	taskkill.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	1120	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	2736	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	4472	taskkill.exe
Token: SeDebugPrivilege	208	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	556	taskkill.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 4220 wrote to memory of 2628	4220	cmd.exe	taskkill.exe
PID 4220 wrote to memory of 2628	4220	cmd.exe	taskkill.exe
PID 4220 wrote to memory of 2772	4220	cmd.exe	taskkill.exe
PID 4220 wrote to memory of 2772	4220	cmd.exe	taskkill.exe
PID 4220 wrote to memory of 1120	4220	cmd.exe	taskkill.exe
PID 4220 wrote to memory of 1120	4220	cmd.exe	taskkill.exe
PID 4220 wrote to memory of 3892	4220	cmd.exe	taskkill.exe
PID 4220 wrote to memory of 3892	4220	cmd.exe	taskkill.exe
PID 4220 wrote to memory of 2736	4220	cmd.exe	taskkill.exe
PID 4220 wrote to memory of 2736	4220	cmd.exe	taskkill.exe
PID 4220 wrote to memory of 3004	4220	cmd.exe	taskkill.exe
PID 4220 wrote to memory of 3004	4220	cmd.exe	taskkill.exe
PID 4220 wrote to memory of 1696	4220	cmd.exe	taskkill.exe
PID 4220 wrote to memory of 1696	4220	cmd.exe	taskkill.exe
PID 4220 wrote to memory of 4472	4220	cmd.exe	taskkill.exe
PID 4220 wrote to memory of 4472	4220	cmd.exe	taskkill.exe
PID 4220 wrote to memory of 208	4220	cmd.exe	taskkill.exe
PID 4220 wrote to memory of 208	4220	cmd.exe	taskkill.exe
PID 4220 wrote to memory of 2740	4220	cmd.exe	taskkill.exe
PID 4220 wrote to memory of 2740	4220	cmd.exe	taskkill.exe
PID 4220 wrote to memory of 556	4220	cmd.exe	taskkill.exe
PID 4220 wrote to memory of 556	4220	cmd.exe	taskkill.exe
PID 4220 wrote to memory of 4832	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 4832	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 1140	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 1140	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 3208	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 3208	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 3460	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 3460	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 1500	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 1500	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 4996	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 4996	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 680	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 680	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 3864	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 3864	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 1472	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 1472	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 2392	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 2392	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 2804	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 2804	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 768	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 768	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 4180	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 4180	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 1128	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 1128	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 4892	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 4892	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 1968	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 1968	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 4628	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 4628	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 4400	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 4400	4220	cmd.exe	reg.exe
PID 4220 wrote to memory of 3184	4220	cmd.exe	netsh.exe
PID 4220 wrote to memory of 3184	4220	cmd.exe	netsh.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Cleaner1 RUN ALL AS ADMIN.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Windows\system32\taskkill.exe
  taskkill /f /im epicgameslauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicWebHelper.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3892
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:208
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEServices.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BattleEye.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f
  2⤵
  PID:4832
- C:\Windows\system32\reg.exe
  reg delete "HKCU\SOFTWARE\Epic Games" /f
  2⤵
  PID:1140
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f
  2⤵
  PID:3208
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f
  2⤵
  PID:3460
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f
  2⤵
  PID:1500
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
  2⤵
  PID:4996
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f
  2⤵
  PID:680
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f
  2⤵
  PID:3864
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
  2⤵
  PID:1472
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
  2⤵
  PID:2392
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f
  2⤵
  PID:2804
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f
  2⤵
  PID:768
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
  2⤵
  PID:4180
- C:\Windows\system32\reg.exe
  reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f
  2⤵
  PID:1128
- C:\Windows\system32\reg.exe
  reg delete "HKCR\com.epicgames.eos" /f
  2⤵
  PID:4892
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
  2⤵
  PID:1968
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\EpicGames" /f
  2⤵
  PID:4628
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f
  2⤵
  PID:4400
- C:\Windows\system32\netsh.exe
  netsh advfirewall reset
  2⤵
  - Modifies Windows Firewall
  PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads