f6199fe0c5630f73c0cd588e71626ab8552fb312e90e441bbe6f1ebd50bc7ccb

Resubmissions

28-04-2024 18:37

240428-w9rt9sed4s 9

28-04-2024 18:36

240428-w875vsea56 9

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cleaner4.bat
Size

111KB
MD5

7d29dc3ace16b45ae3b437cf8aa7d65f
SHA1

fbcfde13c5522d808c321c58291cfa962f104655
SHA256

317142fae707cbac948083d56b1163aa5a6a1b9270031d9e49ea79214ebe99ef
SHA512

333d36985afdbe68fbe455d3f59cbe6fc77b0669de44194e07ca28dece06505a1bd5c354ef132df70b936f7ba2740241046b75ab86afbd4728c0da5371e576d9
SSDEEP

768:zo9R/KZzmezF/svUsfg8gVhCBL1oPYdxCA1n5xpoL8oPlRPrPEPupL5LvLpLjLg3:E9xg8gUDRnvplQL5LvLpLjLnC

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2928 netsh.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1684 cmd.exe

pid	process
2928	netsh.exe

pid	process
1684	cmd.exe

Kills process with taskkill 11 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2504	taskkill.exe
2696	taskkill.exe
2560	taskkill.exe
2512	taskkill.exe
2412	taskkill.exe
2332	taskkill.exe
2544	taskkill.exe
2508	taskkill.exe
2232	taskkill.exe
2728	taskkill.exe
776	taskkill.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2332	taskkill.exe
Token: SeDebugPrivilege	2544	taskkill.exe
Token: SeDebugPrivilege	2504	taskkill.exe
Token: SeDebugPrivilege	2696	taskkill.exe
Token: SeDebugPrivilege	2508	taskkill.exe
Token: SeDebugPrivilege	2232	taskkill.exe
Token: SeDebugPrivilege	2560	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	776	taskkill.exe
Token: SeDebugPrivilege	2512	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1684 wrote to memory of 2316	1684	cmd.exe	cacls.exe
PID 1684 wrote to memory of 2316	1684	cmd.exe	cacls.exe
PID 1684 wrote to memory of 2316	1684	cmd.exe	cacls.exe
PID 1684 wrote to memory of 2332	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2332	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2332	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2544	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2544	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2544	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2504	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2504	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2504	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2696	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2696	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2696	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2508	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2508	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2508	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2232	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2232	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2232	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2560	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2560	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2560	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2728	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2728	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2728	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 776	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 776	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 776	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2512	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2512	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2512	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2412	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2412	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2412	1684	cmd.exe	taskkill.exe
PID 1684 wrote to memory of 2476	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 2476	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 2476	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 1048	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 1048	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 1048	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 3000	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 3000	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 3000	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 2452	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 2452	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 2452	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 2920	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 2920	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 2920	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 1324	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 1324	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 1324	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 1448	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 1448	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 1448	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 1832	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 1832	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 1832	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 2292	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 2292	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 2292	1684	cmd.exe	reg.exe
PID 1684 wrote to memory of 824	1684	cmd.exe	reg.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Cleaner4.bat"
1⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:2316
- C:\Windows\system32\taskkill.exe
  taskkill /f /im epicgameslauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicWebHelper.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEServices.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BattleEye.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f
  2⤵
  PID:2476
- C:\Windows\system32\reg.exe
  reg delete "HKCU\SOFTWARE\Epic Games" /f
  2⤵
  PID:1048
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f
  2⤵
  PID:3000
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f
  2⤵
  PID:2452
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f
  2⤵
  PID:2920
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f
  2⤵
  PID:1324
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
  2⤵
  PID:1448
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
  2⤵
  PID:1832
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f
  2⤵
  PID:2292
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
  2⤵
  PID:824
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f
  2⤵
  PID:2756
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f
  2⤵
  PID:2488
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
  2⤵
  PID:2580
- C:\Windows\system32\reg.exe
  reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f
  2⤵
  PID:2780
- C:\Windows\system32\reg.exe
  reg delete "HKCR\com.epicgames.eos" /f
  2⤵
  PID:2796
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
  2⤵
  PID:2908
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f
  2⤵
  PID:2896
- C:\Windows\system32\netsh.exe
  netsh advfirewall reset
  2⤵
  - Modifies Windows Firewall
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads