f6199fe0c5630f73c0cd588e71626ab8552fb312e90e441bbe6f1ebd50bc7ccb

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cleaner1 RUN ALL AS ADMIN.bat
Size

4KB
MD5

ccf667986586fc0ee3a0898629a36ede
SHA1

6ffaec4689d257344f8edd02d44d8388280fb162
SHA256

ca7dfbc65c1fde66413b5dd06f763cbe6b8be78c2a3b88030ccd5dfac23c07df
SHA512

3e7f9b8df4c455595b57c18917ab9092f5cbd08545116788bcfa709e9edc79c36dae51493da7dc19ba04f69067a420755379a5b11a73205bd05b569f3c0c7ff3
SSDEEP

48:5eB5uGLW8FktI/JHeUsY200qfDTfbi5t2Qzt2Nt2QVt2ttUFt2AAt2Aop+RAULJY:oHeZY2ELTTqMQPdwYrOPT

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2776 netsh.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2684 cmd.exe

pid	process
2776	netsh.exe

pid	process
2684	cmd.exe

Kills process with taskkill 11 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2852	taskkill.exe
2560	taskkill.exe
2584	taskkill.exe
2468	taskkill.exe
2444	taskkill.exe
3056	taskkill.exe
2640	taskkill.exe
2552	taskkill.exe
3052	taskkill.exe
2596	taskkill.exe
2440	taskkill.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	3056	taskkill.exe
Token: SeDebugPrivilege	2560	taskkill.exe
Token: SeDebugPrivilege	2640	taskkill.exe
Token: SeDebugPrivilege	2552	taskkill.exe
Token: SeDebugPrivilege	3052	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	2440	taskkill.exe
Token: SeDebugPrivilege	2584	taskkill.exe
Token: SeDebugPrivilege	2468	taskkill.exe
Token: SeDebugPrivilege	2444	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2684 wrote to memory of 2852	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2852	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2852	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 3056	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 3056	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 3056	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2560	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2560	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2560	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2640	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2640	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2640	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2552	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2552	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2552	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 3052	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 3052	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 3052	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2596	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2596	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2596	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2440	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2440	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2440	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2584	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2584	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2584	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2468	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2468	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2468	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2444	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2444	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2444	2684	cmd.exe	taskkill.exe
PID 2684 wrote to memory of 2908	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2908	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2908	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2984	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2984	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2984	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2464	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2464	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2464	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 1992	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 1992	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 1992	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2916	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2916	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2916	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2076	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2076	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2076	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 1056	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 1056	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 1056	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 1072	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 1072	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 1072	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 1188	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 1188	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 1188	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2680	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2680	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2680	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2712	2684	cmd.exe	reg.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Cleaner1 RUN ALL AS ADMIN.bat"
1⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\system32\taskkill.exe
taskkill /f /im epicgameslauncher.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicWebHelper.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteLauncher.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\system32\taskkill.exe
taskkill /f /im EasyAntiCheat.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\system32\taskkill.exe
taskkill /f /im BEService.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\system32\taskkill.exe
taskkill /f /im BEServices.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\system32\taskkill.exe
taskkill /f /im BattleEye.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f
2⤵
PID:2908

C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Epic Games" /f
2⤵
PID:2984

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f
2⤵
PID:2464

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f
2⤵
PID:1992

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f
2⤵
PID:2916

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
2⤵
PID:2076

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f
2⤵
PID:1056

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f
2⤵
PID:1072

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
2⤵
PID:1188

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
2⤵
PID:2680

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f
2⤵
PID:2712

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f
2⤵
PID:2736

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
2⤵
PID:2716

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f
2⤵
PID:2744

C:\Windows\system32\reg.exe
reg delete "HKCR\com.epicgames.eos" /f
2⤵
PID:2700

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
2⤵
PID:2732

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\EpicGames" /f
2⤵
PID:2756

C:\Windows\system32\reg.exe
reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f
2⤵
PID:2768

C:\Windows\system32\netsh.exe
netsh advfirewall reset
2⤵
- Modifies Windows Firewall
PID:2776

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads