f6199fe0c5630f73c0cd588e71626ab8552fb312e90e441bbe6f1ebd50bc7ccb

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cleaner7.bat
Size

253KB
MD5

c26c52657c60cd9590dc11c8d6f563a5
SHA1

7517d767b64d983fa28545dbedb76c937049e775
SHA256

54ed81f8e76aba8298bd302f872b4e1bbabaee272575c39e0f18ddc23ad6c2f3
SHA512

8844ec48ee632c59d4cd7421856e4cd160bdea86e4100fac72ae321cd6cb934352f85aaa3b727fd17a9e96c10592c013d44fe12d5850edfbc479df23b92cf00a
SSDEEP

1536:VNoZxBOz2oCfgCWfr3bwUWgn8q01L5LvLpLjL5sff4oH9sffzs:UfgCW4UWgnh4oH9qzs

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2692 cmd.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2824 sc.exe
2864 sc.exe
2812 sc.exe
276 sc.exe

pid	process
2692	cmd.exe

pid	process
2824	sc.exe
2864	sc.exe
2812	sc.exe
276	sc.exe

Kills process with taskkill 15 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3016	taskkill.exe
2680	taskkill.exe
2580	taskkill.exe
2000	taskkill.exe
2476	taskkill.exe
1432	taskkill.exe
784	taskkill.exe
1040	taskkill.exe
2756	taskkill.exe
2584	taskkill.exe
2832	taskkill.exe
588	taskkill.exe
1568	taskkill.exe
2400	taskkill.exe
1804	taskkill.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3016	taskkill.exe
Token: SeDebugPrivilege	2680	taskkill.exe
Token: SeDebugPrivilege	2756	taskkill.exe
Token: SeDebugPrivilege	2584	taskkill.exe
Token: SeDebugPrivilege	2580	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	2400	taskkill.exe
Token: SeDebugPrivilege	2476	taskkill.exe
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeDebugPrivilege	588	taskkill.exe
Token: SeDebugPrivilege	784	taskkill.exe
Token: SeDebugPrivilege	1040	taskkill.exe
Token: SeDebugPrivilege	1568	taskkill.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2692 wrote to memory of 2496	2692	cmd.exe	cacls.exe
PID 2692 wrote to memory of 2496	2692	cmd.exe	cacls.exe
PID 2692 wrote to memory of 2496	2692	cmd.exe	cacls.exe
PID 2692 wrote to memory of 3016	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 3016	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 3016	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2680	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2680	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2680	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2756	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2756	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2756	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2584	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2584	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2584	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2580	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2580	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2580	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2000	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2000	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2000	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2400	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2400	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2400	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2476	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2476	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2476	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2832	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2832	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2832	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 1804	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 1804	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 1804	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 1432	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 1432	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 1432	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 588	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 588	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 588	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 784	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 784	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 784	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 1040	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 1040	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 1040	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 1568	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 1568	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 1568	2692	cmd.exe	taskkill.exe
PID 2692 wrote to memory of 2824	2692	cmd.exe	sc.exe
PID 2692 wrote to memory of 2824	2692	cmd.exe	sc.exe
PID 2692 wrote to memory of 2824	2692	cmd.exe	sc.exe
PID 2692 wrote to memory of 2864	2692	cmd.exe	sc.exe
PID 2692 wrote to memory of 2864	2692	cmd.exe	sc.exe
PID 2692 wrote to memory of 2864	2692	cmd.exe	sc.exe
PID 2692 wrote to memory of 2812	2692	cmd.exe	sc.exe
PID 2692 wrote to memory of 2812	2692	cmd.exe	sc.exe
PID 2692 wrote to memory of 2812	2692	cmd.exe	sc.exe
PID 2692 wrote to memory of 276	2692	cmd.exe	sc.exe
PID 2692 wrote to memory of 276	2692	cmd.exe	sc.exe
PID 2692 wrote to memory of 276	2692	cmd.exe	sc.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Cleaner7.bat"
1⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
2⤵
PID:2496

C:\Windows\system32\taskkill.exe
taskkill /f /im epicgameslauncher.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteLauncher.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\system32\taskkill.exe
taskkill /f /im UnrealCEFSubProcess.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\system32\taskkill.exe
taskkill /f /im CEFProcess.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\system32\taskkill.exe
taskkill /f /im EasyAntiCheat.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\system32\taskkill.exe
taskkill /f /im BEService.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\system32\taskkill.exe
taskkill /f /im BEServices.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\system32\taskkill.exe
taskkill /f /im BattleEye.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\Windows\system32\taskkill.exe
taskkill /f /im PerfWatson2.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\system32\taskkill.exe
taskkill /f /im vgtray.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\system32\sc.exe
Sc stop EasyAntiCheat
2⤵
- Launches sc.exe
PID:2824

C:\Windows\system32\sc.exe
Sc stop FortniteClient-Win64-Shipping_EAC
2⤵
- Launches sc.exe
PID:2864

C:\Windows\system32\sc.exe
Sc stop BattleEye
2⤵
- Launches sc.exe
PID:2812

C:\Windows\system32\sc.exe
Sc stop FortniteClient-Win64-Shipping_BE
2⤵
- Launches sc.exe
PID:276

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads