Overview

overview

9

Static

static

3

Cleaner1 R...IN.bat

windows7-x64

8

Cleaner1 R...IN.bat

windows10-2004-x64

8

Cleaner2.bat

windows7-x64

7

Cleaner2.bat

windows10-2004-x64

1

Cleaner3.bat

windows7-x64

1

Cleaner3.bat

windows10-2004-x64

1

Cleaner4.bat

windows7-x64

8

Cleaner4.bat

windows10-2004-x64

8

Cleaner5.bat

windows7-x64

7

Cleaner5.bat

windows10-2004-x64

5

Cleaner6.bat

windows7-x64

7

Cleaner6.bat

windows10-2004-x64

7

Cleaner7.bat

windows7-x64

8

Cleaner7.bat

windows10-2004-x64

8

MAC.cmd

windows7-x64

1

MAC.cmd

windows10-2004-x64

1

PH Spoofer.exe

windows7-x64

9

PH Spoofer.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    66s
  • max time network
    53s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-04-2024 18:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Cleaner7.bat

  • Size

    253KB

  • MD5

    c26c52657c60cd9590dc11c8d6f563a5

  • SHA1

    7517d767b64d983fa28545dbedb76c937049e775

  • SHA256

    54ed81f8e76aba8298bd302f872b4e1bbabaee272575c39e0f18ddc23ad6c2f3

  • SHA512

    8844ec48ee632c59d4cd7421856e4cd160bdea86e4100fac72ae321cd6cb934352f85aaa3b727fd17a9e96c10592c013d44fe12d5850edfbc479df23b92cf00a

  • SSDEEP

    1536:VNoZxBOz2oCfgCWfr3bwUWgn8q01L5LvLpLjL5sff4oH9sffzs:UfgCW4UWgnh4oH9qzs

Score
8/10
evasion

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Kills process with taskkill 15 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Cleaner7.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Windows\system32\cacls.exe
      "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
      2⤵
        PID:3864
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im epicgameslauncher.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2108
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4860
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1436
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im FortniteLauncher.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:552
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im OneDrive.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3368
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im FortniteClient-Win64-Shipping.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3820
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im EpicGamesLauncher.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4244
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im UnrealCEFSubProcess.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5068
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im CEFProcess.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1864
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im EasyAntiCheat.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2044
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im BEService.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3012
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im BEServices.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2492
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im BattleEye.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4768
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im PerfWatson2.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4236
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im vgtray.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2852
      • C:\Windows\system32\sc.exe
        Sc stop EasyAntiCheat
        2⤵
        • Launches sc.exe
        PID:60
      • C:\Windows\system32\sc.exe
        Sc stop FortniteClient-Win64-Shipping_EAC
        2⤵
        • Launches sc.exe
        PID:432
      • C:\Windows\system32\sc.exe
        Sc stop BattleEye
        2⤵
        • Launches sc.exe
        PID:4540
      • C:\Windows\system32\sc.exe
        Sc stop FortniteClient-Win64-Shipping_BE
        2⤵
        • Launches sc.exe
        PID:4396

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads