f6199fe0c5630f73c0cd588e71626ab8552fb312e90e441bbe6f1ebd50bc7ccb

Analysis

max time kernel
66s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cleaner1 RUN ALL AS ADMIN.bat
Size

4KB
MD5

ccf667986586fc0ee3a0898629a36ede
SHA1

6ffaec4689d257344f8edd02d44d8388280fb162
SHA256

ca7dfbc65c1fde66413b5dd06f763cbe6b8be78c2a3b88030ccd5dfac23c07df
SHA512

3e7f9b8df4c455595b57c18917ab9092f5cbd08545116788bcfa709e9edc79c36dae51493da7dc19ba04f69067a420755379a5b11a73205bd05b569f3c0c7ff3
SSDEEP

48:5eB5uGLW8FktI/JHeUsY200qfDTfbi5t2Qzt2Nt2QVt2ttUFt2AAt2Aop+RAULJY:oHeZY2ELTTqMQPdwYrOPT

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4656 netsh.exe

pid	process
4656	netsh.exe

Kills process with taskkill 11 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4896	taskkill.exe
4184	taskkill.exe
2028	taskkill.exe
2220	taskkill.exe
2192	taskkill.exe
2068	taskkill.exe
4864	taskkill.exe
4668	taskkill.exe
4684	taskkill.exe
1220	taskkill.exe
3848	taskkill.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2068	taskkill.exe
Token: SeDebugPrivilege	4864	taskkill.exe
Token: SeDebugPrivilege	4668	taskkill.exe
Token: SeDebugPrivilege	4684	taskkill.exe
Token: SeDebugPrivilege	4896	taskkill.exe
Token: SeDebugPrivilege	4184	taskkill.exe
Token: SeDebugPrivilege	1220	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	3848	taskkill.exe
Token: SeDebugPrivilege	2220	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2864 wrote to memory of 2068	2864	cmd.exe	taskkill.exe
PID 2864 wrote to memory of 2068	2864	cmd.exe	taskkill.exe
PID 2864 wrote to memory of 4864	2864	cmd.exe	taskkill.exe
PID 2864 wrote to memory of 4864	2864	cmd.exe	taskkill.exe
PID 2864 wrote to memory of 4668	2864	cmd.exe	taskkill.exe
PID 2864 wrote to memory of 4668	2864	cmd.exe	taskkill.exe
PID 2864 wrote to memory of 4684	2864	cmd.exe	taskkill.exe
PID 2864 wrote to memory of 4684	2864	cmd.exe	taskkill.exe
PID 2864 wrote to memory of 4896	2864	cmd.exe	taskkill.exe
PID 2864 wrote to memory of 4896	2864	cmd.exe	taskkill.exe
PID 2864 wrote to memory of 4184	2864	cmd.exe	taskkill.exe
PID 2864 wrote to memory of 4184	2864	cmd.exe	taskkill.exe
PID 2864 wrote to memory of 1220	2864	cmd.exe	taskkill.exe
PID 2864 wrote to memory of 1220	2864	cmd.exe	taskkill.exe
PID 2864 wrote to memory of 2028	2864	cmd.exe	taskkill.exe
PID 2864 wrote to memory of 2028	2864	cmd.exe	taskkill.exe
PID 2864 wrote to memory of 3848	2864	cmd.exe	taskkill.exe
PID 2864 wrote to memory of 3848	2864	cmd.exe	taskkill.exe
PID 2864 wrote to memory of 2220	2864	cmd.exe	taskkill.exe
PID 2864 wrote to memory of 2220	2864	cmd.exe	taskkill.exe
PID 2864 wrote to memory of 2192	2864	cmd.exe	taskkill.exe
PID 2864 wrote to memory of 2192	2864	cmd.exe	taskkill.exe
PID 2864 wrote to memory of 4404	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 4404	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 5108	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 5108	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 5092	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 5092	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 3632	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 3632	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 1516	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 1516	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 5060	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 5060	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 4372	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 4372	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 3376	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 3376	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 3016	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 3016	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 4536	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 4536	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 1324	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 1324	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 2016	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 2016	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 1264	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 1264	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 4348	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 4348	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 1884	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 1884	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 2092	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 2092	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 1408	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 1408	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 1904	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 1904	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 4656	2864	cmd.exe	netsh.exe
PID 2864 wrote to memory of 4656	2864	cmd.exe	netsh.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Cleaner1 RUN ALL AS ADMIN.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\system32\taskkill.exe
  taskkill /f /im epicgameslauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicWebHelper.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4864
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4684
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4896
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4184
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1220
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3848
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEServices.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BattleEye.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f
  2⤵
  PID:4404
- C:\Windows\system32\reg.exe
  reg delete "HKCU\SOFTWARE\Epic Games" /f
  2⤵
  PID:5108
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f
  2⤵
  PID:5092
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f
  2⤵
  PID:3632
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f
  2⤵
  PID:1516
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
  2⤵
  PID:5060
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f
  2⤵
  PID:4372
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f
  2⤵
  PID:3376
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
  2⤵
  PID:3016
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
  2⤵
  PID:4536
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f
  2⤵
  PID:1324
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f
  2⤵
  PID:2016
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
  2⤵
  PID:1264
- C:\Windows\system32\reg.exe
  reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f
  2⤵
  PID:4348
- C:\Windows\system32\reg.exe
  reg delete "HKCR\com.epicgames.eos" /f
  2⤵
  PID:1884
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
  2⤵
  PID:2092
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\EpicGames" /f
  2⤵
  PID:1408
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f
  2⤵
  PID:1904
- C:\Windows\system32\netsh.exe
  netsh advfirewall reset
  2⤵
  - Modifies Windows Firewall
  PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads