f6199fe0c5630f73c0cd588e71626ab8552fb312e90e441bbe6f1ebd50bc7ccb

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cleaner4.bat
Size

111KB
MD5

7d29dc3ace16b45ae3b437cf8aa7d65f
SHA1

fbcfde13c5522d808c321c58291cfa962f104655
SHA256

317142fae707cbac948083d56b1163aa5a6a1b9270031d9e49ea79214ebe99ef
SHA512

333d36985afdbe68fbe455d3f59cbe6fc77b0669de44194e07ca28dece06505a1bd5c354ef132df70b936f7ba2740241046b75ab86afbd4728c0da5371e576d9
SSDEEP

768:zo9R/KZzmezF/svUsfg8gVhCBL1oPYdxCA1n5xpoL8oPlRPrPEPupL5LvLpLjLg3:E9xg8gUDRnvplQL5LvLpLjLnC

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2636 netsh.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2908 cmd.exe

pid	process
2636	netsh.exe

pid	process
2908	cmd.exe

Kills process with taskkill 11 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2796	taskkill.exe
1536	taskkill.exe
2512	taskkill.exe
2688	taskkill.exe
2324	taskkill.exe
2388	taskkill.exe
2720	taskkill.exe
2900	taskkill.exe
2652	taskkill.exe
2712	taskkill.exe
2552	taskkill.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2900	taskkill.exe
Token: SeDebugPrivilege	2652	taskkill.exe
Token: SeDebugPrivilege	2712	taskkill.exe
Token: SeDebugPrivilege	2796	taskkill.exe
Token: SeDebugPrivilege	2552	taskkill.exe
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	2324	taskkill.exe
Token: SeDebugPrivilege	2388	taskkill.exe
Token: SeDebugPrivilege	2512	taskkill.exe
Token: SeDebugPrivilege	2720	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2908 wrote to memory of 2224	2908	cmd.exe	cacls.exe
PID 2908 wrote to memory of 2224	2908	cmd.exe	cacls.exe
PID 2908 wrote to memory of 2224	2908	cmd.exe	cacls.exe
PID 2908 wrote to memory of 2900	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2900	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2900	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2652	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2652	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2652	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2712	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2712	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2712	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2796	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2796	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2796	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2552	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2552	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2552	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2688	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2688	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2688	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 1536	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 1536	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 1536	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2324	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2324	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2324	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2388	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2388	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2388	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2512	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2512	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2512	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2720	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2720	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2720	2908	cmd.exe	taskkill.exe
PID 2908 wrote to memory of 2408	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 2408	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 2408	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 1556	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 1556	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 1556	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 108	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 108	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 108	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 1868	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 1868	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 1868	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 1508	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 1508	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 1508	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 1348	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 1348	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 1348	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 2368	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 2368	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 2368	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 1516	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 1516	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 1516	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 2380	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 2380	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 2380	2908	cmd.exe	reg.exe
PID 2908 wrote to memory of 2696	2908	cmd.exe	reg.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Cleaner4.bat"
1⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:2224
- C:\Windows\system32\taskkill.exe
  taskkill /f /im epicgameslauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicWebHelper.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEServices.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BattleEye.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f
  2⤵
  PID:2408
- C:\Windows\system32\reg.exe
  reg delete "HKCU\SOFTWARE\Epic Games" /f
  2⤵
  PID:1556
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f
  2⤵
  PID:108
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f
  2⤵
  PID:1868
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f
  2⤵
  PID:1508
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f
  2⤵
  PID:1348
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
  2⤵
  PID:2368
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
  2⤵
  PID:1516
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f
  2⤵
  PID:2380
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
  2⤵
  PID:2696
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f
  2⤵
  PID:2608
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f
  2⤵
  PID:2624
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
  2⤵
  PID:2640
- C:\Windows\system32\reg.exe
  reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f
  2⤵
  PID:2592
- C:\Windows\system32\reg.exe
  reg delete "HKCR\com.epicgames.eos" /f
  2⤵
  PID:2604
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
  2⤵
  PID:2620
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f
  2⤵
  PID:2284
- C:\Windows\system32\netsh.exe
  netsh advfirewall reset
  2⤵
  - Modifies Windows Firewall
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads