f6199fe0c5630f73c0cd588e71626ab8552fb312e90e441bbe6f1ebd50bc7ccb

Analysis

max time kernel
55s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cleaner4.bat
Size

111KB
MD5

7d29dc3ace16b45ae3b437cf8aa7d65f
SHA1

fbcfde13c5522d808c321c58291cfa962f104655
SHA256

317142fae707cbac948083d56b1163aa5a6a1b9270031d9e49ea79214ebe99ef
SHA512

333d36985afdbe68fbe455d3f59cbe6fc77b0669de44194e07ca28dece06505a1bd5c354ef132df70b936f7ba2740241046b75ab86afbd4728c0da5371e576d9
SSDEEP

768:zo9R/KZzmezF/svUsfg8gVhCBL1oPYdxCA1n5xpoL8oPlRPrPEPupL5LvLpLjLg3:E9xg8gUDRnvplQL5LvLpLjLnC

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2644 netsh.exe

pid	process
2644	netsh.exe

Kills process with taskkill 11 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1164	taskkill.exe
3976	taskkill.exe
4688	taskkill.exe
1392	taskkill.exe
3292	taskkill.exe
2852	taskkill.exe
3808	taskkill.exe
4680	taskkill.exe
2292	taskkill.exe
4004	taskkill.exe
5008	taskkill.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1392	taskkill.exe
Token: SeDebugPrivilege	3292	taskkill.exe
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeDebugPrivilege	4004	taskkill.exe
Token: SeDebugPrivilege	5008	taskkill.exe
Token: SeDebugPrivilege	3808	taskkill.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	3976	taskkill.exe
Token: SeDebugPrivilege	4680	taskkill.exe
Token: SeDebugPrivilege	4688	taskkill.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2924 wrote to memory of 4232	2924	cmd.exe	cacls.exe
PID 2924 wrote to memory of 4232	2924	cmd.exe	cacls.exe
PID 2924 wrote to memory of 1392	2924	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 1392	2924	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 3292	2924	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 3292	2924	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 2292	2924	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 2292	2924	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 4004	2924	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 4004	2924	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 5008	2924	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 5008	2924	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 3808	2924	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 3808	2924	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 2852	2924	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 2852	2924	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 1164	2924	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 1164	2924	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 3976	2924	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 3976	2924	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 4680	2924	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 4680	2924	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 4688	2924	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 4688	2924	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 3892	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 3892	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 5092	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 5092	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 1092	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 1092	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 368	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 368	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 3420	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 3420	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 2876	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 2876	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 4328	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 4328	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 3788	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 3788	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 4084	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 4084	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 2840	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 2840	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 1452	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 1452	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 4068	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 4068	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 956	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 956	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 4708	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 4708	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 4768	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 4768	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 2236	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 2236	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 3404	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 3404	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 2644	2924	cmd.exe	netsh.exe
PID 2924 wrote to memory of 2644	2924	cmd.exe	netsh.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Cleaner4.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:4232
- C:\Windows\system32\taskkill.exe
  taskkill /f /im epicgameslauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicWebHelper.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3292
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4004
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3808
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3976
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEServices.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4680
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BattleEye.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4688
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EpicOnlineServices" /f
  2⤵
  PID:3892
- C:\Windows\system32\reg.exe
  reg delete "HKCU\SOFTWARE\Epic Games" /f
  2⤵
  PID:5092
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Classes\com.epicgames.launcher" /f
  2⤵
  PID:1092
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /f
  2⤵
  PID:368
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\BEDaisy" /f
  2⤵
  PID:3420
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEDaisy" /f
  2⤵
  PID:2876
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f
  2⤵
  PID:4328
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f
  2⤵
  PID:3788
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /f
  2⤵
  PID:4084
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f
  2⤵
  PID:2840
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\WOW6432Node\Epic Games" /f
  2⤵
  PID:1452
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged" /f
  2⤵
  PID:4068
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
  2⤵
  PID:956
- C:\Windows\system32\reg.exe
  reg delete "HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher" /f
  2⤵
  PID:4708
- C:\Windows\system32\reg.exe
  reg delete "HKCR\com.epicgames.eos" /f
  2⤵
  PID:4768
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
  2⤵
  PID:2236
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\S-1-5-18\Software\Epic Games" /f
  2⤵
  PID:3404
- C:\Windows\system32\netsh.exe
  netsh advfirewall reset
  2⤵
  - Modifies Windows Firewall
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads