baae3127acf477fafa20bcbf3f3d6d63c73cb541236844841708136bea574d4e

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10-08-2024 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HWID Spoofer/Cleaner.bat
Size

1KB
MD5

139c0fed46d0a8e9ea03bd45686f8e84
SHA1

4969ac8f2e002f7a2a15e1da60076bff5416d41f
SHA256

3ae29ef823ecfa08b99447b35bab89c1f2c7279cfbf557f9381720bb999d18e1
SHA512

cef0bba827b9e4b00dccd3b9eed8fa5ecca2b325c2a02add80337d564090ea54277f27ed6cd485f4c8c01e001c3bb945eafacac0f2e53116096805ee422b04d7

Score

3^/10

discovery

Malware Config

Signatures

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1792	PING.EXE
2692	PING.EXE
2940	PING.EXE

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2808	timeout.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
2660	taskkill.exe
2752	taskkill.exe
2688	taskkill.exe
2236	taskkill.exe
3044	taskkill.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
1792	PING.EXE
2692	PING.EXE
2940	PING.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	2660	taskkill.exe
Token: SeDebugPrivilege	2752	taskkill.exe
Token: SeDebugPrivilege	2688	taskkill.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 1792	1584	cmd.exe	31
PID 1584 wrote to memory of 1792	1584	cmd.exe	31
PID 1584 wrote to memory of 1792	1584	cmd.exe	31
PID 1584 wrote to memory of 2236	1584	cmd.exe	33
PID 1584 wrote to memory of 2236	1584	cmd.exe	33
PID 1584 wrote to memory of 2236	1584	cmd.exe	33
PID 1584 wrote to memory of 3044	1584	cmd.exe	35
PID 1584 wrote to memory of 3044	1584	cmd.exe	35
PID 1584 wrote to memory of 3044	1584	cmd.exe	35
PID 1584 wrote to memory of 2660	1584	cmd.exe	36
PID 1584 wrote to memory of 2660	1584	cmd.exe	36
PID 1584 wrote to memory of 2660	1584	cmd.exe	36
PID 1584 wrote to memory of 2752	1584	cmd.exe	37
PID 1584 wrote to memory of 2752	1584	cmd.exe	37
PID 1584 wrote to memory of 2752	1584	cmd.exe	37
PID 1584 wrote to memory of 2688	1584	cmd.exe	38
PID 1584 wrote to memory of 2688	1584	cmd.exe	38
PID 1584 wrote to memory of 2688	1584	cmd.exe	38
PID 1584 wrote to memory of 2808	1584	cmd.exe	39
PID 1584 wrote to memory of 2808	1584	cmd.exe	39
PID 1584 wrote to memory of 2808	1584	cmd.exe	39
PID 1584 wrote to memory of 2692	1584	cmd.exe	40
PID 1584 wrote to memory of 2692	1584	cmd.exe	40
PID 1584 wrote to memory of 2692	1584	cmd.exe	40
PID 1584 wrote to memory of 2784	1584	cmd.exe	41
PID 1584 wrote to memory of 2784	1584	cmd.exe	41
PID 1584 wrote to memory of 2784	1584	cmd.exe	41
PID 1584 wrote to memory of 2940	1584	cmd.exe	42
PID 1584 wrote to memory of 2940	1584	cmd.exe	42
PID 1584 wrote to memory of 2940	1584	cmd.exe	42

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\HWID Spoofer\Cleaner.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\system32\PING.EXE
  ping localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1792
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "EpicGamesLauncher.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "FortniteLauncher.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "FortniteClient-Win64-Shipping_BE.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "FortniteClient-Win64-Shipping.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "EasyAntiCheat.exe" /t /fi "status eq running"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2808
- C:\Windows\system32\PING.EXE
  ping localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2692
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:2784
- C:\Windows\system32\PING.EXE
  ping localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads