Analysis

max time kernel: 140s
max time network: 122s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 14-11-2024 13:48
Static task: static1 (1 signature)

Behavioral task: behavioral1
  Sample: VixenCleaner.exe
  Resource: win7-20240708-en
  4 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: VixenCleaner.exe
  Resource: win10v2004-20241007-en
  16 signatures, 150 seconds

The signatures and process tree below are from the behavioral1 run (windows7_x64, win7-20240708-en, 4 signatures); the 16 signatures of the Windows 10 run are not shown on this page.
General

Target: VixenCleaner.exe
Size: 5.0MB
MD5: f896695ef615c4d5e09df4ccaa2984b5
SHA1: 8f3517b2ecdf56d7372e7e89b35be6ee096f5292
SHA256: 7ad75a6780417178b6026fe7f18a38dcb455e60d0f09391bbb9de6d9487c0526
SHA512: 1aeb0b8f24354bce29df0855cd92456af1245f011918551ea383b2a9a1e0cd5add583b06fe541de771fd2507188e23446e022c0054187b20882e7c5393990516
SSDEEP: 98304:Yxt16Pb/JC9apF5i6QzMffuhWMrd4wg4R6qVUlYL5jGTUp4c4gU:Yz8D/g9vzwfuo+2wz7VjGAp

Score: 5/10

Malware Config: (empty; no configuration was extracted)
Signatures

1. Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
   pid   Process
   2972  VixenCleaner.exe

   The parent calls NtSetInformationThread with ThreadHideFromDebugger, which detaches the thread from any attached debugger. This is the only anti-analysis behaviour the report records.

2. Kills process with taskkill (6 IoCs)
   pid   Process
   2736  taskkill.exe
   2280  taskkill.exe
   2492  taskkill.exe
   1976  taskkill.exe
   2052  taskkill.exe
   2348  taskkill.exe

   The command line of each instance is listed in the process tree below.

3. Suspicious behavior: EnumeratesProcesses (1 IoC)
   pid   Process
   2972  VixenCleaner.exe

4. Suspicious use of WriteProcessMemory (48 IoCs)
   description                       pid   Process           procid_target
   PID 2972 wrote to memory of 2500  2972  VixenCleaner.exe  31
   PID 2500 wrote to memory of 2492  2500  cmd.exe           32
   PID 2972 wrote to memory of 2460  2972  VixenCleaner.exe  33
   PID 2460 wrote to memory of 1976  2460  cmd.exe           34
   PID 2972 wrote to memory of 1712  2972  VixenCleaner.exe  35
   PID 1712 wrote to memory of 2052  1712  cmd.exe           36
   PID 2972 wrote to memory of 2332  2972  VixenCleaner.exe  37
   PID 2332 wrote to memory of 2348  2332  cmd.exe           38
   PID 2972 wrote to memory of 1924  2972  VixenCleaner.exe  39
   PID 1924 wrote to memory of 2736  1924  cmd.exe           40
   PID 2972 wrote to memory of 2408  2972  VixenCleaner.exe  41
   PID 2408 wrote to memory of 2280  2408  cmd.exe           42
   PID 2972 wrote to memory of 2692  2972  VixenCleaner.exe  43
   PID 2972 wrote to memory of 2700  2972  VixenCleaner.exe  44
   PID 2972 wrote to memory of 2740  2972  VixenCleaner.exe  45
   PID 2972 wrote to memory of 2752  2972  VixenCleaner.exe  46

   The raw report lists each of these 16 writes three times (16 x 3 = 48 IoCs). Every target PID is the writer's direct child in the process tree below, so these writes are consistent with ordinary process start-up (the parent writing into the process it has just created) rather than with injection into an unrelated process; the report shows no write into a process the sample did not spawn itself.
Processes

Tree depth is shown by indentation. Each node gives the image path, its PID, the signatures that fired on it, and the command line as recorded by the sandbox.

C:\Users\Admin\AppData\Local\Temp\VixenCleaner.exe  (PID 2972)
    signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    cmdline: "C:\Users\Admin\AppData\Local\Temp\VixenCleaner.exe"

    C:\Windows\system32\cmd.exe  (PID 2500)  Suspicious use of WriteProcessMemory
        cmdline: C:\Windows\system32\cmd.exe /c taskkill /im /f fortnite* /t >nul 2>&1
        C:\Windows\system32\taskkill.exe  (PID 2492)  Kills process with taskkill
            cmdline: taskkill /im /f fortnite* /t

    C:\Windows\system32\cmd.exe  (PID 2460)  Suspicious use of WriteProcessMemory
        cmdline: C:\Windows\system32\cmd.exe /c taskkill /im /f easyantiche* /t >nul 2>&1
        C:\Windows\system32\taskkill.exe  (PID 1976)  Kills process with taskkill
            cmdline: taskkill /im /f easyantiche* /t

    C:\Windows\system32\cmd.exe  (PID 1712)  Suspicious use of WriteProcessMemory
        cmdline: C:\Windows\system32\cmd.exe /c taskkill /im /f beservice* /t >nul 2>&1
        C:\Windows\system32\taskkill.exe  (PID 2052)  Kills process with taskkill
            cmdline: taskkill /im /f beservice* /t

    C:\Windows\system32\cmd.exe  (PID 2332)  Suspicious use of WriteProcessMemory
        cmdline: C:\Windows\system32\cmd.exe /c taskkill /im /f epicweb* /t >nul 2>&1
        C:\Windows\system32\taskkill.exe  (PID 2348)  Kills process with taskkill
            cmdline: taskkill /im /f epicweb* /t

    C:\Windows\system32\cmd.exe  (PID 1924)  Suspicious use of WriteProcessMemory
        cmdline: C:\Windows\system32\cmd.exe /c taskkill /im /f epicgames* /t >nul 2>&1
        C:\Windows\system32\taskkill.exe  (PID 2736)  Kills process with taskkill
            cmdline: taskkill /im /f epicgames* /t

    C:\Windows\system32\cmd.exe  (PID 2408)  Suspicious use of WriteProcessMemory
        cmdline: C:\Windows\system32\cmd.exe /c taskkill /im /f WmiPrv* /f /t >nul 2>&1
        C:\Windows\system32\taskkill.exe  (PID 2280)  Kills process with taskkill
            cmdline: taskkill /im /f WmiPrv* /f /t

    C:\Windows\system32\cmd.exe  (PID 2692)
        cmdline: C:\Windows\system32\cmd.exe /c color

    C:\Windows\system32\cmd.exe  (PID 2700)
        cmdline: C:\Windows\system32\cmd.exe /c cls

    C:\Windows\system32\cmd.exe  (PID 2740)
        cmdline: C:\Windows\system32\cmd.exe /c color b

    C:\Windows\system32\cmd.exe  (PID 2752)
        cmdline: C:\Windows\system32\cmd.exe /c pause >nul

Notes on the tree:

- All six kills are issued through cmd.exe /c with output discarded (>nul 2>&1), each with /t (terminate the child tree) and /f (force). The wildcards fortnite*, epicweb* and epicgames* cover the Fortnite client and Epic Games launcher processes; easyantiche* and beservice* cover the Easy Anti-Cheat and BattlEye (BEService) anti-cheat processes; WmiPrv* covers the WMI provider host (WmiPrvSE.exe). Taken together with the EnumeratesProcesses and ThreadHideFromDebugger signatures on the parent, the recorded behaviour is a process-enumeration and termination routine aimed at a game, its anti-cheat components and WMI, which is consistent with the sample's "cleaner" name. The report records nothing the sample does after the kills.

- Option order: taskkill's documented syntax is taskkill /F /IM <image> /T. Every invocation here places /f in the position where /im expects the image name (taskkill /im /f fortnite* /t), and the WmiPrv* invocation passes /f twice. The sandbox records the command line as launched, not taskkill's exit status, and stdout/stderr are redirected to nul, so whether any of the targeted processes were actually terminated cannot be determined from this page (none of the targeted images would be running in the analysis VM in any case).

- The four remaining cmd.exe children (color, cls, color b, pause >nul) are console cosmetics and a wait for a keypress; nothing beyond process creation is recorded for them. The sample's own parent process is not shown in the report.
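The following is an added example, not part of the sandbox report and not code from VixenCleaner.exe. It shows how a detection engineer would turn the process tree above into a rule: rebuild parent/child links from process-creation records, attribute every taskkill.exe to the top-most process that spawned it, and flag roots that fire a burst of wildcard kills or hit a watch-list of anti-cheat/WMI image prefixes. The EVENTS list is constructed from the PIDs and command lines on this page (plus one constructed benign control); the record shape (pid, ppid, image, cmdline), the WATCHLIST prefixes and the min_kills threshold are assumptions made for the example, not the sandbox's own format or signature logic.

```python
"""Detection walk-through for the cmd.exe -> taskkill chain in this report.

Added example; the event records are constructed from the process tree on
the page, and the field names, watch-list and threshold are assumptions.
"""
from collections import defaultdict

CMD = r"C:\Windows\system32\cmd.exe"
TK = r"C:\Windows\system32\taskkill.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\VixenCleaner.exe"

# Constructed from the report's process tree. The sample's own parent is not
# shown on the page, so its ppid is None.
EVENTS = [
    {"pid": 2972, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
]
for cmd_pid, tk_pid, target in [(2500, 2492, "fortnite*"), (2460, 1976, "easyantiche*"),
                                (1712, 2052, "beservice*"), (2332, 2348, "epicweb*"),
                                (1924, 2736, "epicgames*")]:
    EVENTS.append({"pid": cmd_pid, "ppid": 2972, "image": CMD,
                   "cmdline": f"{CMD} /c taskkill /im /f {target} /t >nul 2>&1"})
    EVENTS.append({"pid": tk_pid, "ppid": cmd_pid, "image": TK,
                   "cmdline": f"taskkill /im /f {target} /t"})
EVENTS += [
    # The WmiPrv* invocation on the page carries a duplicated /f switch.
    {"pid": 2408, "ppid": 2972, "image": CMD,
     "cmdline": f"{CMD} /c taskkill /im /f WmiPrv* /f /t >nul 2>&1"},
    {"pid": 2280, "ppid": 2408, "image": TK, "cmdline": "taskkill /im /f WmiPrv* /f /t"},
    {"pid": 2692, "ppid": 2972, "image": CMD, "cmdline": f"{CMD} /c color"},
    {"pid": 2700, "ppid": 2972, "image": CMD, "cmdline": f"{CMD} /c cls"},
    {"pid": 2740, "ppid": 2972, "image": CMD, "cmdline": f"{CMD} /c color b"},
    {"pid": 2752, "ppid": 2972, "image": CMD, "cmdline": f"{CMD} /c pause >nul"},
    # Constructed benign control: a single targeted kill from an admin shell.
    {"pid": 4000, "ppid": None, "image": CMD, "cmdline": CMD},
    {"pid": 4001, "ppid": 4000, "image": TK, "cmdline": "taskkill /f /im notepad.exe"},
]

# Assumed watch-list: image-name prefixes whose termination is worth alerting on
# (anti-cheat services and the WMI provider host).
WATCHLIST = ("easyantiche", "beservice", "wmiprv")


def taskkill_image_targets(cmdline):
    """Return the image-name arguments of a taskkill command line.

    Everything after 'taskkill' that is not a /switch is treated as a target,
    so the report's non-standard '/im /f name' ordering still yields 'name'.
    """
    tokens = cmdline.split()
    if not tokens or not tokens[0].lower().startswith("taskkill"):
        return []
    return [t for t in tokens[1:] if not t.startswith("/")]


def root_of(pid, by_pid):
    """Walk ppid links up to the top-most process present in the event set."""
    seen = set()
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def analyze(events, min_kills=3):
    """Group taskkill children under their root process and score each root.

    A root is flagged when it spawns at least `min_kills` taskkill processes
    with wildcard targets, or when any target hits the watch-list.
    """
    by_pid = {e["pid"]: e for e in events}
    report = defaultdict(lambda: {"taskkill_count": 0, "targets": [],
                                  "wildcard_targets": 0, "watchlist_hits": set(),
                                  "flagged": False})
    for e in events:
        if not e["image"].lower().endswith("taskkill.exe"):
            continue
        entry = report[root_of(e["pid"], by_pid)]
        entry["taskkill_count"] += 1
        for target in taskkill_image_targets(e["cmdline"]):
            entry["targets"].append(target)
            if "*" in target:
                entry["wildcard_targets"] += 1
            if target.lower().startswith(WATCHLIST):
                entry["watchlist_hits"].add(target)
    for entry in report.values():
        entry["flagged"] = (entry["wildcard_targets"] >= min_kills
                            or bool(entry["watchlist_hits"]))
    return dict(report)


if __name__ == "__main__":
    for root, entry in analyze(EVENTS).items():
        print(root, entry)
```

Attributing each taskkill to the root rather than to its immediate cmd.exe parent is what makes the pattern visible: each cmd.exe in the tree above spawns exactly one kill and looks harmless in isolation, while PID 2972 spawns six wildcard kills, three of which hit the watch-list. The benign control (one exact-name kill from an interactive shell) stays below the threshold and is not flagged.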