d5b857f4972fea91c9d476905d4fb6f80de89df311da0dce83adfbef4d32d1b3

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Toruney_Cleaner.exe
Size

135KB
MD5

03c9069653a814dd3a0d69d1431145eb
SHA1

d57ca643bfb63dc9df696054ff12770132a81038
SHA256

d5b857f4972fea91c9d476905d4fb6f80de89df311da0dce83adfbef4d32d1b3
SHA512

b7958fa0c0d2953ed4062f2e241f982377b4b0f990a179da9bf328a39e0a00b79ee76a537cd42482d2d782e33e36f390c85585d88fe16b882e67c4c9edd366cf
SSDEEP

768:EcLW2SN3ItwfkDG7FIMXVGBzn5v1QLKeJunPxrU+lP/X3Zwkin9Sbh9Sb:LLWDN4qfkDo8z5tMGP9U+BBBuC

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64	Toruney_Cleaner.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4868	cmd.exe
3060	cmd.exe
1364	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	reg.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	reg.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
3416	taskkill.exe
3880	taskkill.exe
1052	taskkill.exe
1012	taskkill.exe
3192	taskkill.exe

Modifies registry key 1 TTPs 13 IoCs

Modify Registry

T1112

pid	Process
3264	reg.exe
1140	reg.exe
812	reg.exe
1124	reg.exe
4608	reg.exe
784	reg.exe
5012	reg.exe
540	reg.exe
3776	reg.exe
2008	reg.exe
676	reg.exe
1532	reg.exe
840	reg.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3416	taskkill.exe
Token: SeDebugPrivilege	3880	taskkill.exe
Token: SeDebugPrivilege	1052	taskkill.exe
Token: SeDebugPrivilege	1012	taskkill.exe
Token: SeDebugPrivilege	3192	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 4136	1584	Toruney_Cleaner.exe	91
PID 1584 wrote to memory of 4136	1584	Toruney_Cleaner.exe	91
PID 1584 wrote to memory of 424	1584	Toruney_Cleaner.exe	92
PID 1584 wrote to memory of 424	1584	Toruney_Cleaner.exe	92
PID 1584 wrote to memory of 2804	1584	Toruney_Cleaner.exe	93
PID 1584 wrote to memory of 2804	1584	Toruney_Cleaner.exe	93
PID 1584 wrote to memory of 4868	1584	Toruney_Cleaner.exe	94
PID 1584 wrote to memory of 4868	1584	Toruney_Cleaner.exe	94
PID 4868 wrote to memory of 3416	4868	cmd.exe	95
PID 4868 wrote to memory of 3416	4868	cmd.exe	95
PID 1584 wrote to memory of 3060	1584	Toruney_Cleaner.exe	96
PID 1584 wrote to memory of 3060	1584	Toruney_Cleaner.exe	96
PID 3060 wrote to memory of 3880	3060	cmd.exe	97
PID 3060 wrote to memory of 3880	3060	cmd.exe	97
PID 1584 wrote to memory of 1364	1584	Toruney_Cleaner.exe	98
PID 1584 wrote to memory of 1364	1584	Toruney_Cleaner.exe	98
PID 1364 wrote to memory of 1052	1364	cmd.exe	99
PID 1364 wrote to memory of 1052	1364	cmd.exe	99
PID 1584 wrote to memory of 2704	1584	Toruney_Cleaner.exe	100
PID 1584 wrote to memory of 2704	1584	Toruney_Cleaner.exe	100
PID 2704 wrote to memory of 1012	2704	cmd.exe	101
PID 2704 wrote to memory of 1012	2704	cmd.exe	101
PID 1584 wrote to memory of 2552	1584	Toruney_Cleaner.exe	102
PID 1584 wrote to memory of 2552	1584	Toruney_Cleaner.exe	102
PID 2552 wrote to memory of 3192	2552	cmd.exe	103
PID 2552 wrote to memory of 3192	2552	cmd.exe	103
PID 1584 wrote to memory of 3648	1584	Toruney_Cleaner.exe	104
PID 1584 wrote to memory of 3648	1584	Toruney_Cleaner.exe	104
PID 3648 wrote to memory of 1080	3648	cmd.exe	105
PID 3648 wrote to memory of 1080	3648	cmd.exe	105
PID 1584 wrote to memory of 4400	1584	Toruney_Cleaner.exe	106
PID 1584 wrote to memory of 4400	1584	Toruney_Cleaner.exe	106
PID 4400 wrote to memory of 2028	4400	cmd.exe	107
PID 4400 wrote to memory of 2028	4400	cmd.exe	107
PID 1584 wrote to memory of 4216	1584	Toruney_Cleaner.exe	108
PID 1584 wrote to memory of 4216	1584	Toruney_Cleaner.exe	108
PID 4216 wrote to memory of 3788	4216	cmd.exe	109
PID 4216 wrote to memory of 3788	4216	cmd.exe	109
PID 1584 wrote to memory of 3124	1584	Toruney_Cleaner.exe	110
PID 1584 wrote to memory of 3124	1584	Toruney_Cleaner.exe	110
PID 3124 wrote to memory of 516	3124	cmd.exe	111
PID 3124 wrote to memory of 516	3124	cmd.exe	111
PID 1584 wrote to memory of 1600	1584	Toruney_Cleaner.exe	112
PID 1584 wrote to memory of 1600	1584	Toruney_Cleaner.exe	112
PID 1600 wrote to memory of 3176	1600	cmd.exe	113
PID 1600 wrote to memory of 3176	1600	cmd.exe	113
PID 1584 wrote to memory of 4088	1584	Toruney_Cleaner.exe	114
PID 1584 wrote to memory of 4088	1584	Toruney_Cleaner.exe	114
PID 4088 wrote to memory of 2516	4088	cmd.exe	115
PID 4088 wrote to memory of 2516	4088	cmd.exe	115
PID 1584 wrote to memory of 4208	1584	Toruney_Cleaner.exe	116
PID 1584 wrote to memory of 4208	1584	Toruney_Cleaner.exe	116
PID 4208 wrote to memory of 3212	4208	cmd.exe	117
PID 4208 wrote to memory of 3212	4208	cmd.exe	117
PID 1584 wrote to memory of 4808	1584	Toruney_Cleaner.exe	118
PID 1584 wrote to memory of 4808	1584	Toruney_Cleaner.exe	118
PID 4808 wrote to memory of 3196	4808	cmd.exe	119
PID 4808 wrote to memory of 3196	4808	cmd.exe	119
PID 1584 wrote to memory of 3172	1584	Toruney_Cleaner.exe	120
PID 1584 wrote to memory of 3172	1584	Toruney_Cleaner.exe	120
PID 3172 wrote to memory of 784	3172	cmd.exe	121
PID 3172 wrote to memory of 784	3172	cmd.exe	121
PID 1584 wrote to memory of 3372	1584	Toruney_Cleaner.exe	122
PID 1584 wrote to memory of 3372	1584	Toruney_Cleaner.exe	122

C:\Users\Admin\AppData\Local\Temp\Toruney_Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Toruney_Cleaner.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @shift /0
  2⤵
  PID:4136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @shift /0
  2⤵
  PID:424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @echo off
  2⤵
  PID:2804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f
    3⤵
    - Enumerates system info in registry
    PID:1080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f
    3⤵
    - Enumerates system info in registry
    PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f
    3⤵
    - Enumerates system info in registry
    PID:3788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f
    3⤵
    - Enumerates system info in registry
    PID:516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f
    3⤵
    - Enumerates system info in registry
    PID:3176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
    3⤵
    - Checks processor information in registry
    PID:2516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
    3⤵
    PID:3212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:3196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d Norc%random% /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d Norc7423 /f
    3⤵
    - Modifies registry key
    PID:784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d Norc%random% /f
  2⤵
  PID:3372
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d Norc7423 /f
    3⤵
    - Modifies registry key
    PID:676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {be%random%} /f
  2⤵
  PID:1408
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {be7423} /f
    3⤵
    - Modifies registry key
    PID:1532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware\Profiles\0001 /v HwProfileGuid /t REG_SZ /d {fefefee%random%-%random%-%random%-%random%} /f
  2⤵
  PID:1504
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware\Profiles\0001 /v HwProfileGuid /t REG_SZ /d {fefefee7423-29607-8929-27342} /f
    3⤵
    - Modifies registry key
    PID:5012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware\Profiles\0001 /v GUID /t REG_SZ /d {fefefe%random%-%random%-%random%-%random%} /f
  2⤵
  PID:384
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware\Profiles\0001 /v GUID /t REG_SZ /d {fefefe7423-29607-8929-27342} /f
    3⤵
    - Modifies registry key
    PID:540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion /v BuildGUID /t REG_SZ /d Norc%random% /f
  2⤵
  PID:2816
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion /v BuildGUID /t REG_SZ /d Norc7427 /f
    3⤵
    - Modifies registry key
    PID:840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d Norc%random% /f
  2⤵
  PID:2344
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d Norc7427 /f
    3⤵
    - Modifies registry key
    PID:3776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d Norc%random% /f
  2⤵
  PID:3220
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d Norc7427 /f
    3⤵
    - Modifies registry key
    PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d Norc%random%-%random%-%random%-%random% /f
  2⤵
  PID:3268
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d Norc7427-7588-26793-18638 /f
    3⤵
    - Modifies registry key
    PID:3264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d hello%random%-%random%-%random%-%random% /f
  2⤵
  PID:4352
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d hello7427-7588-26793-18638 /f
    3⤵
    - Modifies registry key
    PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion /v ProductId /t REG_SZ /d %random%-%random%-%random%-%random% /f
  2⤵
  PID:1376
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion /v ProductId /t REG_SZ /d 7427-7588-26793-18638 /f
    3⤵
    - Modifies registry key
    PID:812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion /v InstallDate /t REG_SZ /d %random% /f
  2⤵
  PID:4960
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion /v InstallDate /t REG_SZ /d 7427 /f
    3⤵
    - Modifies registry key
    PID:1124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd%random%-%random%-%random%-%random%} /f
  2⤵
  PID:4292
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd7427-7588-26793-18638} /f
    3⤵
    - Modifies registry key
    PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads