f578d77e5264494fd9cf4b740953b12b348745c43cc256cc5339c6a91413f909

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lcb spoofer_updated_quack/cleaners/leakedshit/clean2.bat
Size

260KB
MD5

049fce145abfed6afa90599762b08c6b
SHA1

563036667eb0a743c138f9f245cabfffe07c424e
SHA256

97377c7ae3ff41e72dac718a4dd82cdd079ff50e026ce159d3435e6edb8bc543
SHA512

e610806fbbf5365370538a1055637b5bf3ae9ae09f8779c1289b7800a9472f4f95db051c15c21af45bb70bfb99d2ef59846814ad36d8ecb6cd31c73e7dc443bb
SSDEEP

1536:gWNoZxBOz2ouKKCWZr3PwUWg28361L5LvLpLjL5Azf4oH9Yzf4gH9c:gbKKCWCUWg284oH9Q4gH9c

Score

8^/10

discovery evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2648	cmd.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid	Process
528	sc.exe
2728	sc.exe
2924	sc.exe
776	sc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

sc.exesc.exe

pid	Process
2924	sc.exe
528	sc.exe

Kills process with taskkill 15 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
648	taskkill.exe
2152	taskkill.exe
2564	taskkill.exe
560	taskkill.exe
2740	taskkill.exe
2712	taskkill.exe
2840	taskkill.exe
2976	taskkill.exe
2120	taskkill.exe
2144	taskkill.exe
2596	taskkill.exe
2980	taskkill.exe
2080	taskkill.exe
3040	taskkill.exe
2680	taskkill.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	Process
Token: SeDebugPrivilege	3040	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	2680	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	2712	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	648	taskkill.exe
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	2120	taskkill.exe
Token: SeDebugPrivilege	2080	taskkill.exe
Token: SeDebugPrivilege	2144	taskkill.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

cmd.exe

description	pid	Process	procid_target
PID 2648 wrote to memory of 2792	2648	cmd.exe	32
PID 2648 wrote to memory of 2792	2648	cmd.exe	32
PID 2648 wrote to memory of 2792	2648	cmd.exe	32
PID 2648 wrote to memory of 3040	2648	cmd.exe	33
PID 2648 wrote to memory of 3040	2648	cmd.exe	33
PID 2648 wrote to memory of 3040	2648	cmd.exe	33
PID 2648 wrote to memory of 2840	2648	cmd.exe	35
PID 2648 wrote to memory of 2840	2648	cmd.exe	35
PID 2648 wrote to memory of 2840	2648	cmd.exe	35
PID 2648 wrote to memory of 2976	2648	cmd.exe	36
PID 2648 wrote to memory of 2976	2648	cmd.exe	36
PID 2648 wrote to memory of 2976	2648	cmd.exe	36
PID 2648 wrote to memory of 2680	2648	cmd.exe	37
PID 2648 wrote to memory of 2680	2648	cmd.exe	37
PID 2648 wrote to memory of 2680	2648	cmd.exe	37
PID 2648 wrote to memory of 2740	2648	cmd.exe	38
PID 2648 wrote to memory of 2740	2648	cmd.exe	38
PID 2648 wrote to memory of 2740	2648	cmd.exe	38
PID 2648 wrote to memory of 2564	2648	cmd.exe	39
PID 2648 wrote to memory of 2564	2648	cmd.exe	39
PID 2648 wrote to memory of 2564	2648	cmd.exe	39
PID 2648 wrote to memory of 2712	2648	cmd.exe	40
PID 2648 wrote to memory of 2712	2648	cmd.exe	40
PID 2648 wrote to memory of 2712	2648	cmd.exe	40
PID 2648 wrote to memory of 2596	2648	cmd.exe	41
PID 2648 wrote to memory of 2596	2648	cmd.exe	41
PID 2648 wrote to memory of 2596	2648	cmd.exe	41
PID 2648 wrote to memory of 560	2648	cmd.exe	42
PID 2648 wrote to memory of 560	2648	cmd.exe	42
PID 2648 wrote to memory of 560	2648	cmd.exe	42
PID 2648 wrote to memory of 648	2648	cmd.exe	43
PID 2648 wrote to memory of 648	2648	cmd.exe	43
PID 2648 wrote to memory of 648	2648	cmd.exe	43
PID 2648 wrote to memory of 2980	2648	cmd.exe	44
PID 2648 wrote to memory of 2980	2648	cmd.exe	44
PID 2648 wrote to memory of 2980	2648	cmd.exe	44
PID 2648 wrote to memory of 2152	2648	cmd.exe	45
PID 2648 wrote to memory of 2152	2648	cmd.exe	45
PID 2648 wrote to memory of 2152	2648	cmd.exe	45
PID 2648 wrote to memory of 2120	2648	cmd.exe	46
PID 2648 wrote to memory of 2120	2648	cmd.exe	46
PID 2648 wrote to memory of 2120	2648	cmd.exe	46
PID 2648 wrote to memory of 2080	2648	cmd.exe	47
PID 2648 wrote to memory of 2080	2648	cmd.exe	47
PID 2648 wrote to memory of 2080	2648	cmd.exe	47
PID 2648 wrote to memory of 2144	2648	cmd.exe	48
PID 2648 wrote to memory of 2144	2648	cmd.exe	48
PID 2648 wrote to memory of 2144	2648	cmd.exe	48
PID 2648 wrote to memory of 776	2648	cmd.exe	49
PID 2648 wrote to memory of 776	2648	cmd.exe	49
PID 2648 wrote to memory of 776	2648	cmd.exe	49
PID 2648 wrote to memory of 528	2648	cmd.exe	50
PID 2648 wrote to memory of 528	2648	cmd.exe	50
PID 2648 wrote to memory of 528	2648	cmd.exe	50
PID 2648 wrote to memory of 2728	2648	cmd.exe	51
PID 2648 wrote to memory of 2728	2648	cmd.exe	51
PID 2648 wrote to memory of 2728	2648	cmd.exe	51
PID 2648 wrote to memory of 2924	2648	cmd.exe	52
PID 2648 wrote to memory of 2924	2648	cmd.exe	52
PID 2648 wrote to memory of 2924	2648	cmd.exe	52

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\lcb spoofer_updated_quack\cleaners\leakedshit\clean2.bat"
1⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:2792
- C:\Windows\system32\taskkill.exe
  taskkill /f /im epicgameslauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\system32\taskkill.exe
  taskkill /f /im OneDrive.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\system32\taskkill.exe
  taskkill /f /im UnrealCEFSubProcess.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\system32\taskkill.exe
  taskkill /f /im CEFProcess.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:648
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEServices.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BattleEye.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\system32\taskkill.exe
  taskkill /f /im PerfWatson2.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\system32\taskkill.exe
  taskkill /f /im vgtray.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
- C:\Windows\system32\sc.exe
  Sc stop EasyAntiCheat
  2⤵
  - Launches sc.exe
  PID:776
- C:\Windows\system32\sc.exe
  Sc stop FortniteClient-Win64-Shipping_EAC
  2⤵
  - Launches sc.exe
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:528
- C:\Windows\system32\sc.exe
  Sc stop BattleEye
  2⤵
  - Launches sc.exe
  PID:2728
- C:\Windows\system32\sc.exe
  Sc stop FortniteClient-Win64-Shipping_BE
  2⤵
  - Launches sc.exe
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2924