f578d77e5264494fd9cf4b740953b12b348745c43cc256cc5339c6a91413f909

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lcb spoofer_updated_quack/cleaners/leakedshit/clean2.bat
Size

260KB
MD5

049fce145abfed6afa90599762b08c6b
SHA1

563036667eb0a743c138f9f245cabfffe07c424e
SHA256

97377c7ae3ff41e72dac718a4dd82cdd079ff50e026ce159d3435e6edb8bc543
SHA512

e610806fbbf5365370538a1055637b5bf3ae9ae09f8779c1289b7800a9472f4f95db051c15c21af45bb70bfb99d2ef59846814ad36d8ecb6cd31c73e7dc443bb
SSDEEP

1536:gWNoZxBOz2ouKKCWZr3PwUWg28361L5LvLpLjL5Azf4oH9Yzf4gH9c:gbKKCWCUWg284oH9Q4gH9c

Score

8^/10

discovery evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid	Process
1672	sc.exe
1904	sc.exe
4768	sc.exe
2584	sc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

sc.exesc.exe

pid	Process
2584	sc.exe
1904	sc.exe

Kills process with taskkill 15 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
2952	taskkill.exe
1996	taskkill.exe
3244	taskkill.exe
848	taskkill.exe
4748	taskkill.exe
2664	taskkill.exe
1688	taskkill.exe
4480	taskkill.exe
2740	taskkill.exe
1144	taskkill.exe
1400	taskkill.exe
3756	taskkill.exe
4968	taskkill.exe
1992	taskkill.exe
4864	taskkill.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	Process
Token: SeDebugPrivilege	3244	taskkill.exe
Token: SeDebugPrivilege	4864	taskkill.exe
Token: SeDebugPrivilege	848	taskkill.exe
Token: SeDebugPrivilege	3756	taskkill.exe
Token: SeDebugPrivilege	4748	taskkill.exe
Token: SeDebugPrivilege	2664	taskkill.exe
Token: SeDebugPrivilege	2952	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	4480	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	1400	taskkill.exe
Token: SeDebugPrivilege	4968	taskkill.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

cmd.exe

description	pid	Process	procid_target
PID 1600 wrote to memory of 4072	1600	cmd.exe	83
PID 1600 wrote to memory of 4072	1600	cmd.exe	83
PID 1600 wrote to memory of 3244	1600	cmd.exe	84
PID 1600 wrote to memory of 3244	1600	cmd.exe	84
PID 1600 wrote to memory of 4864	1600	cmd.exe	86
PID 1600 wrote to memory of 4864	1600	cmd.exe	86
PID 1600 wrote to memory of 848	1600	cmd.exe	87
PID 1600 wrote to memory of 848	1600	cmd.exe	87
PID 1600 wrote to memory of 3756	1600	cmd.exe	88
PID 1600 wrote to memory of 3756	1600	cmd.exe	88
PID 1600 wrote to memory of 4748	1600	cmd.exe	89
PID 1600 wrote to memory of 4748	1600	cmd.exe	89
PID 1600 wrote to memory of 2664	1600	cmd.exe	90
PID 1600 wrote to memory of 2664	1600	cmd.exe	90
PID 1600 wrote to memory of 2952	1600	cmd.exe	91
PID 1600 wrote to memory of 2952	1600	cmd.exe	91
PID 1600 wrote to memory of 1688	1600	cmd.exe	92
PID 1600 wrote to memory of 1688	1600	cmd.exe	92
PID 1600 wrote to memory of 4480	1600	cmd.exe	93
PID 1600 wrote to memory of 4480	1600	cmd.exe	93
PID 1600 wrote to memory of 1992	1600	cmd.exe	94
PID 1600 wrote to memory of 1992	1600	cmd.exe	94
PID 1600 wrote to memory of 1996	1600	cmd.exe	95
PID 1600 wrote to memory of 1996	1600	cmd.exe	95
PID 1600 wrote to memory of 2740	1600	cmd.exe	96
PID 1600 wrote to memory of 2740	1600	cmd.exe	96
PID 1600 wrote to memory of 1144	1600	cmd.exe	97
PID 1600 wrote to memory of 1144	1600	cmd.exe	97
PID 1600 wrote to memory of 1400	1600	cmd.exe	98
PID 1600 wrote to memory of 1400	1600	cmd.exe	98
PID 1600 wrote to memory of 4968	1600	cmd.exe	99
PID 1600 wrote to memory of 4968	1600	cmd.exe	99
PID 1600 wrote to memory of 1672	1600	cmd.exe	100
PID 1600 wrote to memory of 1672	1600	cmd.exe	100
PID 1600 wrote to memory of 1904	1600	cmd.exe	101
PID 1600 wrote to memory of 1904	1600	cmd.exe	101
PID 1600 wrote to memory of 4768	1600	cmd.exe	102
PID 1600 wrote to memory of 4768	1600	cmd.exe	102
PID 1600 wrote to memory of 2584	1600	cmd.exe	103
PID 1600 wrote to memory of 2584	1600	cmd.exe	103

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\lcb spoofer_updated_quack\cleaners\leakedshit\clean2.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:4072
- C:\Windows\system32\taskkill.exe
  taskkill /f /im epicgameslauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3244
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4864
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- C:\Windows\system32\taskkill.exe
  taskkill /f /im OneDrive.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4748
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\system32\taskkill.exe
  taskkill /f /im UnrealCEFSubProcess.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\system32\taskkill.exe
  taskkill /f /im CEFProcess.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4480
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEServices.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BattleEye.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\system32\taskkill.exe
  taskkill /f /im PerfWatson2.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1400
- C:\Windows\system32\taskkill.exe
  taskkill /f /im vgtray.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- C:\Windows\system32\sc.exe
  Sc stop EasyAntiCheat
  2⤵
  - Launches sc.exe
  PID:1672
- C:\Windows\system32\sc.exe
  Sc stop FortniteClient-Win64-Shipping_EAC
  2⤵
  - Launches sc.exe
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1904
- C:\Windows\system32\sc.exe
  Sc stop BattleEye
  2⤵
  - Launches sc.exe
  PID:4768
- C:\Windows\system32\sc.exe
  Sc stop FortniteClient-Win64-Shipping_BE
  2⤵
  - Launches sc.exe
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2584