bde9aa21edb27047da788869a13e5f81f6fc8beca594f07fb70236dca1a1f139

Resubmissions

20/01/2025, 15:14

250120-smhfjavqhx 10

20/01/2025, 15:13

250120-sl6rqsvqgs 10

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/01/2025, 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

temp/temp/temp/temp/cleaners/Midnight.bat
Size

104KB
MD5

98c35392bddb76264b1004a0dbf67236
SHA1

2a32cd70da5f7a7fd43952d066f705538e980191
SHA256

5a21145b429b84651b8b30506382c7643e631bc917de152d70cf6aa8fdfb15b8
SHA512

532b6a175755d340f8f5424dadbbd1ee0dac1680979e2365000024a63d226869c12384600597276217b73be7664fe6735da96fd6fb9dc1bd8fa6a5208c219202
SSDEEP

768:l/KZzmezl/svUsfg8gVhCBL1oPY8xC01n5xpoL8oPlRPOpL5LvLpLjLgzJu/:Fg8gU61nvplxL5LvLpLjLw6

Score

8^/10

defense_evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2084	sc.exe

Kills process with taskkill 19 IoCs

defense_evasion

pid	Process
1840	taskkill.exe
1360	taskkill.exe
2672	taskkill.exe
2824	taskkill.exe
2816	taskkill.exe
3056	taskkill.exe
2608	taskkill.exe
3020	taskkill.exe
596	taskkill.exe
2452	taskkill.exe
2212	taskkill.exe
2532	taskkill.exe
3004	taskkill.exe
1644	taskkill.exe
2800	taskkill.exe
2752	taskkill.exe
2788	taskkill.exe
1492	taskkill.exe
1000	taskkill.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2452	taskkill.exe
Token: SeDebugPrivilege	2672	taskkill.exe
Token: SeDebugPrivilege	2752	taskkill.exe
Token: SeDebugPrivilege	2824	taskkill.exe
Token: SeDebugPrivilege	2816	taskkill.exe
Token: SeDebugPrivilege	2788	taskkill.exe
Token: SeDebugPrivilege	2212	taskkill.exe
Token: SeDebugPrivilege	3056	taskkill.exe
Token: SeDebugPrivilege	1492	taskkill.exe
Token: SeDebugPrivilege	2532	taskkill.exe
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	2800	taskkill.exe
Token: SeDebugPrivilege	596	taskkill.exe
Token: SeDebugPrivilege	1360	taskkill.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2452	2080	cmd.exe	32
PID 2080 wrote to memory of 2452	2080	cmd.exe	32
PID 2080 wrote to memory of 2452	2080	cmd.exe	32
PID 2080 wrote to memory of 2672	2080	cmd.exe	34
PID 2080 wrote to memory of 2672	2080	cmd.exe	34
PID 2080 wrote to memory of 2672	2080	cmd.exe	34
PID 2080 wrote to memory of 2752	2080	cmd.exe	35
PID 2080 wrote to memory of 2752	2080	cmd.exe	35
PID 2080 wrote to memory of 2752	2080	cmd.exe	35
PID 2080 wrote to memory of 2824	2080	cmd.exe	36
PID 2080 wrote to memory of 2824	2080	cmd.exe	36
PID 2080 wrote to memory of 2824	2080	cmd.exe	36
PID 2080 wrote to memory of 2816	2080	cmd.exe	37
PID 2080 wrote to memory of 2816	2080	cmd.exe	37
PID 2080 wrote to memory of 2816	2080	cmd.exe	37
PID 2080 wrote to memory of 2788	2080	cmd.exe	38
PID 2080 wrote to memory of 2788	2080	cmd.exe	38
PID 2080 wrote to memory of 2788	2080	cmd.exe	38
PID 2080 wrote to memory of 2212	2080	cmd.exe	39
PID 2080 wrote to memory of 2212	2080	cmd.exe	39
PID 2080 wrote to memory of 2212	2080	cmd.exe	39
PID 2080 wrote to memory of 3056	2080	cmd.exe	40
PID 2080 wrote to memory of 3056	2080	cmd.exe	40
PID 2080 wrote to memory of 3056	2080	cmd.exe	40
PID 2080 wrote to memory of 1492	2080	cmd.exe	41
PID 2080 wrote to memory of 1492	2080	cmd.exe	41
PID 2080 wrote to memory of 1492	2080	cmd.exe	41
PID 2080 wrote to memory of 2532	2080	cmd.exe	42
PID 2080 wrote to memory of 2532	2080	cmd.exe	42
PID 2080 wrote to memory of 2532	2080	cmd.exe	42
PID 2080 wrote to memory of 2608	2080	cmd.exe	43
PID 2080 wrote to memory of 2608	2080	cmd.exe	43
PID 2080 wrote to memory of 2608	2080	cmd.exe	43
PID 2080 wrote to memory of 3004	2080	cmd.exe	44
PID 2080 wrote to memory of 3004	2080	cmd.exe	44
PID 2080 wrote to memory of 3004	2080	cmd.exe	44
PID 2080 wrote to memory of 3020	2080	cmd.exe	45
PID 2080 wrote to memory of 3020	2080	cmd.exe	45
PID 2080 wrote to memory of 3020	2080	cmd.exe	45
PID 2080 wrote to memory of 1000	2080	cmd.exe	46
PID 2080 wrote to memory of 1000	2080	cmd.exe	46
PID 2080 wrote to memory of 1000	2080	cmd.exe	46
PID 2080 wrote to memory of 1644	2080	cmd.exe	47
PID 2080 wrote to memory of 1644	2080	cmd.exe	47
PID 2080 wrote to memory of 1644	2080	cmd.exe	47
PID 2080 wrote to memory of 1840	2080	cmd.exe	48
PID 2080 wrote to memory of 1840	2080	cmd.exe	48
PID 2080 wrote to memory of 1840	2080	cmd.exe	48
PID 2080 wrote to memory of 2800	2080	cmd.exe	49
PID 2080 wrote to memory of 2800	2080	cmd.exe	49
PID 2080 wrote to memory of 2800	2080	cmd.exe	49
PID 2080 wrote to memory of 596	2080	cmd.exe	50
PID 2080 wrote to memory of 596	2080	cmd.exe	50
PID 2080 wrote to memory of 596	2080	cmd.exe	50
PID 2080 wrote to memory of 1360	2080	cmd.exe	51
PID 2080 wrote to memory of 1360	2080	cmd.exe	51
PID 2080 wrote to memory of 1360	2080	cmd.exe	51
PID 2080 wrote to memory of 2084	2080	cmd.exe	52
PID 2080 wrote to memory of 2084	2080	cmd.exe	52
PID 2080 wrote to memory of 2084	2080	cmd.exe	52

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\temp\temp\temp\temp\cleaners\Midnight.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\system32\taskkill.exe
  taskkill /f /im epicgameslauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEServices.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BattleEye.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\system32\taskkill.exe
  taskkill /f /im smartscreen.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\system32\taskkill.exe
  taskkill /f /im smartscreen.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\system32\taskkill.exe
  taskkill /f /im Agent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:596
- C:\Windows\system32\taskkill.exe
  taskkill /f /im Client.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\Windows\system32\sc.exe
  Sc stop EasyAntiCheat
  2⤵
  - Launches sc.exe
  PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Windows 7 deprecation

Loading Replay Monitor...