bde9aa21edb27047da788869a13e5f81f6fc8beca594f07fb70236dca1a1f139

Resubmissions

20-01-2025 15:14

250120-smhfjavqhx 10

20-01-2025 15:13

250120-sl6rqsvqgs 10

Analysis

max time kernel
93s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

temp/temp/temp/temp/cleaners/Midnight.bat
Size

104KB
MD5

98c35392bddb76264b1004a0dbf67236
SHA1

2a32cd70da5f7a7fd43952d066f705538e980191
SHA256

5a21145b429b84651b8b30506382c7643e631bc917de152d70cf6aa8fdfb15b8
SHA512

532b6a175755d340f8f5424dadbbd1ee0dac1680979e2365000024a63d226869c12384600597276217b73be7664fe6735da96fd6fb9dc1bd8fa6a5208c219202
SSDEEP

768:l/KZzmezl/svUsfg8gVhCBL1oPY8xC01n5xpoL8oPlRPOpL5LvLpLjLgzJu/:Fg8gU61nvplxL5LvLpLjLw6

Score

8^/10

defense_evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1800	sc.exe

Kills process with taskkill 19 IoCs

defense_evasion

pid	Process
2944	taskkill.exe
1420	taskkill.exe
764	taskkill.exe
3244	taskkill.exe
840	taskkill.exe
2848	taskkill.exe
660	taskkill.exe
4388	taskkill.exe
2088	taskkill.exe
2316	taskkill.exe
532	taskkill.exe
2140	taskkill.exe
1380	taskkill.exe
3068	taskkill.exe
4912	taskkill.exe
1988	taskkill.exe
2964	taskkill.exe
2788	taskkill.exe
1552	taskkill.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	532	taskkill.exe
Token: SeDebugPrivilege	2944	taskkill.exe
Token: SeDebugPrivilege	1420	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	764	taskkill.exe
Token: SeDebugPrivilege	2848	taskkill.exe
Token: SeDebugPrivilege	660	taskkill.exe
Token: SeDebugPrivilege	3244	taskkill.exe
Token: SeDebugPrivilege	2140	taskkill.exe
Token: SeDebugPrivilege	4388	taskkill.exe
Token: SeDebugPrivilege	1380	taskkill.exe
Token: SeDebugPrivilege	3068	taskkill.exe
Token: SeDebugPrivilege	4912	taskkill.exe
Token: SeDebugPrivilege	2088	taskkill.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	2964	taskkill.exe
Token: SeDebugPrivilege	2788	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 532	4108	cmd.exe	84
PID 4108 wrote to memory of 532	4108	cmd.exe	84
PID 4108 wrote to memory of 2944	4108	cmd.exe	86
PID 4108 wrote to memory of 2944	4108	cmd.exe	86
PID 4108 wrote to memory of 1420	4108	cmd.exe	87
PID 4108 wrote to memory of 1420	4108	cmd.exe	87
PID 4108 wrote to memory of 840	4108	cmd.exe	88
PID 4108 wrote to memory of 840	4108	cmd.exe	88
PID 4108 wrote to memory of 764	4108	cmd.exe	89
PID 4108 wrote to memory of 764	4108	cmd.exe	89
PID 4108 wrote to memory of 2848	4108	cmd.exe	90
PID 4108 wrote to memory of 2848	4108	cmd.exe	90
PID 4108 wrote to memory of 660	4108	cmd.exe	91
PID 4108 wrote to memory of 660	4108	cmd.exe	91
PID 4108 wrote to memory of 3244	4108	cmd.exe	92
PID 4108 wrote to memory of 3244	4108	cmd.exe	92
PID 4108 wrote to memory of 2140	4108	cmd.exe	93
PID 4108 wrote to memory of 2140	4108	cmd.exe	93
PID 4108 wrote to memory of 4388	4108	cmd.exe	94
PID 4108 wrote to memory of 4388	4108	cmd.exe	94
PID 4108 wrote to memory of 1380	4108	cmd.exe	95
PID 4108 wrote to memory of 1380	4108	cmd.exe	95
PID 4108 wrote to memory of 3068	4108	cmd.exe	96
PID 4108 wrote to memory of 3068	4108	cmd.exe	96
PID 4108 wrote to memory of 4912	4108	cmd.exe	97
PID 4108 wrote to memory of 4912	4108	cmd.exe	97
PID 4108 wrote to memory of 2088	4108	cmd.exe	98
PID 4108 wrote to memory of 2088	4108	cmd.exe	98
PID 4108 wrote to memory of 2316	4108	cmd.exe	99
PID 4108 wrote to memory of 2316	4108	cmd.exe	99
PID 4108 wrote to memory of 2964	4108	cmd.exe	100
PID 4108 wrote to memory of 2964	4108	cmd.exe	100
PID 4108 wrote to memory of 2788	4108	cmd.exe	101
PID 4108 wrote to memory of 2788	4108	cmd.exe	101
PID 4108 wrote to memory of 1988	4108	cmd.exe	102
PID 4108 wrote to memory of 1988	4108	cmd.exe	102
PID 4108 wrote to memory of 1552	4108	cmd.exe	103
PID 4108 wrote to memory of 1552	4108	cmd.exe	103
PID 4108 wrote to memory of 1800	4108	cmd.exe	104
PID 4108 wrote to memory of 1800	4108	cmd.exe	104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\temp\temp\temp\temp\cleaners\Midnight.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:764
- C:\Windows\system32\taskkill.exe
  taskkill /f /im epicgameslauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:660
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3244
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4388
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1380
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEServices.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4912
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BattleEye.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\system32\taskkill.exe
  taskkill /f /im smartscreen.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\system32\taskkill.exe
  taskkill /f /im smartscreen.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\system32\taskkill.exe
  taskkill /f /im Agent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\system32\taskkill.exe
  taskkill /f /im Client.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\system32\sc.exe
  Sc stop EasyAntiCheat
  2⤵
  - Launches sc.exe
  PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads