bde9aa21edb27047da788869a13e5f81f6fc8beca594f07fb70236dca1a1f139

Resubmissions

20-01-2025 15:14

250120-smhfjavqhx 10

20-01-2025 15:13

250120-sl6rqsvqgs 10

Analysis

max time kernel
92s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

temp/temp/temp/temp/cleaners/Midnight.bat
Size

104KB
MD5

98c35392bddb76264b1004a0dbf67236
SHA1

2a32cd70da5f7a7fd43952d066f705538e980191
SHA256

5a21145b429b84651b8b30506382c7643e631bc917de152d70cf6aa8fdfb15b8
SHA512

532b6a175755d340f8f5424dadbbd1ee0dac1680979e2365000024a63d226869c12384600597276217b73be7664fe6735da96fd6fb9dc1bd8fa6a5208c219202
SSDEEP

768:l/KZzmezl/svUsfg8gVhCBL1oPY8xC01n5xpoL8oPlRPOpL5LvLpLjLgzJu/:Fg8gU61nvplxL5LvLpLjLw6

Score

8^/10

defense_evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3736	sc.exe

Kills process with taskkill 19 IoCs

defense_evasion

pid	Process
2780	taskkill.exe
2884	taskkill.exe
2556	taskkill.exe
4272	taskkill.exe
3964	taskkill.exe
2352	taskkill.exe
2736	taskkill.exe
2652	taskkill.exe
4924	taskkill.exe
2620	taskkill.exe
1580	taskkill.exe
3844	taskkill.exe
60	taskkill.exe
448	taskkill.exe
4300	taskkill.exe
3636	taskkill.exe
5092	taskkill.exe
320	taskkill.exe
3144	taskkill.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	taskkill.exe
Token: SeDebugPrivilege	5092	taskkill.exe
Token: SeDebugPrivilege	2352	taskkill.exe
Token: SeDebugPrivilege	320	taskkill.exe
Token: SeDebugPrivilege	3144	taskkill.exe
Token: SeDebugPrivilege	2736	taskkill.exe
Token: SeDebugPrivilege	1580	taskkill.exe
Token: SeDebugPrivilege	2884	taskkill.exe
Token: SeDebugPrivilege	60	taskkill.exe
Token: SeDebugPrivilege	2652	taskkill.exe
Token: SeDebugPrivilege	448	taskkill.exe
Token: SeDebugPrivilege	4300	taskkill.exe
Token: SeDebugPrivilege	2556	taskkill.exe
Token: SeDebugPrivilege	4272	taskkill.exe
Token: SeDebugPrivilege	2780	taskkill.exe
Token: SeDebugPrivilege	3844	taskkill.exe
Token: SeDebugPrivilege	3636	taskkill.exe
Token: SeDebugPrivilege	3964	taskkill.exe
Token: SeDebugPrivilege	4924	taskkill.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 2620	1840	cmd.exe	84
PID 1840 wrote to memory of 2620	1840	cmd.exe	84
PID 1840 wrote to memory of 5092	1840	cmd.exe	86
PID 1840 wrote to memory of 5092	1840	cmd.exe	86
PID 1840 wrote to memory of 2352	1840	cmd.exe	87
PID 1840 wrote to memory of 2352	1840	cmd.exe	87
PID 1840 wrote to memory of 320	1840	cmd.exe	88
PID 1840 wrote to memory of 320	1840	cmd.exe	88
PID 1840 wrote to memory of 3144	1840	cmd.exe	89
PID 1840 wrote to memory of 3144	1840	cmd.exe	89
PID 1840 wrote to memory of 2736	1840	cmd.exe	90
PID 1840 wrote to memory of 2736	1840	cmd.exe	90
PID 1840 wrote to memory of 1580	1840	cmd.exe	91
PID 1840 wrote to memory of 1580	1840	cmd.exe	91
PID 1840 wrote to memory of 2884	1840	cmd.exe	92
PID 1840 wrote to memory of 2884	1840	cmd.exe	92
PID 1840 wrote to memory of 60	1840	cmd.exe	93
PID 1840 wrote to memory of 60	1840	cmd.exe	93
PID 1840 wrote to memory of 2652	1840	cmd.exe	94
PID 1840 wrote to memory of 2652	1840	cmd.exe	94
PID 1840 wrote to memory of 448	1840	cmd.exe	95
PID 1840 wrote to memory of 448	1840	cmd.exe	95
PID 1840 wrote to memory of 4300	1840	cmd.exe	96
PID 1840 wrote to memory of 4300	1840	cmd.exe	96
PID 1840 wrote to memory of 2556	1840	cmd.exe	97
PID 1840 wrote to memory of 2556	1840	cmd.exe	97
PID 1840 wrote to memory of 4272	1840	cmd.exe	98
PID 1840 wrote to memory of 4272	1840	cmd.exe	98
PID 1840 wrote to memory of 2780	1840	cmd.exe	99
PID 1840 wrote to memory of 2780	1840	cmd.exe	99
PID 1840 wrote to memory of 3844	1840	cmd.exe	100
PID 1840 wrote to memory of 3844	1840	cmd.exe	100
PID 1840 wrote to memory of 3636	1840	cmd.exe	101
PID 1840 wrote to memory of 3636	1840	cmd.exe	101
PID 1840 wrote to memory of 3964	1840	cmd.exe	102
PID 1840 wrote to memory of 3964	1840	cmd.exe	102
PID 1840 wrote to memory of 4924	1840	cmd.exe	103
PID 1840 wrote to memory of 4924	1840	cmd.exe	103
PID 1840 wrote to memory of 3736	1840	cmd.exe	104
PID 1840 wrote to memory of 3736	1840	cmd.exe	104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\temp\temp\temp\temp\cleaners\Midnight.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5092
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3144
- C:\Windows\system32\taskkill.exe
  taskkill /f /im epicgameslauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:60
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEServices.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BattleEye.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4272
- C:\Windows\system32\taskkill.exe
  taskkill /f /im smartscreen.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\system32\taskkill.exe
  taskkill /f /im smartscreen.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3844
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3636
- C:\Windows\system32\taskkill.exe
  taskkill /f /im Agent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3964
- C:\Windows\system32\taskkill.exe
  taskkill /f /im Client.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4924
- C:\Windows\system32\sc.exe
  Sc stop EasyAntiCheat
  2⤵
  - Launches sc.exe
  PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads