bde9aa21edb27047da788869a13e5f81f6fc8beca594f07fb70236dca1a1f139

Analysis

max time kernel
92s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

temp/temp/temp/temp/cleaners/Midnight.bat
Size

104KB
MD5

98c35392bddb76264b1004a0dbf67236
SHA1

2a32cd70da5f7a7fd43952d066f705538e980191
SHA256

5a21145b429b84651b8b30506382c7643e631bc917de152d70cf6aa8fdfb15b8
SHA512

532b6a175755d340f8f5424dadbbd1ee0dac1680979e2365000024a63d226869c12384600597276217b73be7664fe6735da96fd6fb9dc1bd8fa6a5208c219202
SSDEEP

768:l/KZzmezl/svUsfg8gVhCBL1oPY8xC01n5xpoL8oPlRPOpL5LvLpLjLgzJu/:Fg8gU61nvplxL5LvLpLjLw6

Score

8^/10

defense_evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2748	sc.exe

Kills process with taskkill 19 IoCs

defense_evasion

pid	Process
1060	taskkill.exe
4064	taskkill.exe
5036	taskkill.exe
1740	taskkill.exe
1252	taskkill.exe
4480	taskkill.exe
3940	taskkill.exe
208	taskkill.exe
1736	taskkill.exe
2248	taskkill.exe
2272	taskkill.exe
4308	taskkill.exe
3376	taskkill.exe
5056	taskkill.exe
3024	taskkill.exe
4488	taskkill.exe
3408	taskkill.exe
4184	taskkill.exe
3872	taskkill.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	2272	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	4184	taskkill.exe
Token: SeDebugPrivilege	1252	taskkill.exe
Token: SeDebugPrivilege	3872	taskkill.exe
Token: SeDebugPrivilege	4480	taskkill.exe
Token: SeDebugPrivilege	4064	taskkill.exe
Token: SeDebugPrivilege	3376	taskkill.exe
Token: SeDebugPrivilege	5036	taskkill.exe
Token: SeDebugPrivilege	3940	taskkill.exe
Token: SeDebugPrivilege	208	taskkill.exe
Token: SeDebugPrivilege	5056	taskkill.exe
Token: SeDebugPrivilege	3024	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	4488	taskkill.exe
Token: SeDebugPrivilege	3408	taskkill.exe
Token: SeDebugPrivilege	4308	taskkill.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 1736	3668	cmd.exe	84
PID 3668 wrote to memory of 1736	3668	cmd.exe	84
PID 3668 wrote to memory of 2248	3668	cmd.exe	86
PID 3668 wrote to memory of 2248	3668	cmd.exe	86
PID 3668 wrote to memory of 2272	3668	cmd.exe	87
PID 3668 wrote to memory of 2272	3668	cmd.exe	87
PID 3668 wrote to memory of 1740	3668	cmd.exe	88
PID 3668 wrote to memory of 1740	3668	cmd.exe	88
PID 3668 wrote to memory of 4184	3668	cmd.exe	89
PID 3668 wrote to memory of 4184	3668	cmd.exe	89
PID 3668 wrote to memory of 1252	3668	cmd.exe	90
PID 3668 wrote to memory of 1252	3668	cmd.exe	90
PID 3668 wrote to memory of 3872	3668	cmd.exe	91
PID 3668 wrote to memory of 3872	3668	cmd.exe	91
PID 3668 wrote to memory of 4480	3668	cmd.exe	92
PID 3668 wrote to memory of 4480	3668	cmd.exe	92
PID 3668 wrote to memory of 4064	3668	cmd.exe	93
PID 3668 wrote to memory of 4064	3668	cmd.exe	93
PID 3668 wrote to memory of 3376	3668	cmd.exe	94
PID 3668 wrote to memory of 3376	3668	cmd.exe	94
PID 3668 wrote to memory of 5036	3668	cmd.exe	95
PID 3668 wrote to memory of 5036	3668	cmd.exe	95
PID 3668 wrote to memory of 3940	3668	cmd.exe	96
PID 3668 wrote to memory of 3940	3668	cmd.exe	96
PID 3668 wrote to memory of 208	3668	cmd.exe	97
PID 3668 wrote to memory of 208	3668	cmd.exe	97
PID 3668 wrote to memory of 5056	3668	cmd.exe	98
PID 3668 wrote to memory of 5056	3668	cmd.exe	98
PID 3668 wrote to memory of 3024	3668	cmd.exe	99
PID 3668 wrote to memory of 3024	3668	cmd.exe	99
PID 3668 wrote to memory of 1060	3668	cmd.exe	100
PID 3668 wrote to memory of 1060	3668	cmd.exe	100
PID 3668 wrote to memory of 4488	3668	cmd.exe	101
PID 3668 wrote to memory of 4488	3668	cmd.exe	101
PID 3668 wrote to memory of 3408	3668	cmd.exe	102
PID 3668 wrote to memory of 3408	3668	cmd.exe	102
PID 3668 wrote to memory of 4308	3668	cmd.exe	103
PID 3668 wrote to memory of 4308	3668	cmd.exe	103
PID 3668 wrote to memory of 2748	3668	cmd.exe	104
PID 3668 wrote to memory of 2748	3668	cmd.exe	104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\temp\temp\temp\temp\cleaners\Midnight.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4184
- C:\Windows\system32\taskkill.exe
  taskkill /f /im epicgameslauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3872
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4480
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4064
- C:\Windows\system32\taskkill.exe
  taskkill /f /im FortniteLauncher.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3376
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3940
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BEServices.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:208
- C:\Windows\system32\taskkill.exe
  taskkill /f /im BattleEye.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5056
- C:\Windows\system32\taskkill.exe
  taskkill /f /im smartscreen.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\system32\taskkill.exe
  taskkill /f /im smartscreen.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4488
- C:\Windows\system32\taskkill.exe
  taskkill /f /im Agent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3408
- C:\Windows\system32\taskkill.exe
  taskkill /f /im Client.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4308
- C:\Windows\system32\sc.exe
  Sc stop EasyAntiCheat
  2⤵
  - Launches sc.exe
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads