5a23e31df8a552f29c44e23a37e19616080d46c75eb2d7db462eb01441106742

Resubmissions

21-06-2024 12:53

240621-p4pdmathqr 10

21-06-2024 12:49

240621-p2vgvstgrr 4

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21-06-2024 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Oneclick-V6.7.bat
Size

201KB
MD5

ea994c0d4dcdf963b7b7bf5cf54a26ae
SHA1

f16c3d7d5f2fd868d9385b601dc411605ba95342
SHA256

5a23e31df8a552f29c44e23a37e19616080d46c75eb2d7db462eb01441106742
SHA512

0a065d62966e08d34dc00973d5955b918f0d588f2f03361099b7b21a5696f8da4a07cc5bd8ad2e1b2153ff3372c95d3d6a19a0d8d61aacd4607a6608adb298da
SSDEEP

1536:97SPKdigMQgPTjIV4wJzSwTgfGH/ngfHH4pX/WaZSiDk2IWOmXmomk:9nnHgv3h4KmXmomk

Score

4^/10

execution

Malware Config

Signatures

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2064 sc.exe
2176 sc.exe
2976 sc.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2520 powershell.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2972 timeout.exe
2616 timeout.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2520 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2520 powershell.exe

pid	process
2064	sc.exe
2176	sc.exe
2976	sc.exe

pid	process
2520	powershell.exe

pid	process
2972	timeout.exe
2616	timeout.exe

pid	process
2520	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2520	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

cmd.exenet.exe

description	pid	process	target process
PID 2932 wrote to memory of 1796	2932	cmd.exe	fltMC.exe
PID 2932 wrote to memory of 1796	2932	cmd.exe	fltMC.exe
PID 2932 wrote to memory of 1796	2932	cmd.exe	fltMC.exe
PID 2932 wrote to memory of 2064	2932	cmd.exe	sc.exe
PID 2932 wrote to memory of 2064	2932	cmd.exe	sc.exe
PID 2932 wrote to memory of 2064	2932	cmd.exe	sc.exe
PID 2932 wrote to memory of 2100	2932	cmd.exe	find.exe
PID 2932 wrote to memory of 2100	2932	cmd.exe	find.exe
PID 2932 wrote to memory of 2100	2932	cmd.exe	find.exe
PID 2932 wrote to memory of 316	2932	cmd.exe	find.exe
PID 2932 wrote to memory of 316	2932	cmd.exe	find.exe
PID 2932 wrote to memory of 316	2932	cmd.exe	find.exe
PID 2932 wrote to memory of 2176	2932	cmd.exe	sc.exe
PID 2932 wrote to memory of 2176	2932	cmd.exe	sc.exe
PID 2932 wrote to memory of 2176	2932	cmd.exe	sc.exe
PID 2932 wrote to memory of 2084	2932	cmd.exe	find.exe
PID 2932 wrote to memory of 2084	2932	cmd.exe	find.exe
PID 2932 wrote to memory of 2084	2932	cmd.exe	find.exe
PID 2932 wrote to memory of 2824	2932	cmd.exe	find.exe
PID 2932 wrote to memory of 2824	2932	cmd.exe	find.exe
PID 2932 wrote to memory of 2824	2932	cmd.exe	find.exe
PID 2932 wrote to memory of 2976	2932	cmd.exe	sc.exe
PID 2932 wrote to memory of 2976	2932	cmd.exe	sc.exe
PID 2932 wrote to memory of 2976	2932	cmd.exe	sc.exe
PID 2932 wrote to memory of 2692	2932	cmd.exe	net.exe
PID 2932 wrote to memory of 2692	2932	cmd.exe	net.exe
PID 2932 wrote to memory of 2692	2932	cmd.exe	net.exe
PID 2692 wrote to memory of 2604	2692	net.exe	net1.exe
PID 2692 wrote to memory of 2604	2692	net.exe	net1.exe
PID 2692 wrote to memory of 2604	2692	net.exe	net1.exe
PID 2932 wrote to memory of 2972	2932	cmd.exe	timeout.exe
PID 2932 wrote to memory of 2972	2932	cmd.exe	timeout.exe
PID 2932 wrote to memory of 2972	2932	cmd.exe	timeout.exe
PID 2932 wrote to memory of 3036	2932	cmd.exe	chcp.com
PID 2932 wrote to memory of 3036	2932	cmd.exe	chcp.com
PID 2932 wrote to memory of 3036	2932	cmd.exe	chcp.com
PID 2932 wrote to memory of 2616	2932	cmd.exe	timeout.exe
PID 2932 wrote to memory of 2616	2932	cmd.exe	timeout.exe
PID 2932 wrote to memory of 2616	2932	cmd.exe	timeout.exe
PID 2932 wrote to memory of 2660	2932	cmd.exe	chcp.com
PID 2932 wrote to memory of 2660	2932	cmd.exe	chcp.com
PID 2932 wrote to memory of 2660	2932	cmd.exe	chcp.com
PID 2932 wrote to memory of 2836	2932	cmd.exe	chcp.com
PID 2932 wrote to memory of 2836	2932	cmd.exe	chcp.com
PID 2932 wrote to memory of 2836	2932	cmd.exe	chcp.com
PID 2932 wrote to memory of 2520	2932	cmd.exe	powershell.exe
PID 2932 wrote to memory of 2520	2932	cmd.exe	powershell.exe
PID 2932 wrote to memory of 2520	2932	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Oneclick-V6.7.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\system32\fltMC.exe
fltmc
2⤵
PID:1796

C:\Windows\system32\sc.exe
sc query "WinDefend"
2⤵
- Launches sc.exe
PID:2064

C:\Windows\system32\find.exe
find "STATE"
2⤵
PID:2100

C:\Windows\system32\find.exe
find "RUNNING"
2⤵
PID:316

C:\Windows\system32\sc.exe
sc qc "TrustedInstaller"
2⤵
- Launches sc.exe
PID:2176

C:\Windows\system32\find.exe
find "START_TYPE"
2⤵
PID:2084

C:\Windows\system32\find.exe
find "DISABLED"
2⤵
PID:2824

C:\Windows\system32\sc.exe
sc config TrustedInstaller start=auto
2⤵
- Launches sc.exe
PID:2976

C:\Windows\system32\net.exe
net start TrustedInstaller
2⤵
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TrustedInstaller
3⤵
PID:2604

C:\Windows\system32\timeout.exe
timeout 1
2⤵
- Delays execution with timeout.exe
PID:2972

C:\Windows\system32\chcp.com
chcp 65001
2⤵
PID:3036

C:\Windows\system32\timeout.exe
timeout 2
2⤵
- Delays execution with timeout.exe
PID:2616

C:\Windows\system32\chcp.com
chcp 65001
2⤵
PID:2660

C:\Windows\system32\chcp.com
chcp 437
2⤵
PID:2836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2532

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2520-4-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2520-5-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download