5a23e31df8a552f29c44e23a37e19616080d46c75eb2d7db462eb01441106742

General

Target

Oneclick-V6.7.bat
Size

201KB
Sample

240621-p4pdmathqr
MD5

ea994c0d4dcdf963b7b7bf5cf54a26ae
SHA1

f16c3d7d5f2fd868d9385b601dc411605ba95342
SHA256

5a23e31df8a552f29c44e23a37e19616080d46c75eb2d7db462eb01441106742
SHA512

0a065d62966e08d34dc00973d5955b918f0d588f2f03361099b7b21a5696f8da4a07cc5bd8ad2e1b2153ff3372c95d3d6a19a0d8d61aacd4607a6608adb298da
SSDEEP

1536:97SPKdigMQgPTjIV4wJzSwTgfGH/ngfHH4pX/WaZSiDk2IWOmXmomk:9nnHgv3h4KmXmomk

Score

10^/10

Malware Config

Targets

- Target
  
  Oneclick-V6.7.bat
- Size
  
  201KB
- MD5
  
  ea994c0d4dcdf963b7b7bf5cf54a26ae
- SHA1
  
  f16c3d7d5f2fd868d9385b601dc411605ba95342
- SHA256
  
  5a23e31df8a552f29c44e23a37e19616080d46c75eb2d7db462eb01441106742
- SHA512
  
  0a065d62966e08d34dc00973d5955b918f0d588f2f03361099b7b21a5696f8da4a07cc5bd8ad2e1b2153ff3372c95d3d6a19a0d8d61aacd4607a6608adb298da
- SSDEEP
  
  1536:97SPKdigMQgPTjIV4wJzSwTgfGH/ngfHH4pX/WaZSiDk2IWOmXmomk:9nnHgv3h4KmXmomk
Score

10^/10

defense_evasion discovery evasion execution exploit persistence privilege_escalation ransomware trojan
- Disables service(s)
  evasion execution
- Modifies security service
  evasion
- Modifies visibility of file extensions in Explorer
  evasion
- UAC bypass
  evasion trojan
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Possible privilege escalation attempt
  exploit
- Stops running service(s)
  evasion execution
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Matrix

Tasks

static1

Score

1^/10

behavioral1

defense_evasiondiscoveryevasionexecutionexploitpersistenceprivilege_escalationransomwaretrojan

Score

10^/10

Resubmissions

Sharing

General

Malware Config

Targets

Disables service(s)

Modifies security service

Modifies visibility of file extensions in Explorer

UAC bypass

Modifies boot configuration data using bcdedit

Boot or Logon Autostart Execution: Active Setup

Command and Scripting Interpreter: PowerShell

Possible privilege escalation attempt

Stops running service(s)

Event Triggered Execution: Component Object Model Hijacking

Modifies file permissions

Adds Run key to start application

Enumerates connected drives

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Power Settings

Drops file in System32 directory

MITRE ATT&CK Matrix

Tasks

static1

behavioral1