Resubmissions
- 240707-26tgkstaqe, submitted 07/07/2024, 23:12, score 10
max time kernel: 1368s
max time network: 1167s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/07/2024, 23:12
Static task: static1
Behavioral task behavioral1: sample Oneclick-V6.7.bat, resource win7-20240704-en
Behavioral task behavioral2: sample Oneclick-V6.7.bat, resource win10v2004-20240704-en
General
Target: Oneclick-V6.7.bat
Size: 202KB
MD5: 4acd7d1e7294d4ab4e9db8977d5135e4
SHA1: 07c5474fcd09ff5843df3f776d665dcf0eef4284
SHA256: b66cd5d6a39c016d0c39e270bed5cc8dbeb1920b3f827d78bc9d36a4a1e3f84f
SHA512: d45a1a26440116df843fbef3bc86a727267cc687f59f9062ef9a66c08a3581c9903d568303d5700dacaad7f5e398601211841328e1784989822d644a426b2d36
SSDEEP: 1536:97SPKdigMQgPTjIV4wJzSwTgfGH/ngfHH4pX/paZSiDk2IWOmXmomk:9nnHgvOh4KmXmomk
Malware Config
Signatures
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow 19: raw.githubusercontent.com
  flow 20: raw.githubusercontent.com
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  PID 316 sc.exe; PID 4368 sc.exe; PID 3052 sc.exe
- Command and Scripting Interpreter: PowerShell (signature title missing from the extracted report; matched to PID 4732 in the process tree)
  PID 4732 powershell.exe
- Delays execution with timeout.exe (2 IoCs)
  PID 1780 timeout.exe; PID 2932 timeout.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4732 powershell.exe (listed twice)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, PID 4732 powershell.exe
- Suspicious use of WriteProcessMemory (36 IoCs; the report lists each write twice, so the 18 distinct writes are given once here)
  PID 2228 cmd.exe wrote to memory of 2852 (procid_target 83)
  PID 2228 cmd.exe wrote to memory of 316 (procid_target 85)
  PID 2228 cmd.exe wrote to memory of 1888 (procid_target 86)
  PID 2228 cmd.exe wrote to memory of 640 (procid_target 87)
  PID 2228 cmd.exe wrote to memory of 4368 (procid_target 88)
  PID 2228 cmd.exe wrote to memory of 4648 (procid_target 89)
  PID 2228 cmd.exe wrote to memory of 4724 (procid_target 90)
  PID 2228 cmd.exe wrote to memory of 3052 (procid_target 91)
  PID 2228 cmd.exe wrote to memory of 2888 (procid_target 92)
  PID 2888 net.exe wrote to memory of 3960 (procid_target 94)
  PID 2228 cmd.exe wrote to memory of 5104 (procid_target 97)
  PID 2228 cmd.exe wrote to memory of 1780 (procid_target 98)
  PID 2228 cmd.exe wrote to memory of 3036 (procid_target 99)
  PID 2228 cmd.exe wrote to memory of 3632 (procid_target 100)
  PID 2228 cmd.exe wrote to memory of 2932 (procid_target 101)
  PID 2228 cmd.exe wrote to memory of 3116 (procid_target 102)
  PID 2228 cmd.exe wrote to memory of 4104 (procid_target 103)
  PID 2228 cmd.exe wrote to memory of 4732 (procid_target 104)
Processes (process tree; depth shown by indentation)
- PID 2228: C:\Windows\system32\cmd.exe
  Command: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Oneclick-V6.7.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - PID 2852: C:\Windows\system32\fltMC.exe
    Command: fltmc
  - PID 316: C:\Windows\system32\sc.exe
    Command: sc query "WinDefend"
    Signatures: Launches sc.exe
  - PID 1888: C:\Windows\system32\find.exe
    Command: find "STATE"
  - PID 640: C:\Windows\system32\find.exe
    Command: find "RUNNING"
  - PID 4368: C:\Windows\system32\sc.exe
    Command: sc qc "TrustedInstaller"
    Signatures: Launches sc.exe
  - PID 4648: C:\Windows\system32\find.exe
    Command: find "START_TYPE"
  - PID 4724: C:\Windows\system32\find.exe
    Command: find "DISABLED"
  - PID 3052: C:\Windows\system32\sc.exe
    Command: sc config TrustedInstaller start=auto
    Signatures: Launches sc.exe
  - PID 2888: C:\Windows\system32\net.exe
    Command: net start TrustedInstaller
    Signatures: Suspicious use of WriteProcessMemory
    - PID 3960: C:\Windows\system32\net1.exe
      Command: C:\Windows\system32\net1 start TrustedInstaller
  - PID 5104: C:\Windows\system32\curl.exe
    Command: curl -s -L "https://github.com/QuakedK/Downloads/raw/main/OneclickTools.zip" -o "C:\\Oneclick Tools.zip"
  - PID 1780: C:\Windows\system32\timeout.exe
    Command: timeout 1
    Signatures: Delays execution with timeout.exe
  - PID 3036: C:\Windows\system32\tar.exe
    Command: tar -xf "C:\\Oneclick Tools.zip" --strip-components=1
  - PID 3632: C:\Windows\system32\chcp.com
    Command: chcp 65001
  - PID 2932: C:\Windows\system32\timeout.exe
    Command: timeout 2
    Signatures: Delays execution with timeout.exe
  - PID 3116: C:\Windows\system32\chcp.com
    Command: chcp 65001
  - PID 4104: C:\Windows\system32\chcp.com
    Command: chcp 437
  - PID 4732: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 564KB
  MD5: d2be90c23063c07c5bf6e02c9400ac35
  SHA1: c2ca99de035c17ba9b7912c26725efffe290b1db
  SHA256: 9422365acf6002368d3752faa01d4a428adee1fe902fce397d024dabb4e009b3
  SHA512: 13935887c0bb2006e65c0fd65cd625ac467d52425cbd084b21ae7246a1b97ed2a92916fa62fabf561e2bf0d610aa3dc4fd7e945d86d37280d8eabf2a0b46909e
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82