General

  • Target

    Oneclick-V6.7.bat

  • Size

    202KB

  • Sample

    241129-kc94ss1jgj

  • MD5

    4acd7d1e7294d4ab4e9db8977d5135e4

  • SHA1

    07c5474fcd09ff5843df3f776d665dcf0eef4284

  • SHA256

    b66cd5d6a39c016d0c39e270bed5cc8dbeb1920b3f827d78bc9d36a4a1e3f84f

  • SHA512

    d45a1a26440116df843fbef3bc86a727267cc687f59f9062ef9a66c08a3581c9903d568303d5700dacaad7f5e398601211841328e1784989822d644a426b2d36

  • SSDEEP

    1536:97SPKdigMQgPTjIV4wJzSwTgfGH/ngfHH4pX/paZSiDk2IWOmXmomk:9nnHgvOh4KmXmomk

Malware Config

Targets

    • Target

      Oneclick-V6.7.bat

    • Size

      202KB

    • MD5

      4acd7d1e7294d4ab4e9db8977d5135e4

    • SHA1

      07c5474fcd09ff5843df3f776d665dcf0eef4284

    • SHA256

      b66cd5d6a39c016d0c39e270bed5cc8dbeb1920b3f827d78bc9d36a4a1e3f84f

    • SHA512

      d45a1a26440116df843fbef3bc86a727267cc687f59f9062ef9a66c08a3581c9903d568303d5700dacaad7f5e398601211841328e1784989822d644a426b2d36

    • SSDEEP

      1536:97SPKdigMQgPTjIV4wJzSwTgfGH/ngfHH4pX/paZSiDk2IWOmXmomk:9nnHgvOh4KmXmomk

    • Disables service(s)

    • Modifies security service

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Modifies boot configuration data using bcdedit

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Downloads MZ/PE file

    • Possible privilege escalation attempt

    • Stops running service(s)

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Modifies file permissions

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks