General
-
Target
Full-Package-OneClick-V6.7.zip
-
Size
1.3MB
-
Sample
241130-g5lecs1mhn
-
MD5
d8dc00ed1b4565dc180ceacd4b44ced3
-
SHA1
623cd693f170780c1859bc6d9f8c693e8d1b5cfa
-
SHA256
3b1189ee57ef95b9164a3908f33115d58e34edf0fc856ae256f7ec1910d86f21
-
SHA512
b77d52184a9b40fab368e4e67179c5fc71825a3895dc665ded380dc1c5a44d7da12be97c5637ef2c35e8ae73cd1354a7a40e54947c5aa5dbdba1c76820c51a83
-
SSDEEP
24576:7Vop8eTs5bNuKI01xVIjf7fySbYRgikjmqjrU74en00tO9Jkq7Yylia9QlpNJS:7VO4NDIiqfOSMRgt3G4en0SXqga9gS
Malware Config
Targets
-
-
Target
(Full Package) One Click OPT Ver - 6.7/1- One Click OPT/1- Oneclick V6.7 (Ultimate Performance)/Oneclick V6.7.bat
-
Size
202KB
-
MD5
4acd7d1e7294d4ab4e9db8977d5135e4
-
SHA1
07c5474fcd09ff5843df3f776d665dcf0eef4284
-
SHA256
b66cd5d6a39c016d0c39e270bed5cc8dbeb1920b3f827d78bc9d36a4a1e3f84f
-
SHA512
d45a1a26440116df843fbef3bc86a727267cc687f59f9062ef9a66c08a3581c9903d568303d5700dacaad7f5e398601211841328e1784989822d644a426b2d36
-
SSDEEP
1536:97SPKdigMQgPTjIV4wJzSwTgfGH/ngfHH4pX/paZSiDk2IWOmXmomk:9nnHgvOh4KmXmomk
Score10/10-
Disables service(s)
-
Modifies security service
-
Modifies visibility of file extensions in Explorer
-
UAC bypass
-
Modifies boot configuration data using bcdedit
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Stops running service(s)
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Modifies file permissions
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
-
-
Target
(Full Package) One Click OPT Ver - 6.7/1- One Click OPT/2- Orca V3/Orca V3.bat
-
Size
35KB
-
MD5
2f1c0a6e88c644e1fe7f7208e0029b14
-
SHA1
fd11c4fcb106f51db0f94091e2f46b1bd142609b
-
SHA256
f7e541ae25adf370120698c1d55f77d15c42209378b09b996a12e8a6bf90a996
-
SHA512
236cbb90131e654f33dca660ba7532ac59e22ce58edaeaa15cfc50c66d738e6ac5b847be11986655ef8c168a1c27c5e4dc01972d7d3a990d3650a16ccab5a2d2
-
SSDEEP
384:U66Vcy9CzCPhjszIuG4cD1hzGbs7dffqLzVHPAFwH2V09PsB7olKElQKac+iD3MF:Z6Vcy9CzCPhaigxWFoKElQKac+iDDTDO
Score10/10-
Disables service(s)
-
Modifies security service
-
Possible privilege escalation attempt
-
Stops running service(s)
-
Modifies file permissions
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
-
-
-
Target
(Full Package) One Click OPT Ver - 6.7/1- One Click OPT/3- OrcaLIte V2/OrcaLiteV2.bat
-
Size
6KB
-
MD5
b983f8044304ab741b792a87e4808c77
-
SHA1
180cd6dea7b9fa5ad58ca51793e7e2be669dbc97
-
SHA256
321748d1d6d36bd20590738f4ec25db4f3535789083bd56b069657426f775d8b
-
SHA512
337649a5db34fb3e4a99588ff671a052894e358a9b8bb5204964de98b43c53096904336e538939a497f9eb0851f0c20cc9e620754f72e6a6472cc922172e6f04
-
SSDEEP
192:BM/KbVcy9CzCPhkt010zIuGMwramjnZ4IB5S0b0h1hzo7gthoEOTjm/M0ECsYOy7:B66Vcy9CzCPhktsSIuG4c41hzGGs7g
Score8/10-
Possible privilege escalation attempt
-
Modifies file permissions
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
-
-
-
Target
(Full Package) One Click OPT Ver - 6.7/1- One Click OPT/4 - Process Destroyer V2.1/Process Destroyer 2.1.bat
-
Size
3KB
-
MD5
07eb39b2e136e2b6346ef8d4d20465a1
-
SHA1
1396dc3772079e611a2cf738b6f67c65f3743704
-
SHA256
1eec0e628ad9eaeab06c2174c5f526e5ec305e948371507cd1aaaf56e7246cce
-
SHA512
092372ec030b7962d438123ee0a125dd0eeb2744ede249b6153c29a9f8b1c9c57be19eff64dd8f862d4d2063a2c268acda3cb6bb412481561f3636bf74dd4d67
Score10/10-
Modifies security service
-
Modifies Security services
Modifies the startup behavior of a security service.
-
-
-
Target
(Full Package) One Click OPT Ver - 6.7/2- Fixer-Help/1- Wifi & Bluetooth Fixer/1- Turn On Wifi.bat
-
Size
4KB
-
MD5
c4e59358e2c650ffaef0331bfa763327
-
SHA1
33f4691f5b1bd03f84d7a9b3ab083e69e67a9bf9
-
SHA256
d49127188ddaf54b8f65939f57360a1868ff43e2396d3389deb9bcf88ce6b97d
-
SHA512
c03bd2d1f1c25660d8c477a98391080e0f6313339d4b3c7beae5f43413c0d879e313c7aa5aa587c13dbdd0eb0b976d341b7ffdaf6997ce842c704740da098fa5
-
SSDEEP
96:lKRVnVdVfv1yHVjPOhtEtsRv45T70fmgWsMrQqFYfy+nK5M7Wlt8bCptOeTu6:lKRVVv1JhtEtAv45T70QPAy+nK5M7Wl9
Score1/10 -
-
-
Target
(Full Package) One Click OPT Ver - 6.7/2- Fixer-Help/1- Wifi & Bluetooth Fixer/2- Windows Service Control.bat
-
Size
58KB
-
MD5
dcb17ecd18c94f67c09dbf7875ae5229
-
SHA1
8e73e077fa78fbdcece3bf0c89201aa045679df3
-
SHA256
171f9d3035daccfdf760d9b74982db6854cf7c20448608ee21b458b3ad7dc0c3
-
SHA512
b445b1b2a5821151e99bb5d2539e6041589d71e11b6282d914e67f3cefe11cc5094fced5e2937dc30a575c52baa8b6c9aa826f6df5d3653c0af4ad0068d0386a
-
SSDEEP
768:kuNOT9RFMsusWWuD/du+ElQKac+iDtu61NkJPnVPleKuauJuYuTuiu7utuYuBw:R
Score1/10 -
-
-
Target
(Full Package) One Click OPT Ver - 6.7/2- Fixer-Help/2- Xbox Help/1- Xbox Service Enabler.bat
-
Size
15KB
-
MD5
053934c8f93b3ff714e1451f8d10c642
-
SHA1
16896e746055d5fa96730e7d6a637de170ff4ead
-
SHA256
3d9dce519843a1c5690504fb44f8043fa9eb2a3bdb1b4879352866fc0c12387c
-
SHA512
6d05cc4e160b0e96b29b6e5b65bd8eaa62b67540a7583b130b7698b15d4c60b67489aa8daa7b07c6adbb76fa19e0a1bf2dfc880d0499289f2761f3e585cb1337
-
SSDEEP
192:Yh4ZSsimg0gAP5L2e1NkJPnVPletM2TJQ2MqJMr2198Li5981:9iDYLD1NkJPnVPle82MqJMr2198Li59C
Score10/10-
Modifies security service
-
-
-
Target
(Full Package) One Click OPT Ver - 6.7/2- Fixer-Help/3- Clipboard & Snipping Tool Fix/2- Enable Clipboard History.bat
-
Size
658B
-
MD5
05ab20a0f46d02a30d241fbe2d5224c9
-
SHA1
f06ccb783e812f7ba51dad79905dca6ca243fe05
-
SHA256
1984647476deb995118a4dbb8fa69ebf3919d6de1e91b267ec443d4724c4df07
-
SHA512
0c3de19fb60a433ede196635a7a1b2243191ae0752c052eb45292ffab5b3aba90fa4994f65acf634006edac3b0af737f1b0baac12a0183335336f18d3cd91871
Score3/10 -
-
-
Target
(Full Package) One Click OPT Ver - 6.7/2- Fixer-Help/4- Windows Security/2- Cmd Fix.bat
-
Size
637B
-
MD5
b0c27ff6cfbdee082d4246d46f11b175
-
SHA1
91765f41142667d4db295a677551ac0ac4139ac3
-
SHA256
10edbde0c15470a44d8bc38a46c9dbb2b5ecfc0383a7366a084c1dfee92b2053
-
SHA512
08c20a38746e1c0d4e26687732fda4bed60157aea8efd7c31eefd44d40695530f4a7593fa3ac3189b4246d2ade113136a357c6c5640d601c79817dac3ec41ebe
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Downloads MZ/PE file
-
Manipulates Digital Signatures
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
System Binary Proxy Execution: wuauclt
Abuse Wuauclt to proxy execution of malicious code.
-
-
-
Target
(Full Package) One Click OPT Ver - 6.7/3- Browser/CTT App Installer.bat
-
Size
217B
-
MD5
f313871bfb1db4e19da3bfbefdd71207
-
SHA1
58f254ca81c95711bb974bb3848b4e8d6bd43f2e
-
SHA256
fcb93b077e0f42c7a5b297dd13f01e4ef1b0af9d08883f25e72c82e2ad794070
-
SHA512
2008928dad77835328b3f7f0d26441ad449b6ca8ccd394b9c001a778b2f0445b2fecdf537281317db3ce5348fd30b6f5dfba45fea740e2aa2852a7e825c03273
Score8/10-
Blocklisted process makes network request
-
-
-
Target
(Full Package) One Click OPT Ver - 6.7/3- Browser/ChromeSetup.exe
-
Size
1.3MB
-
MD5
6894d217d4162fa5e1d5b6ca7f759c9e
-
SHA1
f8914073394d565a1c40a5adfd6d554557f93dd4
-
SHA256
67dcabe4b912fe3bd88515323bb59829ebac495b54fc8fee6b92c885c733192d
-
SHA512
a0ab305db7ce2d4573e5aab16ed2bf84b8069e2e1518b213027eaec8c6e57d42001e7b808403cc1a6b2c138459e8bcb440aac9f5c12a5688921100628d53038c
-
SSDEEP
24576:PJvKJ4SrOlppYW0avlLWjD7fEYbYJm6KjOsBJy348D0MtkHF4eFgalMC/QnrtJQE:FKDWpP0OWDwYMJmh7a48D0qpeOC/sQE
Score6/10-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
-
-
Target
(Full Package) One Click OPT Ver - 6.7/3- Browser/Powershell Chrome Installer.txt
-
Size
313B
-
MD5
3bebc384e2431863e9e54481b3238f09
-
SHA1
9f2dc65ae513bdfc7a249e550256e78a65484b1d
-
SHA256
ed6038dd65e1d797cd257f51193494283fbc81047ff215494ecb85c516b0fd3c
-
SHA512
c57a19f7d081f2d599045cd5f40d310055ffaa53d6cbda62d0a0f25593b9b56d4d38566094f73fcdda88567cbe40e56de0580bfa90abcc8c00f0e13125ed6c94
Score8/10-
Blocklisted process makes network request
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Drops file in System32 directory
-
-
-
Target
(Full Package) One Click OPT Ver - 6.7/4- Nsudo/Nsudo Download.url
-
Size
180B
-
MD5
92b39e3471f0df79235b2bb01fbf3bd3
-
SHA1
9a04cae82d624d31e09a6e10b2c3b50a16f4b4b7
-
SHA256
5a29853d8fd2ffba7d5e5519d727a86a713cdbbf4b95fab1e67197d0ffae40b1
-
SHA512
df7e48c93d489e14b54e0904e91a32d9b40165b1434cc84ac0e666cbe527285300e51112810c51e74c5af1929d408211713138e9242306d0cdfc37fb381022ab
Score1/10 -
-
-
Target
(Full Package) One Click OPT Ver - 6.7/Defragment.lnk
-
Size
2KB
-
MD5
6c641c68dc0ee3f1f976edf0ee45fb28
-
SHA1
4cf48563afa0f6eedbbe1f9858bc53f8e58a4667
-
SHA256
307c3aab509575221348e3ce86db6ffe829f26267748af662ee164815ea441ad
-
SHA512
38958301b98d82b0d26ef588e872a43fb3063df5e61a05a68e986d897caf474703dd65027c9e17635ac58a4790a1505f9d8681fa44ab332eb47c7f4f6577ccad
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
(Full Package) One Click OPT Ver - 6.7/System Restore.lnk
-
Size
2KB
-
MD5
f15467282144268c3414cbc2c98b999b
-
SHA1
918e3e4da82f52521016beca08a716752a288fc9
-
SHA256
a6c4e5b69e85efa86488b2cb0fc1bc339188bd2eff7ffa8bc427a9c13411f499
-
SHA512
76c7ead477bc73a5fb31d12b34f0db873d94df7cfbc7f68695662793430b36a1f4e70a2e56387ebf80a0d103c7a4b3daa684268ded4c3cf7191c605b1492a0ba
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
2System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Active Setup
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Power Settings
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Active Setup
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Hide Artifacts
2Hidden Files and Directories
1Ignore Process Interrupts
1Impair Defenses
5Disable or Modify Tools
3Indicator Removal
1File Deletion
1Modify Registry
9Subvert Trust Controls
1SIP and Trust Provider Hijacking
1System Binary Proxy Execution
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1