3b1189ee57ef95b9164a3908f33115d58e34edf0fc856ae256f7ec1910d86f21

Analysis

max time kernel
97s
max time network
142s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
30-11-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

(Full Package) One Click OPT Ver - 6.7/1- One Click OPT/3- OrcaLIte V2/OrcaLiteV2.bat
Size

6KB
MD5

b983f8044304ab741b792a87e4808c77
SHA1

180cd6dea7b9fa5ad58ca51793e7e2be669dbc97
SHA256

321748d1d6d36bd20590738f4ec25db4f3535789083bd56b069657426f775d8b
SHA512

337649a5db34fb3e4a99588ff671a052894e358a9b8bb5204964de98b43c53096904336e538939a497f9eb0851f0c20cc9e620754f72e6a6472cc922172e6f04
SSDEEP

192:BM/KbVcy9CzCPhkt010zIuGMwramjnZ4IB5S0b0h1hzo7gthoEOTjm/M0ECsYOy7:B66Vcy9CzCPhktsSIuG4c41hzGGs7g

Score

8^/10

defense_evasion discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
324	takeown.exe
1696	icacls.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
324	takeown.exe
1696	icacls.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
2896	timeout.exe
2956	timeout.exe
1948	timeout.exe
1084	timeout.exe
3352	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	324	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 2628	3084	cmd.exe	81
PID 3084 wrote to memory of 2628	3084	cmd.exe	81
PID 3084 wrote to memory of 2896	3084	cmd.exe	82
PID 3084 wrote to memory of 2896	3084	cmd.exe	82
PID 3084 wrote to memory of 252	3084	cmd.exe	83
PID 3084 wrote to memory of 252	3084	cmd.exe	83
PID 3084 wrote to memory of 2040	3084	cmd.exe	84
PID 3084 wrote to memory of 2040	3084	cmd.exe	84
PID 3084 wrote to memory of 2500	3084	cmd.exe	85
PID 3084 wrote to memory of 2500	3084	cmd.exe	85
PID 3084 wrote to memory of 4340	3084	cmd.exe	86
PID 3084 wrote to memory of 4340	3084	cmd.exe	86
PID 3084 wrote to memory of 3012	3084	cmd.exe	87
PID 3084 wrote to memory of 3012	3084	cmd.exe	87
PID 3084 wrote to memory of 644	3084	cmd.exe	88
PID 3084 wrote to memory of 644	3084	cmd.exe	88
PID 3084 wrote to memory of 1168	3084	cmd.exe	89
PID 3084 wrote to memory of 1168	3084	cmd.exe	89
PID 3084 wrote to memory of 1280	3084	cmd.exe	90
PID 3084 wrote to memory of 1280	3084	cmd.exe	90
PID 3084 wrote to memory of 5036	3084	cmd.exe	91
PID 3084 wrote to memory of 5036	3084	cmd.exe	91
PID 3084 wrote to memory of 4044	3084	cmd.exe	92
PID 3084 wrote to memory of 4044	3084	cmd.exe	92
PID 3084 wrote to memory of 1088	3084	cmd.exe	93
PID 3084 wrote to memory of 1088	3084	cmd.exe	93
PID 3084 wrote to memory of 2668	3084	cmd.exe	94
PID 3084 wrote to memory of 2668	3084	cmd.exe	94
PID 3084 wrote to memory of 2864	3084	cmd.exe	95
PID 3084 wrote to memory of 2864	3084	cmd.exe	95
PID 3084 wrote to memory of 1516	3084	cmd.exe	96
PID 3084 wrote to memory of 1516	3084	cmd.exe	96
PID 3084 wrote to memory of 2068	3084	cmd.exe	97
PID 3084 wrote to memory of 2068	3084	cmd.exe	97
PID 3084 wrote to memory of 2532	3084	cmd.exe	98
PID 3084 wrote to memory of 2532	3084	cmd.exe	98
PID 3084 wrote to memory of 1000	3084	cmd.exe	99
PID 3084 wrote to memory of 1000	3084	cmd.exe	99
PID 3084 wrote to memory of 1740	3084	cmd.exe	100
PID 3084 wrote to memory of 1740	3084	cmd.exe	100
PID 3084 wrote to memory of 2956	3084	cmd.exe	101
PID 3084 wrote to memory of 2956	3084	cmd.exe	101
PID 3084 wrote to memory of 4924	3084	cmd.exe	106
PID 3084 wrote to memory of 4924	3084	cmd.exe	106
PID 3084 wrote to memory of 556	3084	cmd.exe	107
PID 3084 wrote to memory of 556	3084	cmd.exe	107
PID 3084 wrote to memory of 3268	3084	cmd.exe	108
PID 3084 wrote to memory of 3268	3084	cmd.exe	108
PID 3084 wrote to memory of 4712	3084	cmd.exe	109
PID 3084 wrote to memory of 4712	3084	cmd.exe	109
PID 3084 wrote to memory of 3508	3084	cmd.exe	110
PID 3084 wrote to memory of 3508	3084	cmd.exe	110
PID 3084 wrote to memory of 2116	3084	cmd.exe	111
PID 3084 wrote to memory of 2116	3084	cmd.exe	111
PID 3084 wrote to memory of 692	3084	cmd.exe	112
PID 3084 wrote to memory of 692	3084	cmd.exe	112
PID 3084 wrote to memory of 2308	3084	cmd.exe	113
PID 3084 wrote to memory of 2308	3084	cmd.exe	113
PID 3084 wrote to memory of 3456	3084	cmd.exe	114
PID 3084 wrote to memory of 3456	3084	cmd.exe	114
PID 3084 wrote to memory of 4492	3084	cmd.exe	115
PID 3084 wrote to memory of 4492	3084	cmd.exe	115
PID 3084 wrote to memory of 2332	3084	cmd.exe	116
PID 3084 wrote to memory of 2332	3084	cmd.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\3- OrcaLIte V2\OrcaLiteV2.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2628
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2896
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "MicrosoftEdgeUpdateTaskMachineUA" /Disable
  2⤵
  PID:252
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "MicrosoftEdgeUpdateTaskMachineCore" /Disable
  2⤵
  PID:2040
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "OneDrive Reporting Task-S-1-5-21-2240390734-3588247625-2595490332-1001" /Disable
  2⤵
  PID:2500
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "OneDrive Standalone Update Task-S-1-5-21-2240390734-3588247625-2595490332-1001" /Disable
  2⤵
  PID:4340
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "update-S-1-5-21-2240390734-3588247625-2595490332-1001" /Disable
  2⤵
  PID:3012
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "update-sys" /Disable
  2⤵
  PID:644
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UNP\RunUpdateNotificationMgr" /Disable
  2⤵
  PID:1168
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work" /Disable
  2⤵
  PID:1280
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable
  2⤵
  PID:5036
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable
  2⤵
  PID:4044
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work" /Disable
  2⤵
  PID:1088
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Work" /Disable
  2⤵
  PID:2668
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work" /Disable
  2⤵
  PID:2864
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable
  2⤵
  PID:1516
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_LicenseAccepted" /Disable
  2⤵
  PID:2068
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScanAfterUpdate" /Disable
  2⤵
  PID:2532
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable
  2⤵
  PID:1000
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UUS Failover Task" /Disable
  2⤵
  PID:1740
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2956
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "MicrosoftEdgeUpdateTaskMachineUA" /F
  2⤵
  PID:4924
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "MicrosoftEdgeUpdateTaskMachineCore" /F
  2⤵
  PID:556
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "OneDrive Reporting Task-S-1-5-21-2240390734-3588247625-2595490332-1001" /F
  2⤵
  PID:3268
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "OneDrive Standalone Update Task-S-1-5-21-2240390734-3588247625-2595490332-1001" /F
  2⤵
  PID:4712
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "update-S-1-5-21-2240390734-3588247625-2595490332-1001" /F
  2⤵
  PID:3508
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "update-sys" /F
  2⤵
  PID:2116
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UNP\RunUpdateNotificationMgr" /F
  2⤵
  PID:692
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work" /F
  2⤵
  PID:2308
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /F
  2⤵
  PID:3456
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /F
  2⤵
  PID:4492
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work" /F
  2⤵
  PID:2332
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Work" /F
  2⤵
  PID:1688
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work" /F
  2⤵
  PID:5088
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Report policies" /F
  2⤵
  PID:2924
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_LicenseAccepted" /F
  2⤵
  PID:8
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScanAfterUpdate" /F
  2⤵
  PID:2636
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /F
  2⤵
  PID:3000
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\UUS Failover Task" /F
  2⤵
  PID:3660
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:1948
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\System32\UsoClient.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:324
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\UsoClient.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1696
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:1084
- C:\Windows\system32\timeout.exe
  timeout 3
  2⤵
  - Delays execution with timeout.exe
  PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads