Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 30-11-2024 06:26
Static task
- static1

Behavioral tasks (task id, resource, sample)
- behavioral1, win7-20240729-en: (Full Package) One Click OPT Ver - 6.7/1- One Click OPT/1- Oneclick V6.7 (Ultimate Performance)/Oneclick V6.7.bat
- behavioral2, win10v2004-20241007-en: (Full Package) One Click OPT Ver - 6.7/1- One Click OPT/1- Oneclick V6.7 (Ultimate Performance)/Oneclick V6.7.bat
- behavioral3, win7-20240903-en: (Full Package) One Click OPT Ver - 6.7/1- One Click OPT/2- Orca V3/Orca V3.bat
- behavioral4, win10v2004-20241007-en: (Full Package) One Click OPT Ver - 6.7/1- One Click OPT/2- Orca V3/Orca V3.bat
- behavioral5, win7-20240903-en: (Full Package) One Click OPT Ver - 6.7/1- One Click OPT/3- OrcaLIte V2/OrcaLiteV2.bat
- behavioral6, win10v2004-20241007-en: (Full Package) One Click OPT Ver - 6.7/1- One Click OPT/3- OrcaLIte V2/OrcaLiteV2.bat
- behavioral7, win7-20240903-en: (Full Package) One Click OPT Ver - 6.7/1- One Click OPT/4 - Process Destroyer V2.1/Process Destroyer 2.1.bat
- behavioral8, win10v2004-20241007-en: (Full Package) One Click OPT Ver - 6.7/1- One Click OPT/4 - Process Destroyer V2.1/Process Destroyer 2.1.bat
- behavioral9, win7-20240903-en: (Full Package) One Click OPT Ver - 6.7/2- Fixer-Help/1- Wifi & Bluetooth Fixer/1- Turn On Wifi.bat
- behavioral10, win10v2004-20241007-en: (Full Package) One Click OPT Ver - 6.7/2- Fixer-Help/1- Wifi & Bluetooth Fixer/1- Turn On Wifi.bat
- behavioral11, win7-20240729-en: (Full Package) One Click OPT Ver - 6.7/2- Fixer-Help/1- Wifi & Bluetooth Fixer/2- Windows Service Control.bat
- behavioral12, win10v2004-20241007-en: (Full Package) One Click OPT Ver - 6.7/2- Fixer-Help/1- Wifi & Bluetooth Fixer/2- Windows Service Control.bat
- behavioral13, win7-20240903-en: (Full Package) One Click OPT Ver - 6.7/2- Fixer-Help/2- Xbox Help/1- Xbox Service Enabler.bat
- behavioral14, win10v2004-20241007-en: (Full Package) One Click OPT Ver - 6.7/2- Fixer-Help/2- Xbox Help/1- Xbox Service Enabler.bat
- behavioral15, win7-20240708-en: (Full Package) One Click OPT Ver - 6.7/2- Fixer-Help/3- Clipboard & Snipping Tool Fix/2- Enable Clipboard History.bat
- behavioral16, win10v2004-20241007-en: (Full Package) One Click OPT Ver - 6.7/2- Fixer-Help/3- Clipboard & Snipping Tool Fix/2- Enable Clipboard History.bat
- behavioral17, win7-20240903-en: (Full Package) One Click OPT Ver - 6.7/2- Fixer-Help/4- Windows Security/2- Cmd Fix.bat
- behavioral18, win10v2004-20241007-en: (Full Package) One Click OPT Ver - 6.7/2- Fixer-Help/4- Windows Security/2- Cmd Fix.bat
- behavioral19, win7-20241010-en: (Full Package) One Click OPT Ver - 6.7/3- Browser/CTT App Installer.bat
- behavioral20, win10v2004-20241007-en: (Full Package) One Click OPT Ver - 6.7/3- Browser/CTT App Installer.bat
- behavioral21, win7-20240903-en: (Full Package) One Click OPT Ver - 6.7/3- Browser/ChromeSetup.exe
- behavioral22, win10v2004-20241007-en: (Full Package) One Click OPT Ver - 6.7/3- Browser/ChromeSetup.exe
- behavioral23, win7-20240903-en: (Full Package) One Click OPT Ver - 6.7/3- Browser/Powershell Chrome Installer.ps1
- behavioral24, win10v2004-20241007-en: (Full Package) One Click OPT Ver - 6.7/3- Browser/Powershell Chrome Installer.ps1
- behavioral25, win7-20240903-en: (Full Package) One Click OPT Ver - 6.7/4- Nsudo/Nsudo Download.url
- behavioral26, win10v2004-20241007-en: (Full Package) One Click OPT Ver - 6.7/4- Nsudo/Nsudo Download.url
- behavioral27, win7-20240903-en: (Full Package) One Click OPT Ver - 6.7/Defragment.lnk
- behavioral28, win10v2004-20241007-en: (Full Package) One Click OPT Ver - 6.7/Defragment.lnk
- behavioral29, win7-20240708-en: (Full Package) One Click OPT Ver - 6.7/System Restore.lnk
- behavioral30, win10v2004-20241007-en: (Full Package) One Click OPT Ver - 6.7/System Restore.lnk
General
- Target: (Full Package) One Click OPT Ver - 6.7/1- One Click OPT/1- Oneclick V6.7 (Ultimate Performance)/Oneclick V6.7.bat
- Size: 202KB
- MD5: 4acd7d1e7294d4ab4e9db8977d5135e4
- SHA1: 07c5474fcd09ff5843df3f776d665dcf0eef4284
- SHA256: b66cd5d6a39c016d0c39e270bed5cc8dbeb1920b3f827d78bc9d36a4a1e3f84f
- SHA512: d45a1a26440116df843fbef3bc86a727267cc687f59f9062ef9a66c08a3581c9903d568303d5700dacaad7f5e398601211841328e1784989822d644a426b2d36
- SSDEEP: 1536:97SPKdigMQgPTjIV4wJzSwTgfGH/ngfHH4pX/paZSiDk2IWOmXmomk:9nnHgvOh4KmXmomk
Malware Config
Signatures
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility used to control services on the system.
  pid / Process: 2264 sc.exe; 2696 sc.exe; 2756 sc.exe
- pid / Process: 2684 powershell.exe
- Delays execution with timeout.exe (2 IoCs)
  pid / Process: 2692 timeout.exe; 2680 timeout.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid / Process: 2684 powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / Process: Token: SeDebugPrivilege / 2684 / powershell.exe
- Suspicious use of WriteProcessMemory (48 IoCs; each of the 16 parent/child relationships below was recorded three times)
  description / pid / Process / procid_target:
  PID 2932 wrote to memory of 1880 / 2932 / cmd.exe / 32
  PID 2932 wrote to memory of 2264 / 2932 / cmd.exe / 33
  PID 2932 wrote to memory of 2272 / 2932 / cmd.exe / 34
  PID 2932 wrote to memory of 2688 / 2932 / cmd.exe / 35
  PID 2932 wrote to memory of 2696 / 2932 / cmd.exe / 36
  PID 2932 wrote to memory of 2752 / 2932 / cmd.exe / 37
  PID 2932 wrote to memory of 2776 / 2932 / cmd.exe / 38
  PID 2932 wrote to memory of 2756 / 2932 / cmd.exe / 39
  PID 2932 wrote to memory of 2956 / 2932 / cmd.exe / 40
  PID 2956 wrote to memory of 2700 / 2956 / net.exe / 41
  PID 2932 wrote to memory of 2692 / 2932 / cmd.exe / 42
  PID 2932 wrote to memory of 2948 / 2932 / cmd.exe / 43
  PID 2932 wrote to memory of 2680 / 2932 / cmd.exe / 44
  PID 2932 wrote to memory of 2572 / 2932 / cmd.exe / 45
  PID 2932 wrote to memory of 3064 / 2932 / cmd.exe / 46
  PID 2932 wrote to memory of 2684 / 2932 / cmd.exe / 47
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\1- Oneclick V6.7 (Ultimate Performance)\Oneclick V6.7.bat"
  PID: 2932
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\fltMC.exe
    fltmc
    PID: 1880
  - C:\Windows\system32\sc.exe
    sc query "WinDefend"
    PID: 2264
    Signatures: Launches sc.exe
  - C:\Windows\system32\find.exe
    find "STATE"
    PID: 2272
  - C:\Windows\system32\find.exe
    find "RUNNING"
    PID: 2688
  - C:\Windows\system32\sc.exe
    sc qc "TrustedInstaller"
    PID: 2696
    Signatures: Launches sc.exe
  - C:\Windows\system32\find.exe
    find "START_TYPE"
    PID: 2752
  - C:\Windows\system32\find.exe
    find "DISABLED"
    PID: 2776
  - C:\Windows\system32\sc.exe
    sc config TrustedInstaller start=auto
    PID: 2756
    Signatures: Launches sc.exe
  - C:\Windows\system32\net.exe
    net start TrustedInstaller
    PID: 2956
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start TrustedInstaller
      PID: 2700
  - C:\Windows\system32\timeout.exe
    timeout 1
    PID: 2692
    Signatures: Delays execution with timeout.exe
  - C:\Windows\system32\chcp.com
    chcp 65001
    PID: 2948
  - C:\Windows\system32\timeout.exe
    timeout 2
    PID: 2680
    Signatures: Delays execution with timeout.exe
  - C:\Windows\system32\chcp.com
    chcp 65001
    PID: 2572
  - C:\Windows\system32\chcp.com
    chcp 437
    PID: 3064
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"
    PID: 2684
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken