Analysis

  • max time kernel
    110s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-11-2024 06:26

General

  • Target

    (Full Package) One Click OPT Ver - 6.7/1- One Click OPT/1- Oneclick V6.7 (Ultimate Performance)/Oneclick V6.7.bat

  • Size

    202KB

  • MD5

    4acd7d1e7294d4ab4e9db8977d5135e4

  • SHA1

    07c5474fcd09ff5843df3f776d665dcf0eef4284

  • SHA256

    b66cd5d6a39c016d0c39e270bed5cc8dbeb1920b3f827d78bc9d36a4a1e3f84f

  • SHA512

    d45a1a26440116df843fbef3bc86a727267cc687f59f9062ef9a66c08a3581c9903d568303d5700dacaad7f5e398601211841328e1784989822d644a426b2d36

  • SSDEEP

    1536:97SPKdigMQgPTjIV4wJzSwTgfGH/ngfHH4pX/paZSiDk2IWOmXmomk:9nnHgvOh4KmXmomk

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Launches sc.exe 3 IoCs

    sc.exe is the Windows utility for querying and controlling services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    powershell.exe was invoked with a -Command argument.

  • Delays execution with timeout.exe 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\1- Oneclick V6.7 (Ultimate Performance)\Oneclick V6.7.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Windows\system32\fltMC.exe
      fltmc
      2⤵
      PID:5056
    • C:\Windows\system32\sc.exe
      sc query "WinDefend"
      2⤵
      • Launches sc.exe
      PID:364
    • C:\Windows\system32\find.exe
      find "STATE"
      2⤵
      PID:2648
    • C:\Windows\system32\find.exe
      find "RUNNING"
      2⤵
      PID:1216
    • C:\Windows\system32\sc.exe
      sc qc "TrustedInstaller"
      2⤵
      • Launches sc.exe
      PID:4852
    • C:\Windows\system32\find.exe
      find "START_TYPE"
      2⤵
      PID:880
    • C:\Windows\system32\find.exe
      find "DISABLED"
      2⤵
      PID:1844
    • C:\Windows\system32\sc.exe
      sc config TrustedInstaller start=auto
      2⤵
      • Launches sc.exe
      PID:1484
    • C:\Windows\system32\net.exe
      net start TrustedInstaller
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 start TrustedInstaller
        3⤵
        PID:4040
    • C:\Windows\system32\curl.exe
      curl -s -L "https://github.com/QuakedK/Downloads/raw/main/OneclickTools.zip" -o "C:\\Oneclick Tools.zip"
      2⤵
      PID:856
    • C:\Windows\system32\timeout.exe
      timeout 1
      2⤵
      • Delays execution with timeout.exe
      PID:2800
    • C:\Windows\system32\tar.exe
      tar -xf "C:\\Oneclick Tools.zip" --strip-components=1
      2⤵
      PID:3040
    • C:\Windows\system32\chcp.com
      chcp 65001
      2⤵
      PID:3492
    • C:\Windows\system32\timeout.exe
      timeout 2
      2⤵
      • Delays execution with timeout.exe
      PID:3960
    • C:\Windows\system32\chcp.com
      chcp 65001
      2⤵
      PID:3376
    • C:\Windows\system32\chcp.com
      chcp 437
      2⤵
      PID:232
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3088
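The process tree above, read as a detection problem. This is an added example and not part of the sandbox report or of the analysed script: a small Python triage routine that rebuilds parent/child relations from process-creation events and flags the behaviours the tree shows (an `fltmc` elevation probe, the `sc query WinDefend` state check, a service whose start type is changed and which is then started by the same parent, and a `curl` download that the same parent immediately unpacks with `tar`). The sample events are constructed from the report's tree and reuse its PIDs and command lines; the parent PID 1000 for the root `cmd.exe` is assumed, and the `Proc` record, `triage` and the finding labels are names chosen here.

```python
"""Triage a cmd.exe process tree of the kind shown in the report above.

Added example, not part of the report or of the analysed script. Events are
constructed from the report's process tree (same PIDs and command lines);
the parent PID of the root cmd.exe (1000) is assumed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Interpreters whose children are inspected; children of other parents are skipped.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def _norm_path(arg: str) -> str:
    # Drop quotes, collapse doubled backslashes (the script wrote "C:\\..."), lowercase.
    return re.sub(r"\\+", r"\\", arg.strip('"')).lower()


def _arg_after(flag: str, cmd: str):
    # Value following a short flag such as -o or -xf; a quoted value may contain spaces.
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r'\s+("[^"]*"|\S+)', cmd)
    return _norm_path(m.group(1)) if m else None


def triage(events):
    """Return {parent_pid: [finding, ...]} for every script-host parent with hits."""
    by_pid = {p.pid: p for p in events}
    children = defaultdict(list)
    for p in events:
        children[p.ppid].append(p)

    findings = {}
    for ppid, kids in children.items():
        parent = by_pid.get(ppid)
        if parent is None or _base(parent.image) not in SCRIPT_HOSTS:
            continue
        hits, configured, downloaded = [], set(), set()
        for k in kids:  # events are kept in creation order
            img, cmd = _base(k.image), k.cmdline.strip()
            if img == "fltmc.exe" and cmd.lower() == "fltmc":
                hits.append("admin_check_fltmc")  # exit code tells the script whether it is elevated
            elif img == "sc.exe" and re.search(r'\bquery\s+"?windefend"?', cmd, re.I):
                hits.append("defender_state_query")
            elif img == "sc.exe" and (m := re.search(r'\bconfig\s+"?([\w.]+)"?\s+start\s*=', cmd, re.I)):
                configured.add(m.group(1).lower())  # start type changed; remember the service
            elif img in {"net.exe", "net1.exe", "sc.exe"} and (m := re.search(r'\bstart\s+"?([\w.]+)"?', cmd, re.I)):
                svc = m.group(1).lower()
                if svc in configured:  # only flag a start that follows a reconfiguration
                    hits.append("service_enabled_and_started:" + svc)
            elif img == "curl.exe":
                url, out = re.search(r"https?://\S+", cmd), _arg_after("-o", cmd)
                if url and out:
                    downloaded.add(out)
                    hits.append("remote_download:" + url.group(0).strip('"'))
                    if re.fullmatch(r"[a-z]:\\[^\\]+", out):  # written straight into the drive root
                        hits.append("download_to_drive_root")
            elif img == "tar.exe":
                src = _arg_after("-xf", cmd)
                if src in downloaded:  # unpacking what the same parent just fetched
                    hits.append("download_then_extract:" + src)
        if hits:
            findings[ppid] = hits
    return findings


# Constructed sample: the report's tree as process-creation events (pid, ppid, image, cmdline).
EVENTS = [
    Proc(2780, 1000, r"C:\Windows\system32\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\1- Oneclick V6.7 (Ultimate Performance)\Oneclick V6.7.bat"'),
    Proc(5056, 2780, r"C:\Windows\system32\fltMC.exe", "fltmc"),
    Proc(364, 2780, r"C:\Windows\system32\sc.exe", 'sc query "WinDefend"'),
    Proc(4852, 2780, r"C:\Windows\system32\sc.exe", 'sc qc "TrustedInstaller"'),
    Proc(1484, 2780, r"C:\Windows\system32\sc.exe", "sc config TrustedInstaller start=auto"),
    Proc(2480, 2780, r"C:\Windows\system32\net.exe", "net start TrustedInstaller"),
    Proc(4040, 2480, r"C:\Windows\system32\net1.exe", r"C:\Windows\system32\net1 start TrustedInstaller"),
    Proc(856, 2780, r"C:\Windows\system32\curl.exe",
         r'curl -s -L "https://github.com/QuakedK/Downloads/raw/main/OneclickTools.zip" -o "C:\\Oneclick Tools.zip"'),
    Proc(3040, 2780, r"C:\Windows\system32\tar.exe", r'tar -xf "C:\\Oneclick Tools.zip" --strip-components=1'),
    Proc(3088, 2780, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         'powershell -Command "Write-Host \'Recommended!\' -ForegroundColor White -BackgroundColor Red"'),
]

if __name__ == "__main__":
    for ppid, hits in triage(EVENTS).items():
        print(f"parent PID {ppid}:", *hits, sep="\n  ")
```

Ordering is what separates this chain from ordinary administration: `net start` is only flagged when the same parent has already changed that service's start type, and `tar -xf` only when its input is a path a preceding `curl -o` wrote. The matchers assume the short `-o` and `-xf` flag forms seen in the report and would need extending for `--output` or `-x -f`.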

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Oneclick Tools.zip

    Filesize

    564KB

    MD5

    d2be90c23063c07c5bf6e02c9400ac35

    SHA1

    c2ca99de035c17ba9b7912c26725efffe290b1db

    SHA256

    9422365acf6002368d3752faa01d4a428adee1fe902fce397d024dabb4e009b3

    SHA512

    13935887c0bb2006e65c0fd65cd625ac467d52425cbd084b21ae7246a1b97ed2a92916fa62fabf561e2bf0d610aa3dc4fd7e945d86d37280d8eabf2a0b46909e

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yvl1g2dg.hn0.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/3088-7-0x0000016AD39C0000-0x0000016AD39E2000-memory.dmp

    Filesize

    136KB