Analysis
- max time kernel: 122s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21-01-2025 18:57
Behavioral tasks
task          Sample                                                  Resource
behavioral1   Oneclick-main.zip                                       win7-20241010-en
behavioral2   Oneclick-main.zip                                       win10v2004-20241007-en
behavioral3   Oneclick-main/Downloads/AMD.bat                         win7-20241023-en
behavioral4   Oneclick-main/Downloads/AMD.bat                         win10v2004-20241007-en
behavioral5   OneclickTools/Amd/AMD.bat                               win7-20240903-en
behavioral6   OneclickTools/Amd/AMD.bat                               win10v2004-20241007-en
behavioral7   OneclickTools/DPC Checker/dpclat.exe                    win7-20241010-en
behavioral8   OneclickTools/DPC Checker/dpclat.exe                    win10v2004-20241007-en
behavioral9   OneclickTools/Dcontrol/dControl.exe                     win7-20241010-en
behavioral10  OneclickTools/Dcontrol/dControl.exe                     win10v2004-20241007-en
behavioral11  OneclickTools/NSudo/NSudoLG.exe                         win7-20240903-en
behavioral12  OneclickTools/NSudo/NSudoLG.exe                         win10v2004-20241007-en
behavioral13  OneclickTools/OOshutup10/OOSU10.exe                     win7-20240903-en
behavioral14  OneclickTools/OOshutup10/OOSU10.exe                     win10v2004-20241007-en
behavioral15  OneclickTools/Orca/Orca.bat                             win7-20240903-en
behavioral16  OneclickTools/Orca/Orca.bat                             win10v2004-20241007-en
behavioral17  OneclickTools/Sound/Sound.bat                           win7-20240903-en
behavioral18  OneclickTools/Sound/Sound.bat                           win10v2004-20241007-en
behavioral19  OneclickTools/Timer Resolution/SetTimerResolution.exe   win7-20240729-en
behavioral20  OneclickTools/Timer Resolution/SetTimerResolution.exe   win10v2004-20241007-en
behavioral21  Oneclick-main/Downloads/OpenShellTheme.xml              win7-20241010-en
behavioral22  Oneclick-main/Downloads/OpenShellTheme.xml              win10v2004-20241007-en
behavioral23  Oneclick-main/Downloads/Orca.bat                        win7-20240903-en
behavioral24  Oneclick-main/Downloads/Orca.bat                        win10v2004-20241007-en
behavioral25  Oneclick-main/Downloads/Sound.bat                       win7-20240903-en
behavioral26  Oneclick-main/Downloads/Sound.bat                       win10v2004-20241007-en
General
- Target: Oneclick-main/Downloads/Sound.bat
- Size: 1KB
- MD5: aa79a42a515c7013ee6d746bc2033af8
- SHA1: f703e84f64c5d8061f2aea7f636e57576b5bb2c6
- SHA256: 9989b6443318155275d5e8011e6395f57a9723444f06c7de78ad1a07a8049c6e
- SHA512: 4bcf14e930fa090d0efbad5416ea48bcdb162ddef00baf9433186736a238c3e1ff28c1fc8447a4749af2413856dd597257dbed3f7b80340d1ff0a63144c90e43
Malware Config
Signatures
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid   Process
  2544  sc.exe
  2820  sc.exe
  2240  sc.exe
- Kills process with taskkill (5 IoCs)
  pid   Process
  2248  taskkill.exe
  2932  taskkill.exe
  2304  taskkill.exe
  2864  taskkill.exe
  2804  taskkill.exe

- Runs net.exe

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2248  taskkill.exe
  Token: SeDebugPrivilege  2932  taskkill.exe
  Token: SeDebugPrivilege  2304  taskkill.exe
  Token: SeDebugPrivilege  2864  taskkill.exe
  Token: SeDebugPrivilege  2804  taskkill.exe

- Suspicious use of WriteProcessMemory (42 IoCs)
  description                       pid   Process  procid_target
  PID 3004 wrote to memory of 2248  3004  cmd.exe  31
  PID 3004 wrote to memory of 2248  3004  cmd.exe  31
  PID 3004 wrote to memory of 2248  3004  cmd.exe  31
  PID 3004 wrote to memory of 1908  3004  cmd.exe  33
  PID 3004 wrote to memory of 1908  3004  cmd.exe  33
  PID 3004 wrote to memory of 1908  3004  cmd.exe  33
  PID 1908 wrote to memory of 2948  1908  net.exe  34
  PID 1908 wrote to memory of 2948  1908  net.exe  34
  PID 1908 wrote to memory of 2948  1908  net.exe  34
  PID 3004 wrote to memory of 2544  3004  cmd.exe  35
  PID 3004 wrote to memory of 2544  3004  cmd.exe  35
  PID 3004 wrote to memory of 2544  3004  cmd.exe  35
  PID 3004 wrote to memory of 2932  3004  cmd.exe  36
  PID 3004 wrote to memory of 2932  3004  cmd.exe  36
  PID 3004 wrote to memory of 2932  3004  cmd.exe  36
  PID 3004 wrote to memory of 2304  3004  cmd.exe  37
  PID 3004 wrote to memory of 2304  3004  cmd.exe  37
  PID 3004 wrote to memory of 2304  3004  cmd.exe  37
  PID 3004 wrote to memory of 2724  3004  cmd.exe  38
  PID 3004 wrote to memory of 2724  3004  cmd.exe  38
  PID 3004 wrote to memory of 2724  3004  cmd.exe  38
  PID 2724 wrote to memory of 2440  2724  net.exe  39
  PID 2724 wrote to memory of 2440  2724  net.exe  39
  PID 2724 wrote to memory of 2440  2724  net.exe  39
  PID 3004 wrote to memory of 2820  3004  cmd.exe  40
  PID 3004 wrote to memory of 2820  3004  cmd.exe  40
  PID 3004 wrote to memory of 2820  3004  cmd.exe  40
  PID 3004 wrote to memory of 2864  3004  cmd.exe  41
  PID 3004 wrote to memory of 2864  3004  cmd.exe  41
  PID 3004 wrote to memory of 2864  3004  cmd.exe  41
  PID 3004 wrote to memory of 2804  3004  cmd.exe  42
  PID 3004 wrote to memory of 2804  3004  cmd.exe  42
  PID 3004 wrote to memory of 2804  3004  cmd.exe  42
  PID 3004 wrote to memory of 2824  3004  cmd.exe  43
  PID 3004 wrote to memory of 2824  3004  cmd.exe  43
  PID 3004 wrote to memory of 2824  3004  cmd.exe  43
  PID 2824 wrote to memory of 2848  2824  net.exe  44
  PID 2824 wrote to memory of 2848  2824  net.exe  44
  PID 2824 wrote to memory of 2848  2824  net.exe  44
  PID 3004 wrote to memory of 2240  3004  cmd.exe  45
  PID 3004 wrote to memory of 2240  3004  cmd.exe  45
  PID 3004 wrote to memory of 2240  3004  cmd.exe  45
Processes
- C:\Windows\system32\cmd.exe (PID 3004, level 1)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\Oneclick-main\Downloads\Sound.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\taskkill.exe (PID 2248, level 2)
    taskkill /F /IM RtkAudUService64.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\net.exe (PID 1908, level 2)
    net stop "RtkAudioUniversalService"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 2948, level 3)
      C:\Windows\system32\net1 stop "RtkAudioUniversalService"
  - C:\Windows\system32\sc.exe (PID 2544, level 2)
    sc config RtkAudioUniversalService start=disabled
    Signatures: Launches sc.exe
  - C:\Windows\system32\taskkill.exe (PID 2932, level 2)
    taskkill /f /im SECOMNService.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\taskkill.exe (PID 2304, level 2)
    taskkill /f /im SECOCL.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\net.exe (PID 2724, level 2)
    net stop "SECOMNService"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 2440, level 3)
      C:\Windows\system32\net1 stop "SECOMNService"
  - C:\Windows\system32\sc.exe (PID 2820, level 2)
    sc config SECOMNService start=disabled
    Signatures: Launches sc.exe
  - C:\Windows\system32\taskkill.exe (PID 2864, level 2)
    taskkill /f /im VSHelper.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\taskkill.exe (PID 2804, level 2)
    taskkill /f /im VSSrv.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\net.exe (PID 2824, level 2)
    net stop "VSSrv"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 2848, level 3)
      C:\Windows\system32\net1 stop "VSSrv"
  - C:\Windows\system32\sc.exe (PID 2240, level 2)
    sc config VSSrv start=disabled
    Signatures: Launches sc.exe