67b5e27f2726692662d746c555d403d35293c6bf6eb0f5d8beaba417872a5d9c

General

Target

Oneclick-V7.0.bat
Size

201KB
MD5

c8e2a0c12285b709fc839a4c7cbd6e1a
SHA1

cae0726adbd932745e4e4db37c82c5839f632efa
SHA256

67b5e27f2726692662d746c555d403d35293c6bf6eb0f5d8beaba417872a5d9c
SHA512

a99ca57c12ab00bd160747812ef71518cff0db5b8962b6b21694f0e9d7682830642290c8cbef7a83368ea7b302730e3d0930761edae15fca51247ee8f14bdc18
SSDEEP

1536:8PSPKdigMQgPTjIV4QJ8STaggyjH/nvfHH4pXfCWOBEzCLiD15ToSmcj/DB:MfjvvfeTTmcTDB

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1556	powershell.exe
2068	powershell.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2068	powershell.exe
2068	powershell.exe
1556	powershell.exe
1556	powershell.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	392	taskmgr.exe
Token: SeSystemProfilePrivilege	392	taskmgr.exe
Token: SeCreateGlobalPrivilege	392	taskmgr.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe
392	taskmgr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5720 wrote to memory of 2172	5720	cmd.exe	87
PID 5720 wrote to memory of 2172	5720	cmd.exe	87
PID 5720 wrote to memory of 5104	5720	cmd.exe	88
PID 5720 wrote to memory of 5104	5720	cmd.exe	88
PID 5104 wrote to memory of 5776	5104	cmd.exe	89
PID 5104 wrote to memory of 5776	5104	cmd.exe	89
PID 5104 wrote to memory of 5228	5104	cmd.exe	90
PID 5104 wrote to memory of 5228	5104	cmd.exe	90
PID 5720 wrote to memory of 2068	5720	cmd.exe	91
PID 5720 wrote to memory of 2068	5720	cmd.exe	91
PID 5720 wrote to memory of 1556	5720	cmd.exe	92
PID 5720 wrote to memory of 1556	5720	cmd.exe	92

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Oneclick-V7.0.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5720
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:2172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild" 2>nul | findstr "REG_SZ"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
    3⤵
    PID:5776
- - C:\Windows\system32\findstr.exe
    findstr "REG_SZ"
    3⤵
    PID:5228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Windows 11 not detected, we recommend running *Win 11 22H2 or 23H2* for the best results' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Although this doesn''t mean you have to use Win 11.' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1556

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cc08a6fd9b8f301503d215002384a51c

SHA1
1c4972f232072620d3925791332eeb33a218e88a

SHA256
72a08cb71dae13c9eb6f8789a116470f8920a78d83c447c79d6491e90b686e24

SHA512
8e2ae7a2e7936294bb0d4b8e845b4313979b486cac54b4ce1980eb4a2020c4ec0df7282831afd3d6914034c675d21435cbb2aa7a9ff97a0ec9ea1810249cca96

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fjqa1dx4.fbg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/392-39-0x0000027042790000-0x0000027042791000-memory.dmp

Filesize
4KB

Download
memory/392-40-0x0000027042790000-0x0000027042791000-memory.dmp

Filesize
4KB

Download
memory/392-41-0x0000027042790000-0x0000027042791000-memory.dmp

Filesize
4KB

Download
memory/392-38-0x0000027042790000-0x0000027042791000-memory.dmp

Filesize
4KB

Download
memory/392-42-0x0000027042790000-0x0000027042791000-memory.dmp

Filesize
4KB

Download
memory/392-43-0x0000027042790000-0x0000027042791000-memory.dmp

Filesize
4KB

Download
memory/392-34-0x0000027042790000-0x0000027042791000-memory.dmp

Filesize
4KB

Download
memory/392-44-0x0000027042790000-0x0000027042791000-memory.dmp

Filesize
4KB

Download
memory/392-32-0x0000027042790000-0x0000027042791000-memory.dmp

Filesize
4KB

Download
memory/392-33-0x0000027042790000-0x0000027042791000-memory.dmp

Filesize
4KB

Download
memory/1556-29-0x00007FFFAFD70000-0x00007FFFB0831000-memory.dmp

Filesize
10.8MB

Download
memory/1556-31-0x00007FFFAFD70000-0x00007FFFB0831000-memory.dmp

Filesize
10.8MB

Download
memory/1556-27-0x00007FFFAFD70000-0x00007FFFB0831000-memory.dmp

Filesize
10.8MB

Download
memory/1556-22-0x00007FFFAFD70000-0x00007FFFB0831000-memory.dmp

Filesize
10.8MB

Download
memory/2068-0-0x00007FFFAFD73000-0x00007FFFAFD75000-memory.dmp

Filesize
8KB

Download
memory/2068-15-0x00007FFFAFD70000-0x00007FFFB0831000-memory.dmp

Filesize
10.8MB

Download
memory/2068-12-0x00007FFFAFD70000-0x00007FFFB0831000-memory.dmp

Filesize
10.8MB

Download
memory/2068-11-0x00007FFFAFD70000-0x00007FFFB0831000-memory.dmp

Filesize
10.8MB

Download
memory/2068-1-0x00000233434A0000-0x00000233434C2000-memory.dmp

Filesize
136KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads