67b5e27f2726692662d746c555d403d35293c6bf6eb0f5d8beaba417872a5d9c

Resubmissions

27/03/2025, 09:39

250327-lm3m5sslv4 10

27/03/2025, 07:44

250327-jkzscsyxgx 10

27/03/2025, 04:15

250327-evp9fsyrx2 10

Analysis

max time kernel
841s
max time network
842s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/03/2025, 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Oneclick-V7.0.bat
Size

201KB
MD5

c8e2a0c12285b709fc839a4c7cbd6e1a
SHA1

cae0726adbd932745e4e4db37c82c5839f632efa
SHA256

67b5e27f2726692662d746c555d403d35293c6bf6eb0f5d8beaba417872a5d9c
SHA512

a99ca57c12ab00bd160747812ef71518cff0db5b8962b6b21694f0e9d7682830642290c8cbef7a83368ea7b302730e3d0930761edae15fca51247ee8f14bdc18
SSDEEP

1536:8PSPKdigMQgPTjIV4QJ8STaggyjH/nvfHH4pXfCWOBEzCLiD15ToSmcj/DB:MfjvvfeTTmcTDB

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2808	powershell.exe
2668	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2808	powershell.exe
2668	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2660	2384	cmd.exe	31
PID 2384 wrote to memory of 2660	2384	cmd.exe	31
PID 2384 wrote to memory of 2660	2384	cmd.exe	31
PID 2384 wrote to memory of 2380	2384	cmd.exe	32
PID 2384 wrote to memory of 2380	2384	cmd.exe	32
PID 2384 wrote to memory of 2380	2384	cmd.exe	32
PID 2380 wrote to memory of 2760	2380	cmd.exe	33
PID 2380 wrote to memory of 2760	2380	cmd.exe	33
PID 2380 wrote to memory of 2760	2380	cmd.exe	33
PID 2380 wrote to memory of 2804	2380	cmd.exe	34
PID 2380 wrote to memory of 2804	2380	cmd.exe	34
PID 2380 wrote to memory of 2804	2380	cmd.exe	34
PID 2384 wrote to memory of 2808	2384	cmd.exe	35
PID 2384 wrote to memory of 2808	2384	cmd.exe	35
PID 2384 wrote to memory of 2808	2384	cmd.exe	35
PID 2384 wrote to memory of 2668	2384	cmd.exe	36
PID 2384 wrote to memory of 2668	2384	cmd.exe	36
PID 2384 wrote to memory of 2668	2384	cmd.exe	36

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Oneclick-V7.0.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:2660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild" 2>nul | findstr "REG_SZ"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
    3⤵
    PID:2760
- - C:\Windows\system32\findstr.exe
    findstr "REG_SZ"
    3⤵
    PID:2804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Windows 11 not detected, we recommend running *Win 11 22H2 or 23H2* for the best results' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Although this doesn''t mean you have to use Win 11.' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2385b4503e30d8046074787df465bc5d

SHA1
723407ab50739a467be6d8ae9c7227f09eb770d4

SHA256
28e970fd1a9eec76fabe2ff58d06998631fdad0a9a20e96f464be63f68be741b

SHA512
e98244d2fc6f6126e8b97b77d985cdf0dbd45385c2649b51316f3d5fa9cbf628fc1e351a0faf6e83757621660070854dd57accc21564cb3579a484523616130e

Download Submit
memory/2668-15-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2668-16-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2808-4-0x000007FEF609E000-0x000007FEF609F000-memory.dmp

Filesize
4KB

Download
memory/2808-5-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2808-6-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2808-8-0x0000000002BEB000-0x0000000002C52000-memory.dmp

Filesize
412KB

Download
memory/2808-7-0x0000000002BE4000-0x0000000002BE7000-memory.dmp

Filesize
12KB

Download
memory/2808-10-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp

Filesize
9.6MB

Download
memory/2808-17-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp

Filesize
9.6MB

Download