Resubmissions

27/03/2025, 09:39    250327-lm3m5sslv4    10
27/03/2025, 07:44    250327-jkzscsyxgx    10
27/03/2025, 04:15    250327-evp9fsyrx2    10

Analysis
max time kernel: 841s
max time network: 842s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27/03/2025, 09:39
Static task: static1

Behavioral task: behavioral1
  Sample: Oneclick-V7.0.bat
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: Oneclick-V7.0.bat
  Resource: win10v2004-20250314-en
General

Target: Oneclick-V7.0.bat
Size: 201KB
MD5: c8e2a0c12285b709fc839a4c7cbd6e1a
SHA1: cae0726adbd932745e4e4db37c82c5839f632efa
SHA256: 67b5e27f2726692662d746c555d403d35293c6bf6eb0f5d8beaba417872a5d9c
SHA512: a99ca57c12ab00bd160747812ef71518cff0db5b8962b6b21694f0e9d7682830642290c8cbef7a83368ea7b302730e3d0930761edae15fca51247ee8f14bdc18
SSDEEP: 1536:8PSPKdigMQgPTjIV4QJ8STaggyjH/nvfHH4pXfCWOBEzCLiD15ToSmcj/DB:MfjvvfeTTmcTDB
Malware Config

Signatures

pid    Process
2808   powershell.exe
2668   powershell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid    Process
2808   powershell.exe
2668   powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                pid    Process
Token: SeDebugPrivilege    2808   powershell.exe
Token: SeDebugPrivilege    2668   powershell.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description                         pid    Process    procid_target
PID 2384 wrote to memory of 2660    2384   cmd.exe    31
PID 2384 wrote to memory of 2660    2384   cmd.exe    31
PID 2384 wrote to memory of 2660    2384   cmd.exe    31
PID 2384 wrote to memory of 2380    2384   cmd.exe    32
PID 2384 wrote to memory of 2380    2384   cmd.exe    32
PID 2384 wrote to memory of 2380    2384   cmd.exe    32
PID 2380 wrote to memory of 2760    2380   cmd.exe    33
PID 2380 wrote to memory of 2760    2380   cmd.exe    33
PID 2380 wrote to memory of 2760    2380   cmd.exe    33
PID 2380 wrote to memory of 2804    2380   cmd.exe    34
PID 2380 wrote to memory of 2804    2380   cmd.exe    34
PID 2380 wrote to memory of 2804    2380   cmd.exe    34
PID 2384 wrote to memory of 2808    2384   cmd.exe    35
PID 2384 wrote to memory of 2808    2384   cmd.exe    35
PID 2384 wrote to memory of 2808    2384   cmd.exe    35
PID 2384 wrote to memory of 2668    2384   cmd.exe    36
PID 2384 wrote to memory of 2668    2384   cmd.exe    36
PID 2384 wrote to memory of 2668    2384   cmd.exe    36
Processes

C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\Oneclick-V7.0.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2384

  C:\Windows\system32\fltMC.exe
    fltmc
    PID: 2660

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild" 2>nul | findstr "REG_SZ"
    - Suspicious use of WriteProcessMemory
    PID: 2380

    C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
      PID: 2760

    C:\Windows\system32\findstr.exe
      findstr "REG_SZ"
      PID: 2804

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Write-Host 'Windows 11 not detected, we recommend running *Win 11 22H2 or 23H2* for the best results' -ForegroundColor White -BackgroundColor Red"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2808

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Write-Host 'Although this doesn''t mean you have to use Win 11.' -ForegroundColor White -BackgroundColor Red"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2668
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 2385b4503e30d8046074787df465bc5d
SHA1: 723407ab50739a467be6d8ae9c7227f09eb770d4
SHA256: 28e970fd1a9eec76fabe2ff58d06998631fdad0a9a20e96f464be63f68be741b
SHA512: e98244d2fc6f6126e8b97b77d985cdf0dbd45385c2649b51316f3d5fa9cbf628fc1e351a0faf6e83757621660070854dd57accc21564cb3579a484523616130e