analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | OneLaunch - Manuals_w3kg.exe |
| Full analysis: | https://app.any.run/tasks/5fc12dc1-bec6-4ff4-8098-cd3b2cdd7c22 |
| Verdict: | Malicious activity |
| Analysis date: | December 05, 2022, 21:23:22 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | FBA2AAAE6DE6FB573D9DFFB9AB0BFFA3 |
| SHA1: | 10FD64392CEE638A40705FA2B5B6A496A143A8F5 |
| SHA256: | 7A2E5B56A2470BFD52202AEB7B79C981EB76253E46F4B3D56882604E6FF551D1 |
| SSDEEP: | 49152:lqe3f6RzcjoiBNKDIoRxbdLjqVX5rIJwI2J5PiH7nBGty:0SiRzRirWI+xJjgJLTiH7BUy |
MALICIOUS
Drops the executable file immediately after the start
- OneLaunch - Manuals_w3kg.exe (PID: 1756)
SUSPICIOUS
Reads the Internet Settings
- OneLaunch - Manuals_w3kg.tmp (PID: 3084)
- OneLaunch - Manuals_w3kg.tmp (PID: 3612)
- OneLaunch - Manuals_w3kg.tmp (PID: 556)
Executable content was dropped or overwritten
- OneLaunch - Manuals_w3kg.exe (PID: 1756)
Reads the Windows owner or organization settings
- OneLaunch - Manuals_w3kg.tmp (PID: 3084)
- OneLaunch - Manuals_w3kg.tmp (PID: 3612)
- OneLaunch - Manuals_w3kg.tmp (PID: 556)
INFO
Reads the computer name
- OneLaunch - Manuals_w3kg.tmp (PID: 3084)
- OneLaunch - Manuals_w3kg.tmp (PID: 556)
- OneLaunch - Manuals_w3kg.tmp (PID: 3612)
Checks supported languages
- OneLaunch - Manuals_w3kg.tmp (PID: 3084)
- OneLaunch - Manuals_w3kg.exe (PID: 3448)
- OneLaunch - Manuals_w3kg.exe (PID: 1756)
- OneLaunch - Manuals_w3kg.exe (PID: 1172)
- OneLaunch - Manuals_w3kg.tmp (PID: 556)
- OneLaunch - Manuals_w3kg.tmp (PID: 3612)
Application was dropped or rewritten from another process
- OneLaunch - Manuals_w3kg.tmp (PID: 3084)
- OneLaunch - Manuals_w3kg.tmp (PID: 3612)
- OneLaunch - Manuals_w3kg.tmp (PID: 556)
Loads dropped or rewritten executable
- OneLaunch - Manuals_w3kg.tmp (PID: 3084)
- OneLaunch - Manuals_w3kg.tmp (PID: 3612)
- OneLaunch - Manuals_w3kg.tmp (PID: 556)
Manual execution by a user
- OneLaunch - Manuals_w3kg.exe (PID: 3448)
- cmd.exe (PID: 268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (67.7) |
|---|---|---|
| .exe | | | Win32 EXE PECompact compressed (generic) (25.6) |
| .exe | | | Win32 Executable (generic) (2.7) |
| .exe | | | Win16/32 Executable Delphi generic (1.2) |
| .exe | | | Generic Win/DOS Executable (1.2) |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 2020-Nov-15 09:48:30 |
| Detected languages: |
|
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | OneLaunch |
| FileDescription: | 'OneLaunch Installer' Setup |
| FileVersion: | 5.8.4 |
| LegalCopyright: | Copyright OneLaunch. All rights reserved. |
| OriginalFileName: | - |
| ProductName: | 'OneLaunch Installer' |
| ProductVersion: | 5.8.4 |
DOS Header
| e_magic: | MZ |
|---|---|
| e_cblp: | 80 |
| e_cp: | 2 |
| e_crlc: | - |
| e_cparhdr: | 4 |
| e_minalloc: | 15 |
| e_maxalloc: | 65535 |
| e_ss: | - |
| e_sp: | 184 |
| e_csum: | - |
| e_ip: | - |
| e_cs: | - |
| e_ovno: | 26 |
| e_oemid: | - |
| e_oeminfo: | - |
| e_lfanew: | 256 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| NumberofSections: | 10 |
| TimeDateStamp: | 2020-Nov-15 09:48:30 |
| PointerToSymbolTable: | - |
| NumberOfSymbols: | - |
| SizeOfOptionalHeader: | 224 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 4096 | 734748 | 735232 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.35606 |
.itext | 741376 | 5768 | 6144 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.97275 |
.data | 749568 | 14244 | 14336 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.0444 |
.bss | 765952 | 28136 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.idata | 794624 | 3894 | 4096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.8987 |
.didata | 798720 | 420 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.75636 |
.edata | 802816 | 154 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.87222 |
.tls | 806912 | 24 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.rdata | 811008 | 93 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.38389 |
.rsrc | 815104 | 131476 | 131584 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.05997 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 7.96528 | 18420 | Latin 1 / Western European | English - United States | RT_ICON |
2 | 5.42918 | 67624 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 5.59133 | 16936 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 5.70399 | 9640 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 5.79345 | 4264 | Latin 1 / Western European | English - United States | RT_ICON |
6 | 5.89179 | 1128 | Latin 1 / Western European | English - United States | RT_ICON |
4086 | 3.16547 | 864 | Latin 1 / Western European | UNKNOWN | RT_STRING |
4087 | 3.40938 | 608 | Latin 1 / Western European | UNKNOWN | RT_STRING |
4088 | 3.31153 | 1116 | Latin 1 / Western European | UNKNOWN | RT_STRING |
4089 | 3.33977 | 1036 | Latin 1 / Western European | UNKNOWN | RT_STRING |
Imports
advapi32.dll |
comctl32.dll |
kernel32.dll |
kernel32.dll (delay-loaded) |
netapi32.dll |
oleaut32.dll |
user32.dll |
version.dll |
Exports
Title | Ordinal | Address |
|---|---|---|
dbkFCallWrapperAddr | 1 | 779836 |
__dbk_fcall_wrapper | 2 | 53408 |
TMethodImplementationIntercept | 3 | 344160 |
Total processes
41
Monitored processes
7
Malicious processes
0
Suspicious processes
4
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1756 | "C:\Users\admin\Desktop\OneLaunch - Manuals_w3kg.exe" | C:\Users\admin\Desktop\OneLaunch - Manuals_w3kg.exe | Explorer.EXE | ||||||||||||
User: admin Company: OneLaunch Integrity Level: MEDIUM Description: 'OneLaunch Installer' Setup Exit code: 1 Version: 5.8.4 Modules
| |||||||||||||||
| 3084 | "C:\Users\admin\AppData\Local\Temp\is-CC221.tmp\OneLaunch - Manuals_w3kg.tmp" /SL5="$50198,1878085,893952,C:\Users\admin\Desktop\OneLaunch - Manuals_w3kg.exe" | C:\Users\admin\AppData\Local\Temp\is-CC221.tmp\OneLaunch - Manuals_w3kg.tmp | OneLaunch - Manuals_w3kg.exe | ||||||||||||
User: admin Company: OneLaunch Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 1 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 3448 | "C:\Users\admin\Desktop\OneLaunch - Manuals_w3kg.exe" | C:\Users\admin\Desktop\OneLaunch - Manuals_w3kg.exe | — | Explorer.EXE | |||||||||||
User: admin Company: OneLaunch Integrity Level: MEDIUM Description: 'OneLaunch Installer' Setup Exit code: 1 Version: 5.8.4 Modules
| |||||||||||||||
| 3612 | "C:\Users\admin\AppData\Local\Temp\is-VG82J.tmp\OneLaunch - Manuals_w3kg.tmp" /SL5="$60150,1878085,893952,C:\Users\admin\Desktop\OneLaunch - Manuals_w3kg.exe" | C:\Users\admin\AppData\Local\Temp\is-VG82J.tmp\OneLaunch - Manuals_w3kg.tmp | OneLaunch - Manuals_w3kg.exe | ||||||||||||
User: admin Company: OneLaunch Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 1 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 268 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 3221225786 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1172 | "OneLaunch - Manuals_w3kg.exe" | C:\Users\admin\Desktop\OneLaunch - Manuals_w3kg.exe | — | cmd.exe | |||||||||||
User: admin Company: OneLaunch Integrity Level: MEDIUM Description: 'OneLaunch Installer' Setup Exit code: 1 Version: 5.8.4 Modules
| |||||||||||||||
| 556 | "C:\Users\admin\AppData\Local\Temp\is-C13NJ.tmp\OneLaunch - Manuals_w3kg.tmp" /SL5="$701CC,1878085,893952,C:\Users\admin\Desktop\OneLaunch - Manuals_w3kg.exe" | C:\Users\admin\AppData\Local\Temp\is-C13NJ.tmp\OneLaunch - Manuals_w3kg.tmp | OneLaunch - Manuals_w3kg.exe | ||||||||||||
User: admin Company: OneLaunch Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 1 Version: 51.1052.0.0 Modules
| |||||||||||||||
Total events
836
Read events
815
Write events
9
Delete events
12
Modification events
| (PID) Process: | (3084) OneLaunch - Manuals_w3kg.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Owner |
Value: 0C0C0000A8F016D2EF08D901 | |||
| (PID) Process: | (3084) OneLaunch - Manuals_w3kg.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | SessionHash |
Value: 25A1217529B2CF99F0480907EBE9E21A4738881F0512FA626C10F80AD4C4A646 | |||
| (PID) Process: | (3084) OneLaunch - Manuals_w3kg.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (3084) OneLaunch - Manuals_w3kg.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (3084) OneLaunch - Manuals_w3kg.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | SessionHash |
Value: 25A1217529B2CF99F0480907EBE9E21A4738881F0512FA626C10F80AD4C4A646 | |||
| (PID) Process: | (3084) OneLaunch - Manuals_w3kg.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | Owner |
Value: 0C0C0000A8F016D2EF08D901 | |||
| (PID) Process: | (3084) OneLaunch - Manuals_w3kg.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3612) OneLaunch - Manuals_w3kg.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Owner |
Value: 1C0E000074D0D1D9EF08D901 | |||
| (PID) Process: | (3612) OneLaunch - Manuals_w3kg.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | SessionHash |
Value: 7EC6F0FD730EF2B89F97A1BCCF3A15DC9D3A95D3B1275D03563DD5FC1D434978 | |||
| (PID) Process: | (3612) OneLaunch - Manuals_w3kg.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Sequence |
Value: 1 | |||
Executable files
6
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1172 | OneLaunch - Manuals_w3kg.exe | C:\Users\admin\AppData\Local\Temp\is-C13NJ.tmp\OneLaunch - Manuals_w3kg.tmp | executable | |
MD5:1150AE25E5011B45E72A7529CDA3A7D4 | SHA256:FC1B56336B99359CC13A37B371794796726938606D39FBD9B59606BB0E212E86 | |||
| 1756 | OneLaunch - Manuals_w3kg.exe | C:\Users\admin\AppData\Local\Temp\is-CC221.tmp\OneLaunch - Manuals_w3kg.tmp | executable | |
MD5:1150AE25E5011B45E72A7529CDA3A7D4 | SHA256:FC1B56336B99359CC13A37B371794796726938606D39FBD9B59606BB0E212E86 | |||
| 3448 | OneLaunch - Manuals_w3kg.exe | C:\Users\admin\AppData\Local\Temp\is-VG82J.tmp\OneLaunch - Manuals_w3kg.tmp | executable | |
MD5:1150AE25E5011B45E72A7529CDA3A7D4 | SHA256:FC1B56336B99359CC13A37B371794796726938606D39FBD9B59606BB0E212E86 | |||
| 3612 | OneLaunch - Manuals_w3kg.tmp | C:\Users\admin\AppData\Local\Temp\is-3FHHU.tmp\Win32Library.dll | executable | |
MD5:E99A5B105547EDBC770650716AEB47E1 | SHA256:004B4A2DF5C9874C21BBBA5A89FAED4FDD03818D6AD2B48198397BFAB7CB2F73 | |||
| 556 | OneLaunch - Manuals_w3kg.tmp | C:\Users\admin\AppData\Local\Temp\is-5SGFC.tmp\Win32Library.dll | executable | |
MD5:E99A5B105547EDBC770650716AEB47E1 | SHA256:004B4A2DF5C9874C21BBBA5A89FAED4FDD03818D6AD2B48198397BFAB7CB2F73 | |||
| 3084 | OneLaunch - Manuals_w3kg.tmp | C:\Users\admin\AppData\Local\Temp\is-30KP1.tmp\Win32Library.dll | executable | |
MD5:E99A5B105547EDBC770650716AEB47E1 | SHA256:004B4A2DF5C9874C21BBBA5A89FAED4FDD03818D6AD2B48198397BFAB7CB2F73 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
11
DNS requests
2
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3084 | OneLaunch - Manuals_w3kg.tmp | 143.204.215.68:443 | attribution.onelaunch.com | AMAZON-02 | US | malicious |
3612 | OneLaunch - Manuals_w3kg.tmp | 143.204.215.113:443 | attribution.onelaunch.com | AMAZON-02 | US | suspicious |
3612 | OneLaunch - Manuals_w3kg.tmp | 143.204.215.68:443 | attribution.onelaunch.com | AMAZON-02 | US | malicious |
556 | OneLaunch - Manuals_w3kg.tmp | 143.204.215.68:443 | attribution.onelaunch.com | AMAZON-02 | US | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
attribution.onelaunch.com |
| whitelisted |
dns.msftncsi.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3084 | OneLaunch - Manuals_w3kg.tmp | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
3612 | OneLaunch - Manuals_w3kg.tmp | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
3612 | OneLaunch - Manuals_w3kg.tmp | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
556 | OneLaunch - Manuals_w3kg.tmp | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
556 | OneLaunch - Manuals_w3kg.tmp | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |