Overview

overview

7

Static

static

3

XONELauncher.exe

windows10-1703-x64

7

XONELauncher.exe

windows7-x64

7

XONELauncher.exe

windows10-2004-x64

7

XONELauncher.exe

windows11-21h2-x64

7

Analysis

  • max time kernel
    112s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/05/2024, 09:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XONELauncher.exe

  • Size

    510KB

  • MD5

    0ed4e0764b8acdc4b7d11e4a1506575a

  • SHA1

    1f20519e4a7716239da265696c815e2d76dae033

  • SHA256

    4f3d3cefe0e1e946aa00d23f4d23c9c9f4d59b0f2728446d9c29dd12a4e88bd9

  • SHA512

    c5a099c4b2f3335bc441b57c4bd6bb3e16f8e895fcae17f553fffc1a34458982069090babbe45d104d57175ad32796c8e22f50f59143060df7a32f628b334390

  • SSDEEP

    3072:63kdTXHpVjSOupBoxJ0u0+ssa6oL9YORen2909vKK9kvDFwsH5CewvoDt41JMabv:TpVjSO0BsdLop5eX9vKliA5VkoDZao

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 7 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XONELauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\XONELauncher.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Windows\WINRAR.exe
      "C:\Windows\WINRAR.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4088
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f im kaspersky.exe
        3⤵
        • Kills process with taskkill
        PID:2488
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f im kaspersky.exe
        3⤵
        • Kills process with taskkill
        PID:3360
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f im kaspersky.exe
        3⤵
        • Kills process with taskkill
        PID:1340
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f im kaspersky.exe
        3⤵
        • Kills process with taskkill
        PID:1536
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f im kaspersky.exe
        3⤵
        • Kills process with taskkill
        PID:2192
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f im kaspersky.exe
        3⤵
        • Kills process with taskkill
        PID:4700
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f im kaspersky.exe
        3⤵
        • Kills process with taskkill
        PID:5004
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\XONELauncher.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4936
      • C:\Windows\SysWOW64\choice.exe
        choice /C Y /N /D Y /T 5
        3⤵
          PID:3280

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\WINRAR.exe
      Filesize

      510KB

      MD5

      0ed4e0764b8acdc4b7d11e4a1506575a

      SHA1

      1f20519e4a7716239da265696c815e2d76dae033

      SHA256

      4f3d3cefe0e1e946aa00d23f4d23c9c9f4d59b0f2728446d9c29dd12a4e88bd9

      SHA512

      c5a099c4b2f3335bc441b57c4bd6bb3e16f8e895fcae17f553fffc1a34458982069090babbe45d104d57175ad32796c8e22f50f59143060df7a32f628b334390

      Download Submit

    • memory/4088-12-0x0000000074650000-0x0000000074C01000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4088-14-0x0000000074650000-0x0000000074C01000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4088-15-0x0000000074650000-0x0000000074C01000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4604-0-0x0000000074652000-0x0000000074653000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4604-1-0x0000000074650000-0x0000000074C01000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4604-2-0x0000000074650000-0x0000000074C01000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4604-13-0x0000000074650000-0x0000000074C01000-memory.dmp

      Filesize

      5.7MB

      Download