fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82

General

Target

SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.exe
Size

3.2MB
MD5

13ca60d73776b420ada5cc15848f8dfb
SHA1

22bece82795e9c60d76c19f22f777f3b19af10d8
SHA256

fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82
SHA512

7074d3fb777563a94dde036cab647cfc72c115e140343ec25f6921a5689b4d381b60012dfa0fb2b1ea17621ff90ca4c225cd3f2e71c1a6bab935c33610f4dafc
SSDEEP

98304:VSiRz+JwCh4p8zdpHzEugKdTHvjgJLTiH7BUB:3zI48v1r1EsY

Score

6^/10

Malware Config

Signatures

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
36	api.keen.io
15	api.keen.io
16	api.keen.io

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.tmp

Executes dropped EXE 4 IoCs

pid	Process
528	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.tmp
4080	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.tmp
4884	OneLaunch Setup_.exe
2984	OneLaunch Setup_.tmp

Loads dropped DLL 7 IoCs

pid	Process
528	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.tmp
528	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.tmp
528	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.tmp
4080	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.tmp
2984	OneLaunch Setup_.tmp
2984	OneLaunch Setup_.tmp
2984	OneLaunch Setup_.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 7 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	38	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	34	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	36	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	37	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
528	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 528	1720	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.exe	83
PID 1720 wrote to memory of 528	1720	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.exe	83
PID 1720 wrote to memory of 528	1720	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.exe	83
PID 528 wrote to memory of 564	528	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.tmp	93
PID 528 wrote to memory of 564	528	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.tmp	93
PID 528 wrote to memory of 564	528	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.tmp	93
PID 564 wrote to memory of 4080	564	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.exe	94
PID 564 wrote to memory of 4080	564	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.exe	94
PID 564 wrote to memory of 4080	564	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.exe	94
PID 4080 wrote to memory of 4884	4080	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.tmp	95
PID 4080 wrote to memory of 4884	4080	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.tmp	95
PID 4080 wrote to memory of 4884	4080	SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.tmp	95
PID 4884 wrote to memory of 2984	4884	OneLaunch Setup_.exe	96
PID 4884 wrote to memory of 2984	4884	OneLaunch Setup_.exe	96
PID 4884 wrote to memory of 2984	4884	OneLaunch Setup_.exe	96

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\is-8BAKL.tmp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-8BAKL.tmp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.tmp" /SL5="$40212,2484196,893952,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.exe" /PDATA=eyJpbnN0YWxsX3RpbWUiOjE3MTcwMzI2NzEsImRpc3RpbmN0X2lkIjoiOEZDODFEOUMtRkU0Mi00OThELUJENTAtM0QwQjkyMDM3QkNBIiwiZGVmYXVsdF9icm93c2VyIjoiTVNFZGdlSFRNIiwiaW5pdGluYWxfdmVyc2lvbiI6IjUuMzEuNC4wIiwicGFja2FnZWRfYnJvd3NlciI6Ik5vbmUiLCJzcGxpdCI6ImIiLCJub19zcGxpdCI6ZmFsc2UsInNwbGl0MiI6ImIiLCJzZXJ2ZXJfc2lkZV9zcGxpdF8yOF8xMV9udHBfZGlzdHJpYnV0aW9uIjoiY29udHJvbCIsImVuY29kZWRfc3BsaXRzIjoiMDAwIn0= /LAUNCHER /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Users\Admin\AppData\Local\Temp\is-TCO40.tmp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-TCO40.tmp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.tmp" /SL5="$601E6,2484196,893952,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.exe" /PDATA=eyJpbnN0YWxsX3RpbWUiOjE3MTcwMzI2NzEsImRpc3RpbmN0X2lkIjoiOEZDODFEOUMtRkU0Mi00OThELUJENTAtM0QwQjkyMDM3QkNBIiwiZGVmYXVsdF9icm93c2VyIjoiTVNFZGdlSFRNIiwiaW5pdGluYWxfdmVyc2lvbiI6IjUuMzEuNC4wIiwicGFja2FnZWRfYnJvd3NlciI6Ik5vbmUiLCJzcGxpdCI6ImIiLCJub19zcGxpdCI6ZmFsc2UsInNwbGl0MiI6ImIiLCJzZXJ2ZXJfc2lkZV9zcGxpdF8yOF8xMV9udHBfZGlzdHJpYnV0aW9uIjoiY29udHJvbCIsImVuY29kZWRfc3BsaXRzIjoiMDAwIn0= /LAUNCHER /VERYSILENT
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Users\Admin\AppData\Local\Temp\OneLaunch Setup_.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OneLaunch Setup_.exe" /PDATA=eyJpbnN0YWxsX3RpbWUiOjE3MTcwMzI2NzEsImRpc3RpbmN0X2lkIjoiOEZDODFEOUMtRkU0Mi00OThELUJENTAtM0QwQjkyMDM3QkNBIiwiZGVmYXVsdF9icm93c2VyIjoiTVNFZGdlSFRNIiwiaW5pdGluYWxfdmVyc2lvbiI6IjUuMzEuNC4wIiwicGFja2FnZWRfYnJvd3NlciI6Ik5vbmUiLCJzcGxpdCI6ImIiLCJub19zcGxpdCI6ZmFsc2UsInNwbGl0MiI6ImIiLCJzZXJ2ZXJfc2lkZV9zcGxpdF8yOF8xMV9udHBfZGlzdHJpYnV0aW9uIjoiY29udHJvbCIsImVuY29kZWRfc3BsaXRzIjoiMDAwIn0=
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4884
      - C:\Users\Admin\AppData\Local\Temp\is-EI2LF.tmp\OneLaunch Setup_.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-EI2LF.tmp\OneLaunch Setup_.tmp" /SL5="$10228,105339801,893952,C:\Users\Admin\AppData\Local\Temp\OneLaunch Setup_.exe" /PDATA=eyJpbnN0YWxsX3RpbWUiOjE3MTcwMzI2NzEsImRpc3RpbmN0X2lkIjoiOEZDODFEOUMtRkU0Mi00OThELUJENTAtM0QwQjkyMDM3QkNBIiwiZGVmYXVsdF9icm93c2VyIjoiTVNFZGdlSFRNIiwiaW5pdGluYWxfdmVyc2lvbiI6IjUuMzEuNC4wIiwicGFja2FnZWRfYnJvd3NlciI6Ik5vbmUiLCJzcGxpdCI6ImIiLCJub19zcGxpdCI6ZmFsc2UsInNwbGl0MiI6ImIiLCJzZXJ2ZXJfc2lkZV9zcGxpdF8yOF8xMV9udHBfZGlzdHJpYnV0aW9uIjoiY29udHJvbCIsImVuY29kZWRfc3BsaXRzIjoiMDAwIn0=
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-8BAKL.tmp\SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.11805.11027.tmp

Filesize
3.0MB

MD5
5c6dc4f810bf08224a748763e915d294

SHA1
57e9256e9aeaafd45e4bdc8461f5fcb73f65302e

SHA256
44f80edcbb47c543b362916340af40e5e0f5fa38c1c17713af1ab463d1389e9d

SHA512
8a834ad640ea17ff74d4956d968fe4f5dc657f8fe152eaab778363b2d301733eca2ae01227e20ed9ed88b9eaabe2914a1e388ecea214effdce6725dd28164a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9II47.tmp\checkmark-10-light.png

Filesize
363B

MD5
a4d4dc66a41d9c3b54a2ed3ee8d4b3df

SHA1
e91a5e7a6690c14c6f799e2433beb2f6388c4df6

SHA256
46e9c171e2115cd43e5d05f6a5f6015b27bda065fbab939916fee2fd5c06d5a4

SHA512
99d5425aa653b93d0b6065020f88c095c39d982fb20a0ed0078418e8e862a104b4f0392791c79d2df86410a0ba5ba60e644852943a9fc602f7eaf82fecaaefd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9II47.tmp\min-10-light.png

Filesize
5KB

MD5
2257b1d0d33a41f509e7c3e117819f8b

SHA1
87583bfbc655aec4e8cc4465b341c3f7889a6317

SHA256
d43e4b285b5b54313b53e87d2a56ca9ba0c85f8f55c9c5fdcdb4fac815ff4d02

SHA512
702d1a126a0a7a64af5cee9450daeed74364aa9e9f123e1bc398ecd4215c082e7f55e43dd292a4119749e84999b015109bff8b11732df11143d202b385411cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9II47.tmp\min-rest.bmp

Filesize
24KB

MD5
2484489c7443ec4745488a77ed084d80

SHA1
fcf49d1be8bbbae3d0dea49bb5e677fb19d98d9d

SHA256
70b6921812f29b698f454927802db818c1625402baefd53ced1bfb9135c17d5a

SHA512
a4776969b6bf215a85e7cfbc8f13dbb1beb4ef42eb5abfa572bb7f54c0032941c8bb178e7b77eda0c442741c29fccb02d8de157068dd31203bfed4e49ce051a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9II47.tmp\onelaunch.bmp

Filesize
725KB

MD5
00de2dff1787f6d7904189476b307bfb

SHA1
098a2c23f651d08730927adc8c63518744b199f9

SHA256
cc24488a078d3e92dd7dfb96c22cebd4004ee7fcb297a438e2d3848b633a9f71

SHA512
33a06affebca41e4580279d3ab0f5a2e798584f1ac7f15a19b2364825caba06d8cf57d4ea1ae15bb41d7b14b6ed48f0d3f472c4a4231b7ff792bfca97e93250f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EI2LF.tmp\OneLaunch Setup_.tmp

Filesize
3.0MB

MD5
ac664be735b76d24824d7cfd4ec8096d

SHA1
f3d4942c15491c5b9d8e582958f19da2258fd9db

SHA256
2e39a9112aeb59cee246f88db4f8e7d12aaee96ff23a82ec87f540657ae59127

SHA512
8c3c501fd744c08afab43b4fea02095808f22fa379007dc03c5b5409b15b7cebf8a679573b2e6c666809e24f6cd7f86f0cd4cfc42f3187e2076a724a424ccf73

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P9GCC.tmp\Win32Library.dll

Filesize
46KB

MD5
564f2dfb6bef1f47798dfb5d182232f0

SHA1
290a5ad705a85e7fb26efcdc5374cd39738ad242

SHA256
671fb4649ddd8428c7f6fd1e14b30fd4735efbbb8c142e2662e157d87f96c9c0

SHA512
492091b1ecb0e36f3d01a7b6d516d836224966dc6e8ec9bcdc2254d252f9530c9b9b45ac10d5216761d557cda2454e3d53060b42e55f6a95631baca29199926b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P9GCC.tmp\onelaunch.png

Filesize
70KB

MD5
d3110fb775ee7fd24426503d67840c25

SHA1
54f649c8bf3af2ad3a4d92cd8b1397bad1a49a75

SHA256
f8392390dc81756e79ec5f359dbdcac3b4bd219b5188a429b814fc51aabb6e36

SHA512
f6b79f728be17c9060edb2df2dac2b0f59a4dffd8c416e7e957bc3fa4696f4237e5969647309f5425a6297f189e351e20c99c642f90d1476050285929657c32f

Download Submit
memory/528-54-0x00000000037C0000-0x0000000003900000-memory.dmp

Filesize
1.2MB

Download
memory/528-22-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/528-46-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/528-45-0x00000000037C0000-0x0000000003900000-memory.dmp

Filesize
1.2MB

Download
memory/528-44-0x00000000037C0000-0x0000000003900000-memory.dmp

Filesize
1.2MB

Download
memory/528-47-0x00000000037C0000-0x0000000003900000-memory.dmp

Filesize
1.2MB

Download
memory/528-48-0x00000000037C0000-0x0000000003900000-memory.dmp

Filesize
1.2MB

Download
memory/528-49-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/528-7-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/528-51-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/528-28-0x0000000006CA0000-0x0000000006D32000-memory.dmp

Filesize
584KB

Download
memory/528-59-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/528-26-0x0000000004970000-0x0000000004984000-memory.dmp

Filesize
80KB

Download
memory/528-93-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/528-27-0x0000000074260000-0x0000000074274000-memory.dmp

Filesize
80KB

Download
memory/564-60-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/564-62-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/564-163-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1720-1-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1720-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/1720-50-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1720-162-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2984-105-0x000000006FBF0000-0x000000006FC04000-memory.dmp

Filesize
80KB

Download
memory/2984-104-0x0000000008F70000-0x0000000008F84000-memory.dmp

Filesize
80KB

Download
memory/2984-95-0x0000000003680000-0x00000000037C0000-memory.dmp

Filesize
1.2MB

Download
memory/2984-94-0x0000000003680000-0x00000000037C0000-memory.dmp

Filesize
1.2MB

Download
memory/2984-166-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/4080-164-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/4884-78-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4884-165-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download

Analysis

Sharing