Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
16-01-2022 12:55
Static task
static1
Behavioral task
behavioral1
Sample
57620fe23fe46b9b50f5ec40bdc6b8fa.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
57620fe23fe46b9b50f5ec40bdc6b8fa.exe
Resource
win10v2004-en-20220112
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
57620fe23fe46b9b50f5ec40bdc6b8fa.exe
-
Size
419KB
-
MD5
57620fe23fe46b9b50f5ec40bdc6b8fa
-
SHA1
fe38a4e6d66ad1cc621ea39e3d344d1fcd6227d2
-
SHA256
d1a299c8b89530ee091ceeb89c172bdd9317816825b68926b0e368714e74d27f
-
SHA512
671cd11456cc62533acfd62693db39488aa8964db4f4b4729ec1305b8b5550798bd1eae4107957eb5bc1b29d6023c8f28b0f33ccaf21a2b7169e5bf49125f1a3
Score
10/10
Malware Config
Signatures
-
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
-
OnlyLogger Payload 2 IoCs
resource yara_rule behavioral1/memory/760-56-0x00000000001B0000-0x00000000001FC000-memory.dmp family_onlylogger behavioral1/memory/760-57-0x0000000000400000-0x0000000000579000-memory.dmp family_onlylogger -
Deletes itself 1 IoCs
pid Process 1892 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 1 IoCs
pid Process 772 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 772 taskkill.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 760 wrote to memory of 1892 760 57620fe23fe46b9b50f5ec40bdc6b8fa.exe 27 PID 760 wrote to memory of 1892 760 57620fe23fe46b9b50f5ec40bdc6b8fa.exe 27 PID 760 wrote to memory of 1892 760 57620fe23fe46b9b50f5ec40bdc6b8fa.exe 27 PID 760 wrote to memory of 1892 760 57620fe23fe46b9b50f5ec40bdc6b8fa.exe 27 PID 1892 wrote to memory of 772 1892 cmd.exe 29 PID 1892 wrote to memory of 772 1892 cmd.exe 29 PID 1892 wrote to memory of 772 1892 cmd.exe 29 PID 1892 wrote to memory of 772 1892 cmd.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\57620fe23fe46b9b50f5ec40bdc6b8fa.exe"C:\Users\Admin\AppData\Local\Temp\57620fe23fe46b9b50f5ec40bdc6b8fa.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "57620fe23fe46b9b50f5ec40bdc6b8fa.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\57620fe23fe46b9b50f5ec40bdc6b8fa.exe" & exit2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\taskkill.exetaskkill /im "57620fe23fe46b9b50f5ec40bdc6b8fa.exe" /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:772
-
-