Analysis
-
max time kernel
4265058s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
16-01-2022 12:55
Static task
static1
Behavioral task
behavioral1
Sample
57620fe23fe46b9b50f5ec40bdc6b8fa.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
57620fe23fe46b9b50f5ec40bdc6b8fa.exe
Resource
win10v2004-en-20220112
General
-
Target
57620fe23fe46b9b50f5ec40bdc6b8fa.exe
-
Size
419KB
-
MD5
57620fe23fe46b9b50f5ec40bdc6b8fa
-
SHA1
fe38a4e6d66ad1cc621ea39e3d344d1fcd6227d2
-
SHA256
d1a299c8b89530ee091ceeb89c172bdd9317816825b68926b0e368714e74d27f
-
SHA512
671cd11456cc62533acfd62693db39488aa8964db4f4b4729ec1305b8b5550798bd1eae4107957eb5bc1b29d6023c8f28b0f33ccaf21a2b7169e5bf49125f1a3
Malware Config
Signatures
-
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
-
Suspicious use of NtCreateProcessExOtherParentProcess 7 IoCs
description pid Process procid_target PID 2932 created 3104 2932 WerFault.exe 52 PID 632 created 3104 632 WerFault.exe 52 PID 1720 created 3104 1720 WerFault.exe 52 PID 3624 created 3104 3624 WerFault.exe 52 PID 1776 created 3104 1776 WerFault.exe 52 PID 3860 created 3104 3860 WerFault.exe 52 PID 2416 created 3104 2416 WerFault.exe 52 -
OnlyLogger Payload 2 IoCs
resource yara_rule behavioral2/memory/3104-131-0x0000000000820000-0x000000000086C000-memory.dmp family_onlylogger behavioral2/memory/3104-132-0x0000000000400000-0x0000000000579000-memory.dmp family_onlylogger -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation 57620fe23fe46b9b50f5ec40bdc6b8fa.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 7 IoCs
pid pid_target Process procid_target 1604 3104 WerFault.exe 52 1068 3104 WerFault.exe 52 2696 3104 WerFault.exe 52 2940 3104 WerFault.exe 52 2292 3104 WerFault.exe 52 3752 3104 WerFault.exe 52 2884 3104 WerFault.exe 52 -
Checks processor information in registry 2 TTPs 23 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotification.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotification.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe -
Enumerates system info in registry 2 TTPs 14 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe -
Kills process with taskkill 1 IoCs
pid Process 3880 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 1604 WerFault.exe 1604 WerFault.exe 1068 WerFault.exe 1068 WerFault.exe 2696 WerFault.exe 2696 WerFault.exe 2940 WerFault.exe 2940 WerFault.exe 2292 WerFault.exe 2292 WerFault.exe 3752 WerFault.exe 3752 WerFault.exe 2884 WerFault.exe 2884 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeRestorePrivilege 1604 WerFault.exe Token: SeBackupPrivilege 1604 WerFault.exe Token: SeShutdownPrivilege 1800 MusNotification.exe Token: SeCreatePagefilePrivilege 1800 MusNotification.exe Token: SeDebugPrivilege 3880 taskkill.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 2932 wrote to memory of 3104 2932 WerFault.exe 52 PID 2932 wrote to memory of 3104 2932 WerFault.exe 52 PID 632 wrote to memory of 3104 632 WerFault.exe 52 PID 632 wrote to memory of 3104 632 WerFault.exe 52 PID 1720 wrote to memory of 3104 1720 WerFault.exe 52 PID 1720 wrote to memory of 3104 1720 WerFault.exe 52 PID 3624 wrote to memory of 3104 3624 WerFault.exe 52 PID 3624 wrote to memory of 3104 3624 WerFault.exe 52 PID 1776 wrote to memory of 3104 1776 WerFault.exe 52 PID 1776 wrote to memory of 3104 1776 WerFault.exe 52 PID 3860 wrote to memory of 3104 3860 WerFault.exe 52 PID 3860 wrote to memory of 3104 3860 WerFault.exe 52 PID 3104 wrote to memory of 3564 3104 57620fe23fe46b9b50f5ec40bdc6b8fa.exe 69 PID 3104 wrote to memory of 3564 3104 57620fe23fe46b9b50f5ec40bdc6b8fa.exe 69 PID 3104 wrote to memory of 3564 3104 57620fe23fe46b9b50f5ec40bdc6b8fa.exe 69 PID 2416 wrote to memory of 3104 2416 WerFault.exe 52 PID 2416 wrote to memory of 3104 2416 WerFault.exe 52 PID 3564 wrote to memory of 3880 3564 cmd.exe 73 PID 3564 wrote to memory of 3880 3564 cmd.exe 73 PID 3564 wrote to memory of 3880 3564 cmd.exe 73
Processes
-
C:\Users\Admin\AppData\Local\Temp\57620fe23fe46b9b50f5ec40bdc6b8fa.exe"C:\Users\Admin\AppData\Local\Temp\57620fe23fe46b9b50f5ec40bdc6b8fa.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 7362⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 7842⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:1068
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 7922⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2696
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 7122⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2940
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 7122⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2292
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 8962⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:3752
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "57620fe23fe46b9b50f5ec40bdc6b8fa.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\57620fe23fe46b9b50f5ec40bdc6b8fa.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Windows\SysWOW64\taskkill.exetaskkill /im "57620fe23fe46b9b50f5ec40bdc6b8fa.exe" /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3880
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 11162⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2884
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3104 -ip 31041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2932
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3104 -ip 31041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:632
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3104 -ip 31041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1720
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3104 -ip 31041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3624
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1800
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3104 -ip 31041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1776
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3104 -ip 31041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3860
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 3104 -ip 31041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2416