Analysis
- max time kernel: 55s
- max time network: 55s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 18-04-2022 08:49
Static task: static1
Behavioral task: behavioral1
  Sample: f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe
  Resource: win10v2004-20220414-en
General
- Target: f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe
- Size: 350KB
- MD5: 1a349cd091b56f028fd227b08430caa4
- SHA1: 80086e37b32214c0d7449174bf9f9aa9b671acf4
- SHA256: f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f
- SHA512: 8618a45645c52e5a628a262e880d04ab59f84e34462c6a9eff25dac89572d8e4fdd0642070398693f1f90ad640a1a19560e3821f03a0ccfb324410703cf187b8
Malware Config
Signatures
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
- OnlyLogger Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/972-57-0x0000000002390000-0x00000000023D6000-memory.dmp | family_onlylogger
  behavioral1/memory/972-58-0x0000000000400000-0x0000000000C31000-memory.dmp | family_onlylogger
- Deletes itself (1 IoC)
  pid | Process
  2016 | cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  pid | Process
  1960 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 1960 | taskkill.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 972 wrote to memory of 2016 | 972 | f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe | 28
  PID 972 wrote to memory of 2016 | 972 | f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe | 28
  PID 972 wrote to memory of 2016 | 972 | f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe | 28
  PID 972 wrote to memory of 2016 | 972 | f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe | 28
  PID 2016 wrote to memory of 1960 | 2016 | cmd.exe | 30
  PID 2016 wrote to memory of 1960 | 2016 | cmd.exe | 30
  PID 2016 wrote to memory of 1960 | 2016 | cmd.exe | 30
  PID 2016 wrote to memory of 1960 | 2016 | cmd.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe"
  PID: 972
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe" & exit
    PID: 2016
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im "f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe" /f
      PID: 1960
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken