Analysis
max time kernel: 72s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 18-04-2022 08:49
Static task: static1
Behavioral task: behavioral1
  Sample: f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe
  Resource: win10v2004-20220414-en
General
Target: f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe
Size: 350KB
MD5: 1a349cd091b56f028fd227b08430caa4
SHA1: 80086e37b32214c0d7449174bf9f9aa9b671acf4
SHA256: f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f
SHA512: 8618a45645c52e5a628a262e880d04ab59f84e34462c6a9eff25dac89572d8e4fdd0642070398693f1f90ad640a1a19560e3821f03a0ccfb324410703cf187b8
Malware Config
Signatures
OnlyLogger
A tiny loader that uses IPLogger to get its payload.

OnlyLogger Payload (2 IoCs)
resource                                                                      yara_rule
behavioral2/memory/1320-132-0x0000000002970000-0x00000000029B6000-memory.dmp  family_onlylogger
behavioral2/memory/1320-133-0x0000000000400000-0x0000000000C31000-memory.dmp  family_onlylogger

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                   Process
Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (10 IoCs)
pid   pid_target  Process       procid_target
3392  1320        WerFault.exe  79
4812  1320        WerFault.exe  79
1656  1320        WerFault.exe  79
4512  1320        WerFault.exe  79
4928  1320        WerFault.exe  79
2396  1320        WerFault.exe  79
5036  1320        WerFault.exe  79
1760  1320        WerFault.exe  79
4284  1320        WerFault.exe  79
3836  1320        WerFault.exe  79

Kills process with taskkill (1 IoC)
pid   Process
1324  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description             pid   Process
Token: SeDebugPrivilege  1324  taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                         pid   Process                                                                 procid_target
PID 1320 wrote to memory of 1352    1320  f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe  96
PID 1320 wrote to memory of 1352    1320  f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe  96
PID 1320 wrote to memory of 1352    1320  f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe  96
PID 1352 wrote to memory of 1324    1352  cmd.exe                                                                 100
PID 1352 wrote to memory of 1324    1352  cmd.exe                                                                 100
PID 1352 wrote to memory of 1324    1352  cmd.exe                                                                 100
Processes
(indentation shows the process tree depth; each entry lists image path, command line, triggered signatures and PID)

C:\Users\Admin\AppData\Local\Temp\f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 1320

    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 624
      - Program crash
      PID: 3392

    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 660
      - Program crash
      PID: 4812

    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 716
      - Program crash
      PID: 1656

    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 724
      - Program crash
      PID: 4512

    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 840
      - Program crash
      PID: 4928

    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 1068
      - Program crash
      PID: 2396

    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 1244
      - Program crash
      PID: 5036

    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im "f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe" & exit
      - Suspicious use of WriteProcessMemory
      PID: 1352

        C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /im "f17be56f3ffcbff5456246f92dbfcbc6251aaae4890580260a877f4ef98ae85f.exe" /f
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 1324

    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 1080
      - Program crash
      PID: 1760

    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 1096
      - Program crash
      PID: 4284

    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 1388
      - Program crash
      PID: 3836

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 1320 -ip 1320
  PID: 2004

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1320 -ip 1320
  PID: 2272

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1320 -ip 1320
  PID: 3440

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1320 -ip 1320
  PID: 516

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1320 -ip 1320
  PID: 4912

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1320 -ip 1320
  PID: 2064

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1320 -ip 1320
  PID: 3200

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1320 -ip 1320
  PID: 2140

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1320 -ip 1320
  PID: 888

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1320 -ip 1320
  PID: 4632