Analysis
  max time kernel:  41s
  max time network: 46s
  platform:         windows7_x64
  resource:         win7-20220414-en
  submitted:        18-04-2022 12:01
Static task: static1

Behavioral task: behavioral1
  Sample:   ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample:   ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe
  Resource: win10v2004-20220414-en
General
  Target: ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe
  Size:   223KB
  MD5:    7b32bb2dbdd7e8a295e19931a5702bec
  SHA1:   4ca5b8fdd61a428e1fc5bda029059ff1b08496fb
  SHA256: ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc
  SHA512: 316c9d8b4351ea64e58404e25f62b5830e19bac9b51e0ec79188b8e95656cac40baf89ba6cc5619804178ae72dfd2888acdfb980c1b61f76f8f5a8406a289bc3
Malware Config
Signatures

OnlyLogger
  A tiny loader that uses IPLogger to get its payload.

OnlyLogger Payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1192-57-0x0000000000220000-0x0000000000266000-memory.dmp  family_onlylogger
  behavioral1/memory/1192-58-0x0000000000400000-0x00000000004F2000-memory.dmp  family_onlylogger

Deletes itself (1 IoCs)
  pid   Process
  1652  cmd.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (1 IoCs)
  pid   Process
  1764  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1764  taskkill.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 1192 wrote to memory of 1652  1192  ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe  28
  PID 1192 wrote to memory of 1652  1192  ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe  28
  PID 1192 wrote to memory of 1652  1192  ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe  28
  PID 1192 wrote to memory of 1652  1192  ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe  28
  PID 1652 wrote to memory of 1764  1652  cmd.exe                                                                   30
  PID 1652 wrote to memory of 1764  1652  cmd.exe                                                                   30
  PID 1652 wrote to memory of 1764  1652  cmd.exe                                                                   30
  PID 1652 wrote to memory of 1764  1652  cmd.exe                                                                   30
Processes

1. C:\Users\Admin\AppData\Local\Temp\ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe"
   PID: 1192
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe" & exit
      PID: 1652
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im "ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe" /f
         PID: 1764
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken