Analysis

  • max time kernel
    141s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    18-04-2022 12:01

General

  • Target

    ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe

  • Size

    223KB

  • MD5

    7b32bb2dbdd7e8a295e19931a5702bec

  • SHA1

    4ca5b8fdd61a428e1fc5bda029059ff1b08496fb

  • SHA256

    ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc

  • SHA512

    316c9d8b4351ea64e58404e25f62b5830e19bac9b51e0ec79188b8e95656cac40baf89ba6cc5619804178ae72dfd2888acdfb980c1b61f76f8f5a8406a289bc3

Score
10/10

Malware Config

Signatures

  • OnlyLogger

    A tiny loader that uses IPLogger to get its payload.

  • OnlyLogger Payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe
    "C:\Users\Admin\AppData\Local\Temp\ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2260
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1264
      2⤵
      • Program crash
      PID:4000
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1848 -ip 1848
    1⤵
      PID:3184

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1848-130-0x0000000000838000-0x0000000000860000-memory.dmp

      Filesize

      160KB

    • memory/1848-131-0x0000000000838000-0x0000000000860000-memory.dmp

      Filesize

      160KB

    • memory/1848-132-0x0000000000790000-0x00000000007D6000-memory.dmp

      Filesize

      280KB

    • memory/1848-133-0x0000000000400000-0x00000000004F2000-memory.dmp

      Filesize

      968KB