Analysis
  max time kernel:  141s
  max time network: 184s
  platform:         windows10-2004_x64
  resource:         win10v2004-20220414-en
  submitted:        18-04-2022 12:01
Static task: static1

Behavioral task: behavioral1
  Sample:   ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample:   ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe
  Resource: win10v2004-20220414-en
General
  Target: ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe
  Size:   223KB
  MD5:    7b32bb2dbdd7e8a295e19931a5702bec
  SHA1:   4ca5b8fdd61a428e1fc5bda029059ff1b08496fb
  SHA256: ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc
  SHA512: 316c9d8b4351ea64e58404e25f62b5830e19bac9b51e0ec79188b8e95656cac40baf89ba6cc5619804178ae72dfd2888acdfb980c1b61f76f8f5a8406a289bc3
Malware Config
  (none extracted)

Signatures

OnlyLogger
  A tiny loader that uses IPLogger to get its payload.

OnlyLogger Payload (2 IoCs)
  resource                                                                    | yara_rule
  behavioral2/memory/1848-132-0x0000000000790000-0x00000000007D6000-memory.dmp | family_onlylogger
  behavioral2/memory/1848-133-0x0000000000400000-0x00000000004F2000-memory.dmp | family_onlylogger

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                    | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
  pid  | pid_target | Process      | procid_target
  4000 | 1848       | WerFault.exe | 78

Kills process with taskkill (1 IoCs)
  pid  | Process
  2260 | taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              | pid  | Process
  Token: SeDebugPrivilege  | 2260 | taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                      | pid  | Process                                                              | procid_target
  PID 1848 wrote to memory of 2316 | 1848 | ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe | 79
  PID 1848 wrote to memory of 2316 | 1848 | ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe | 79
  PID 1848 wrote to memory of 2316 | 1848 | ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe | 79
  PID 2316 wrote to memory of 2260 | 2316 | cmd.exe                                                              | 82
  PID 2316 wrote to memory of 2260 | 2316 | cmd.exe                                                              | 82
  PID 2316 wrote to memory of 2260 | 2316 | cmd.exe                                                              | 82
Processes (process tree; depth shown by indentation)

1. C:\Users\Admin\AppData\Local\Temp\ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe"
   PID: 1848
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe" & exit
      PID: 2316
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im "ed146e8700b27adc2c671bd750314efb3df1dc5e7b6411096c525068f97819dc.exe" /f
         PID: 2260
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1264
      PID: 4000
      - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1848 -ip 1848
   PID: 3184