Analysis

max time kernel: 36s
max time network: 44s
platform: windows7_x64
resource: win7-20220414-en
submitted: 18-04-2022 12:01

Static task: static1

Behavioral task: behavioral1
  Sample: 4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe
  Resource: win10v2004-20220414-en

General

Target: 4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe
Size: 324KB
MD5: e69a4717327c0b353aa37aeb7bc141c4
SHA1: 8720f0de7a1df2d56f7fc9742905a04655b41888
SHA256: 4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0
SHA512: 8c3767c40a3c49efa9c46c725ffce000835de2abee053925c063d54025da4f7fb3a7ac168c0a668320b04d41697f887522b45a4d24e3743c98d1594fecf7bb48
Malware Config
(empty: no configuration was extracted in this run)

Signatures

OnlyLogger
  A tiny loader that uses IPLogger to get its payload.

OnlyLogger Payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1532-56-0x00000000002E0000-0x0000000000326000-memory.dmp  family_onlylogger
  behavioral1/memory/1532-57-0x0000000000400000-0x0000000000C2B000-memory.dmp  family_onlylogger
  Both matches come from memory dumped out of PID 1532, the submitted sample itself; no other process carried the payload. The second region starts at 0x400000, the default image base of a 32-bit executable, and spans 0x82B000 bytes, far more than the 324KB file on disk, which is consistent with an image that inflates or unpacks in place. The smaller 0x2E0000-0x326000 region lies below the image base and is a separate allocation, so the family rule is hitting both the mapped image and a private buffer.

Deletes itself (1 IoC)
  pid  Process
  552  cmd.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but it is a generic heuristic: nothing else in this run (no file encryption, no ransom note) supports a ransomware classification, and the YARA hits identify the sample as the OnlyLogger loader.

Kills process with taskkill (1 IoC)
  pid  Process
  948  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid  Process
  Token: SeDebugPrivilege  948  taskkill.exe
  taskkill /f enables SeDebugPrivilege itself in order to terminate its target, so this hit is a by-product of the kill command rather than a separate capability of the sample.

Suspicious use of WriteProcessMemory (8 IoCs)
  description                      pid   Process                                                               procid_target  calls
  PID 1532 wrote to memory of 552  1532  4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe  27             4
  PID 552 wrote to memory of 948   552   cmd.exe                                                               29             4
  Each write goes from a parent into the child it has just created, which is how CreateProcess sets up a new process's address space; these entries are not evidence of injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe  (PID 1532)
  "C:\Users\Admin\AppData\Local\Temp\4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe"
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\cmd.exe  (PID 552)
       "C:\Windows\System32\cmd.exe" /c taskkill /im "4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe" & exit
       - Deletes itself
       - Suspicious use of WriteProcessMemory
       └─ C:\Windows\SysWOW64\taskkill.exe  (PID 948)
            taskkill /im "4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe" /f
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

Two things are worth reading off this tree. First, the command line names C:\Windows\System32\cmd.exe but the image that actually ran is C:\Windows\SysWOW64\cmd.exe (and likewise for taskkill.exe): file-system redirection rewrote the path, which means the sample is a 32-bit process on this 64-bit VM. Second, the chain is a textbook self-delete: the loader hands cmd.exe a one-liner that force-kills the parent by image name and only then erases the file, because the erase would fail while the running executable still holds its own image open. The useful hunting pattern is therefore a cmd.exe whose command line contains its parent's image name after taskkill /im and the parent's full path after erase or del; and because the file is gone from Temp by the end of the run, in an incident the original binary has to be recovered from the delivery channel, backups or endpoint quarantine rather than from disk.
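The two checks below are an added example and are not part of the sandbox report or of the sandbox vendor's tooling. detect_self_delete() scans process-creation events for the cmd.exe "taskkill /im <parent> /f & erase <parent>" chain shown in the process tree above; the events are constructed here to mirror that tree, and the field names (ProcessId, ParentProcessId, Image, CommandLine) are an assumption borrowed from Sysmon Event ID 1, so adapt them to whatever telemetry you actually have. parse_memory_dump() decodes the memory-dump resource names from the YARA hits into PID, dump index and address range so the regions can be sized and compared against the on-disk file.

```python
"""Triage helpers for the self-delete chain and the memory-dump resource
names seen in the report above. Added example; event data is constructed."""
import re
from dataclasses import dataclass
from ntpath import basename  # Windows path semantics regardless of host OS

SAMPLE = "4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE

# Constructed process-creation events mirroring the report's process tree,
# plus a benign control (explorer -> cmd deleting an unrelated file).
# Field names are an assumption modelled on Sysmon Event ID 1.
EVENTS = [
    {"ProcessId": 1532, "ParentProcessId": 1000, "Image": SAMPLE_PATH,
     "CommandLine": f'"{SAMPLE_PATH}"'},
    {"ProcessId": 552, "ParentProcessId": 1532,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c taskkill /im "{SAMPLE}" /f'
                    f' & erase "{SAMPLE_PATH}" & exit'},
    {"ProcessId": 948, "ParentProcessId": 552,
     "Image": r"C:\Windows\SysWOW64\taskkill.exe",
     "CommandLine": f'taskkill /im "{SAMPLE}" /f'},
    {"ProcessId": 1800, "ParentProcessId": 600,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 2000, "ParentProcessId": 1800,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c del "C:\Temp\old.log"'},
]

DELETE_VERBS = ("erase", "del")


def detect_self_delete(events):
    """Return (parent_pid, cmd_pid) for every cmd.exe child whose command line
    both taskkills its parent by image name and deletes the parent's file."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["Image"]).lower() != "cmd.exe":
            continue
        parent = by_pid.get(e["ParentProcessId"])
        if parent is None:  # parent not in the window we were given
            continue
        cl = e["CommandLine"].lower()
        pname = re.escape(basename(parent["Image"]).lower())
        ppath = re.escape(parent["Image"].lower())
        kills_parent = re.search(r"taskkill\b.*/im\s+\"?" + pname, cl) is not None
        deletes_parent = any(
            re.search(r"\b" + verb + r"\s+\"?" + ppath, cl) for verb in DELETE_VERBS)
        if kills_parent and deletes_parent:
            hits.append((parent["ProcessId"], e["ProcessId"]))
    return hits


# Resource naming as it appears in the YARA hit table: <task>/memory/<pid>-<idx>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class MemoryDump:
    task: str
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_memory_dump(resource: str) -> MemoryDump:
    """Decode one memory-dump resource name into its components."""
    m = DUMP_RE.match(resource)
    if not m:
        raise ValueError(f"not a memory dump resource: {resource}")
    return MemoryDump(m["task"], int(m["pid"]), int(m["idx"]),
                      int(m["start"], 16), int(m["end"], 16))


YARA_HITS = [
    "behavioral1/memory/1532-56-0x00000000002E0000-0x0000000000326000-memory.dmp",
    "behavioral1/memory/1532-57-0x0000000000400000-0x0000000000C2B000-memory.dmp",
]

if __name__ == "__main__":
    print("self-delete chains (parent, cmd):", detect_self_delete(EVENTS))
    for r in YARA_HITS:
        d = parse_memory_dump(r)
        print(f"pid {d.pid} dump {d.index}: 0x{d.start:X}-0x{d.end:X} ({d.size} bytes)")
```

The detector keys on the parent relationship rather than on the literal sample name, so it also fires on other loaders that use the same cmd.exe cleanup with a different filename; the control event shows that an ordinary cmd /c del of an unrelated file does not match.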