Analysis

  • max time kernel
    95s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    18-04-2022 12:01

General

  • Target

    4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe

  • Size

    324KB

  • MD5

    e69a4717327c0b353aa37aeb7bc141c4

  • SHA1

    8720f0de7a1df2d56f7fc9742905a04655b41888

  • SHA256

    4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0

  • SHA512

    8c3767c40a3c49efa9c46c725ffce000835de2abee053925c063d54025da4f7fb3a7ac168c0a668320b04d41697f887522b45a4d24e3743c98d1594fecf7bb48

Score
10/10

Malware Config

Signatures

  • OnlyLogger

    A tiny loader that uses IPLogger to get its payload.

  • OnlyLogger Payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 8 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe
    "C:\Users\Admin\AppData\Local\Temp\4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:764
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 624
      2⤵
      • Program crash
      PID:2736
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 648
      2⤵
      • Program crash
      PID:4320
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 500
      2⤵
      • Program crash
      PID:2584
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 624
      2⤵
      • Program crash
      PID:1012
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1084
      2⤵
      • Program crash
      PID:5040
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1084
      2⤵
      • Program crash
      PID:1272
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1228
      2⤵
      • Program crash
      PID:4452
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1984
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1388
      2⤵
      • Program crash
      PID:2256
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 764 -ip 764
    1⤵
      PID:3008
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 764 -ip 764
      1⤵
        PID:1468
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 764 -ip 764
        1⤵
          PID:4396
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 764 -ip 764
          1⤵
            PID:3356
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 764 -ip 764
            1⤵
              PID:1680
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 764 -ip 764
              1⤵
                PID:4676
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 764 -ip 764
                1⤵
                  PID:3772
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 764 -ip 764
                  1⤵
                    PID:4048

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/764-130-0x0000000000D3A000-0x0000000000D62000-memory.dmp

                    Filesize

                    160KB

                  • memory/764-131-0x00000000011E0000-0x0000000001226000-memory.dmp

                    Filesize

                    280KB

                  • memory/764-132-0x0000000000400000-0x0000000000C2B000-memory.dmp

                    Filesize

                    8.2MB