Analysis
max time kernel:   95s
max time network:  127s
platform:          windows10-2004_x64
resource:          win10v2004-20220414-en
submitted:         18-04-2022 12:01
Static task:      static1
Behavioral task:  behavioral1
  Sample:    4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe
  Resource:  win7-20220414-en
Behavioral task:  behavioral2
  Sample:    4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe
  Resource:  win10v2004-20220414-en
General
Target:  4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe
Size:    324KB
MD5:     e69a4717327c0b353aa37aeb7bc141c4
SHA1:    8720f0de7a1df2d56f7fc9742905a04655b41888
SHA256:  4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0
SHA512:  8c3767c40a3c49efa9c46c725ffce000835de2abee053925c063d54025da4f7fb3a7ac168c0a668320b04d41697f887522b45a4d24e3743c98d1594fecf7bb48
Malware Config
Signatures
OnlyLogger
  A tiny loader that uses IPLogger to get its payload.

OnlyLogger Payload (2 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/764-131-0x00000000011E0000-0x0000000001226000-memory.dmp    family_onlylogger
  behavioral2/memory/764-132-0x0000000000400000-0x0000000000C2B000-memory.dmp    family_onlylogger

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description         ioc                                                                                                   Process
  Key value queried   \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation   4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Common in ransomware but not specific to it; this sample is classified above as a loader, and the report records no IoC for the behaviour.

Program crash (8 IoCs)
  pid    pid_target   Process        procid_target
  2736   764          WerFault.exe   82
  4320   764          WerFault.exe   82
  2584   764          WerFault.exe   82
  1012   764          WerFault.exe   82
  5040   764          WerFault.exe   82
  1272   764          WerFault.exe   82
  4452   764          WerFault.exe   82
  2256   764          WerFault.exe   82

Kills process with taskkill (1 IoC)
  pid    Process
  1984   taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid    Process
  Token: SeDebugPrivilege   1984   taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Each target is the writer's own freshly created child (see the process tree below), so these are the parent-to-child writes that accompany process creation, not injection into an unrelated process.
  description                        pid   Process                                                                  procid_target
  PID 764 wrote to memory of 640     764   4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe   97
  PID 764 wrote to memory of 640     764   4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe   97
  PID 764 wrote to memory of 640     764   4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe   97
  PID 640 wrote to memory of 1984    640   cmd.exe                                                                  101
  PID 640 wrote to memory of 1984    640   cmd.exe                                                                  101
  PID 640 wrote to memory of 1984    640   cmd.exe                                                                  101
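The two memory-dump names under OnlyLogger Payload encode the PID and address range of the dumped region. The parser below is added here as an example; it is not part of the Triage report or of any OnlyLogger tooling. It assumes the name layout <pid>-<index>-0x<start>-0x<end>-memory.dmp (inferred from the two entries above), takes 0x400000 as the default 32-bit PE image base (an assumption about this sample's ImageBase), and uses the 324KB size from the General section to see how much larger the in-memory image is than the file on disk.

```python
"""Parse the memory-dump resource names that Triage attaches to the
"OnlyLogger Payload" YARA hits and relate each region to the on-disk size.

Added example, not part of the sandbox report. The name layout
<pid>-<index>-0x<start>-0x<end>-memory.dmp is inferred from the two
names on this page; 0x400000 as the default 32-bit PE image base and the
324KB on-disk size are the only other inputs.
"""
import re
from typing import NamedTuple

DUMP_NAME = re.compile(
    r"^(?:.*/)?(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
DEFAULT_IMAGE_BASE_X86 = 0x400000   # default ImageBase for 32-bit PE executables (assumption)
SAMPLE_SIZE_ON_DISK = 324 * 1024     # "Size 324KB" from the report header


class Region(NamedTuple):
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Region:
    """Turn 'behavioral2/memory/764-131-0x...-0x...-memory.dmp' into a Region."""
    m = DUMP_NAME.match(name)
    if m is None:
        raise ValueError(f"not a Triage memory-dump name: {name!r}")
    return Region(int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16))


def describe(region: Region, disk_size: int = SAMPLE_SIZE_ON_DISK) -> dict:
    """Summarise a region: its size, whether it sits at the default image base
    (the loaded executable itself rather than a separate allocation), and how
    much larger than the file on disk it is. The ratio only means something
    for the image region: a mapped image far larger than its file has
    sections whose VirtualSize exceeds their raw size, i.e. room a packer
    fills at runtime."""
    return {
        "pid": region.pid,
        "index": region.index,
        "size": region.size,
        "at_default_image_base": region.start == DEFAULT_IMAGE_BASE_X86,
        "expansion_ratio": round(region.size / disk_size, 1),
    }


# The two resource names exactly as listed under "OnlyLogger Payload".
REPORT_DUMPS = [
    "behavioral2/memory/764-131-0x00000000011E0000-0x0000000001226000-memory.dmp",
    "behavioral2/memory/764-132-0x0000000000400000-0x0000000000C2B000-memory.dmp",
]


def summarise_report_dumps(names=REPORT_DUMPS) -> list:
    return [describe(parse_dump_name(n)) for n in names]


if __name__ == "__main__":
    for d in summarise_report_dumps():
        print(d)
```

The 0x400000-0xC2B000 region is the loaded executable itself and is roughly 26 times the 324KB file, which is why the family rule fires against the dump rather than the file. The 0x11E0000 region is a separate allocation outside the image; the report only says that it also matches family_onlylogger, not what it holds.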
Processes
PID  image path / command line (indented entries are children of the entry above)

PID 764   C:\Users\Admin\AppData\Local\Temp\4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe
          "C:\Users\Admin\AppData\Local\Temp\4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe"
          - Checks computer location settings
          - Suspicious use of WriteProcessMemory
  PID 2736  C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 624
            - Program crash
  PID 4320  C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 648
            - Program crash
  PID 2584  C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 500
            - Program crash
  PID 1012  C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 624
            - Program crash
  PID 5040  C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1084
            - Program crash
  PID 1272  C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1084
            - Program crash
  PID 4452  C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1228
            - Program crash
  PID 640   C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c taskkill /im "4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe" & exit
            - Suspicious use of WriteProcessMemory
    PID 1984  C:\Windows\SysWOW64\taskkill.exe
              taskkill /im "4d54ceb5fc9968c6366e9438aaf6b8ca6da592dd60c28f7a028a4322ae7647a0.exe" /f
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
  PID 2256  C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1388
            - Program crash

PID 3008  C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 764 -ip 764
PID 1468  C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 764 -ip 764
PID 4396  C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 764 -ip 764
PID 3356  C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 764 -ip 764
PID 1680  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 764 -ip 764
PID 4676  C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 764 -ip 764
PID 3772  C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 764 -ip 764
PID 4048  C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 764 -ip 764