Analysis
max time kernel: 43s
max time network: 48s
platform: windows7_x64
resource: win7-20220414-en
submitted: 18-04-2022 12:01
Static task: static1
Behavioral task: behavioral1
  Sample: 54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe
  Resource: win10v2004-20220414-en
General
Target: 54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe
Size: 292KB
MD5: 7d4a0e70554fc22ab0c7d004fc975fb7
SHA1: 1aafaf24b7fdf3b9eb4c775c3ddae543f2969fc1
SHA256: 54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6
SHA512: 2333fed33be25a870ce04090260ad880fcde3778820ae77045fbe805adf4c9aef820af5820e05e696352e14005ec5af689f82a1c5a7e6de156a9f15ab5be2ece
Malware Config
Signatures
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
- OnlyLogger Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/1800-57-0x0000000001C50000-0x0000000001C96000-memory.dmp | family_onlylogger
  behavioral1/memory/1800-58-0x0000000000400000-0x0000000000503000-memory.dmp | family_onlylogger
- Deletes itself (1 IoC)
  pid | Process
  1508 | cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  pid | Process
  1428 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 1428 | taskkill.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1800 wrote to memory of 1508 | 1800 | 54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe | 27
  PID 1800 wrote to memory of 1508 | 1800 | 54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe | 27
  PID 1800 wrote to memory of 1508 | 1800 | 54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe | 27
  PID 1800 wrote to memory of 1508 | 1800 | 54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe | 27
  PID 1508 wrote to memory of 1428 | 1508 | cmd.exe | 29
  PID 1508 wrote to memory of 1428 | 1508 | cmd.exe | 29
  PID 1508 wrote to memory of 1428 | 1508 | cmd.exe | 29
  PID 1508 wrote to memory of 1428 | 1508 | cmd.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe"
  PID: 1800
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe" & exit
    PID: 1508
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: taskkill /im "54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe" /f
      PID: 1428
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken