Analysis

max time kernel:   136s
max time network:  158s
platform:          windows10-2004_x64
resource:          win10v2004-20220414-en
submitted:         18-04-2022 12:01
Static task:      static1
Behavioral task:  behavioral1
  Sample:         54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe
  Resource:       win7-20220414-en
Behavioral task:  behavioral2
  Sample:         54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe
  Resource:       win10v2004-20220414-en
General

Target:  54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe
Size:    292KB
MD5:     7d4a0e70554fc22ab0c7d004fc975fb7
SHA1:    1aafaf24b7fdf3b9eb4c775c3ddae543f2969fc1
SHA256:  54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6
SHA512:  2333fed33be25a870ce04090260ad880fcde3778820ae77045fbe805adf4c9aef820af5820e05e696352e14005ec5af689f82a1c5a7e6de156a9f15ab5be2ece
Malware Config

Signatures

OnlyLogger
A tiny loader that uses IPLogger to get its payload.

OnlyLogger Payload (2 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/1604-132-0x0000000002240000-0x0000000002286000-memory.dmp  family_onlylogger
  behavioral2/memory/1604-133-0x0000000000400000-0x0000000000503000-memory.dmp  family_onlylogger
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                     Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (8 IoCs)
  pid   pid_target  Process       procid_target
  3572  1604        WerFault.exe  80
  828   1604        WerFault.exe  80
  1940  1604        WerFault.exe  80
  2916  1604        WerFault.exe  80
  4512  1604        WerFault.exe  80
  4916  1604        WerFault.exe  80
  2140  1604        WerFault.exe  80
  4756  1604        WerFault.exe  80

Kills process with taskkill (1 IoCs)
  pid   Process
  1104  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1104  taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 1604 wrote to memory of 4988  1604  54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe  98
  PID 1604 wrote to memory of 4988  1604  54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe  98
  PID 1604 wrote to memory of 4988  1604  54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe  98
  PID 4988 wrote to memory of 1104  4988  cmd.exe                                                                 102
  PID 4988 wrote to memory of 1104  4988  cmd.exe                                                                 102
  PID 4988 wrote to memory of 1104  4988  cmd.exe                                                                 102
Processes

C:\Users\Admin\AppData\Local\Temp\54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe"
  PID: 1604
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 612
      PID: 3572
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 632
      PID: 828
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 640
      PID: 1940
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 640
      PID: 2916
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 640
      PID: 4512
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 1200
      PID: 4916
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 1236
      PID: 2140
      - Program crash

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe" & exit
      PID: 4988
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /im "54b2f3e0e38d8a80023968c1fd48cab4907bb786ec91508df9872ef09813a3f6.exe" /f
          PID: 1104
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 1284
      PID: 4756
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1604 -ip 1604
  PID: 3312

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1604 -ip 1604
  PID: 1380

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1604 -ip 1604
  PID: 4468

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1604 -ip 1604
  PID: 1456

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1604 -ip 1604
  PID: 4496

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1604 -ip 1604
  PID: 4572

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1604 -ip 1604
  PID: 4896

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1604 -ip 1604
  PID: 3156