Analysis
- max time kernel: 120s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 18-04-2022 12:02
Static task: static1
Behavioral task: behavioral1
- Sample: 1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe
- Resource: win10v2004-20220414-en
General
- Target: 1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe
- Size: 510KB
- MD5: 22d86f1d536b0ecebb81a257039b7436
- SHA1: 2d2226fef39f76f11f5ebe818675bd06306a0865
- SHA256: 1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43
- SHA512: 87ffcf381813b3202d141202ebf942a2f0ce4248f3080f8065ca66061d6ce60e97d28b67d4ebd12cd1f66e58ce7e74d22f1d2fe484bc93314a2bf1c3b9bfa4e9
Malware Config
Signatures
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
- OnlyLogger Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/4704-131-0x00000000040A0000-0x00000000040E6000-memory.dmp | family_onlylogger
  behavioral2/memory/4704-132-0x0000000000400000-0x000000000233B000-memory.dmp | family_onlylogger
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (8 IoCs)
  pid | pid_target | Process | procid_target
  3740 | 4704 | WerFault.exe | 82
  4100 | 4704 | WerFault.exe | 82
  3968 | 4704 | WerFault.exe | 82
  2276 | 4704 | WerFault.exe | 82
  4356 | 4704 | WerFault.exe | 82
  680 | 4704 | WerFault.exe | 82
  1608 | 4704 | WerFault.exe | 82
  4240 | 4704 | WerFault.exe | 82
- Kills process with taskkill (1 IoC)
  pid | Process
  4152 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4152 | taskkill.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4704 wrote to memory of 1512 | 4704 | 1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe | 97
  PID 4704 wrote to memory of 1512 | 4704 | 1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe | 97
  PID 4704 wrote to memory of 1512 | 4704 | 1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe | 97
  PID 1512 wrote to memory of 4152 | 1512 | cmd.exe | 101
  PID 1512 wrote to memory of 4152 | 1512 | cmd.exe | 101
  PID 1512 wrote to memory of 4152 | 1512 | cmd.exe | 101
Processes
- C:\Users\Admin\AppData\Local\Temp\1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe (PID 4704)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (PID 3740)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 612
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 4100)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 632
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 3968)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 744
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 2276)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 780
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 4356)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 524
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 680)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1088
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 1608)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1212
    Signatures: Program crash
  - C:\Windows\SysWOW64\cmd.exe (PID 1512)
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe" & exit
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 4152)
      Command line: taskkill /im "1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe" /f
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 4240)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1264
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4692)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4704 -ip 4704
- C:\Windows\SysWOW64\WerFault.exe (PID 2032)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4704 -ip 4704
- C:\Windows\SysWOW64\WerFault.exe (PID 3400)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4704 -ip 4704
- C:\Windows\SysWOW64\WerFault.exe (PID 4668)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4704 -ip 4704
- C:\Windows\SysWOW64\WerFault.exe (PID 4508)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4704 -ip 4704
- C:\Windows\SysWOW64\WerFault.exe (PID 4552)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4704 -ip 4704
- C:\Windows\SysWOW64\WerFault.exe (PID 4092)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4704 -ip 4704
- C:\Windows\SysWOW64\WerFault.exe (PID 2616)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4704 -ip 4704