Analysis
max time kernel: 41s
max time network: 44s
platform: windows7_x64
resource: win7-20220414-en
submitted: 18-04-2022 16:14
Static task: static1
Behavioral task: behavioral1
  Sample: ee5b6ae8714a10c59d415b59114d1c6901a9dfc60f0b1111eabd49a6ca0b5d69.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: ee5b6ae8714a10c59d415b59114d1c6901a9dfc60f0b1111eabd49a6ca0b5d69.exe
  Resource: win10v2004-20220414-en
General
Target: ee5b6ae8714a10c59d415b59114d1c6901a9dfc60f0b1111eabd49a6ca0b5d69.exe
Size: 350KB
MD5: ec20f59c643f79deb7283f412064de0c
SHA1: 63c6c812dcaabb37af21221543a6a67e828233d1
SHA256: ee5b6ae8714a10c59d415b59114d1c6901a9dfc60f0b1111eabd49a6ca0b5d69
SHA512: 1c4d907c6159c5eb9e962d3ea49aad7efaaf9657c9c400da547ef1cc244fe4a1ee6eb55112552b8cc3b5cabd35bc6234c469991276a0bc064a632a5721cd4dec
Malware Config
Signatures

OnlyLogger
A tiny loader that uses IPLogger to get its payload.

OnlyLogger Payload (2 IoCs)
resource | yara_rule
behavioral1/memory/324-57-0x00000000002C0000-0x0000000000306000-memory.dmp | family_onlylogger
behavioral1/memory/324-58-0x0000000000400000-0x0000000000C31000-memory.dmp | family_onlylogger

Deletes itself (1 IoCs)
pid | Process
1940 | cmd.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (1 IoCs)
pid | Process
2000 | taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2000 | taskkill.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 324 wrote to memory of 1940 | 324 | ee5b6ae8714a10c59d415b59114d1c6901a9dfc60f0b1111eabd49a6ca0b5d69.exe | 28
PID 324 wrote to memory of 1940 | 324 | ee5b6ae8714a10c59d415b59114d1c6901a9dfc60f0b1111eabd49a6ca0b5d69.exe | 28
PID 324 wrote to memory of 1940 | 324 | ee5b6ae8714a10c59d415b59114d1c6901a9dfc60f0b1111eabd49a6ca0b5d69.exe | 28
PID 324 wrote to memory of 1940 | 324 | ee5b6ae8714a10c59d415b59114d1c6901a9dfc60f0b1111eabd49a6ca0b5d69.exe | 28
PID 1940 wrote to memory of 2000 | 1940 | cmd.exe | 30
PID 1940 wrote to memory of 2000 | 1940 | cmd.exe | 30
PID 1940 wrote to memory of 2000 | 1940 | cmd.exe | 30
PID 1940 wrote to memory of 2000 | 1940 | cmd.exe | 30
Processes

1. C:\Users\Admin\AppData\Local\Temp\ee5b6ae8714a10c59d415b59114d1c6901a9dfc60f0b1111eabd49a6ca0b5d69.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ee5b6ae8714a10c59d415b59114d1c6901a9dfc60f0b1111eabd49a6ca0b5d69.exe"
   - Suspicious use of WriteProcessMemory
   PID: 324

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "ee5b6ae8714a10c59d415b59114d1c6901a9dfc60f0b1111eabd49a6ca0b5d69.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ee5b6ae8714a10c59d415b59114d1c6901a9dfc60f0b1111eabd49a6ca0b5d69.exe" & exit
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1940

      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im "ee5b6ae8714a10c59d415b59114d1c6901a9dfc60f0b1111eabd49a6ca0b5d69.exe" /f
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
         PID: 2000