Analysis
Max time kernel: 35s
Max time network: 39s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 18-04-2022 16:17
Static task: static1
Behavioral task: behavioral1
  Sample: a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe
  Resource: win10v2004-20220414-en
General
Target: a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe
Size: 350KB
MD5: 6559ad197f16d83cf36f61f415b4c72b
SHA1: 9469bbd33c6109d88f5d2aabc26e70dbb3c77735
SHA256: a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033
SHA512: 5e57fd30a452ce7025458f6bbfe43245a7e3c77eaa980ad48097c56c296cb65d77224f730cd69837b0291c7f7acfd794d60314655f4f90c77324619e2cd51a80
Malware Config
Signatures
OnlyLogger
A tiny loader that uses IPLogger to get its payload.

OnlyLogger Payload (2 IoCs)
resource | yara_rule
behavioral1/memory/1620-56-0x0000000000230000-0x0000000000276000-memory.dmp | family_onlylogger
behavioral1/memory/1620-57-0x0000000000400000-0x0000000000C31000-memory.dmp | family_onlylogger
Deletes itself (1 IoCs)
pid | Process
1384 | cmd.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (1 IoCs)
pid | Process
1300 | taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1300 | taskkill.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1620 wrote to memory of 1384 | 1620 | a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe | 26
PID 1620 wrote to memory of 1384 | 1620 | a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe | 26
PID 1620 wrote to memory of 1384 | 1620 | a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe | 26
PID 1620 wrote to memory of 1384 | 1620 | a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe | 26
PID 1384 wrote to memory of 1300 | 1384 | cmd.exe | 28
PID 1384 wrote to memory of 1300 | 1384 | cmd.exe | 28
PID 1384 wrote to memory of 1300 | 1384 | cmd.exe | 28
PID 1384 wrote to memory of 1300 | 1384 | cmd.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe"
   PID: 1620
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe" & exit
      PID: 1384
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im "a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe" /f
         PID: 1300
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken