Analysis
max time kernel: 111s
max time network: 116s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 18-04-2022 16:17
Static task: static1
Behavioral task: behavioral1
  Sample: a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe
  Resource: win10v2004-20220414-en
General
Target: a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe
Size: 350KB
MD5: 6559ad197f16d83cf36f61f415b4c72b
SHA1: 9469bbd33c6109d88f5d2aabc26e70dbb3c77735
SHA256: a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033
SHA512: 5e57fd30a452ce7025458f6bbfe43245a7e3c77eaa980ad48097c56c296cb65d77224f730cd69837b0291c7f7acfd794d60314655f4f90c77324619e2cd51a80
Malware Config
Signatures

OnlyLogger
A tiny loader that uses IPLogger to get its payload.

OnlyLogger Payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4868-131-0x0000000002980000-0x00000000029C6000-memory.dmp  family_onlylogger
  behavioral2/memory/4868-132-0x0000000000400000-0x0000000000C31000-memory.dmp  family_onlylogger

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
  Process: a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (8 IoCs)
  pid   pid_target  Process       procid_target
  208   4868        WerFault.exe  83
  5020  4868        WerFault.exe  83
  4940  4868        WerFault.exe  83
  4768  4868        WerFault.exe  83
  4168  4868        WerFault.exe  83
  4924  4868        WerFault.exe  83
  2672  4868        WerFault.exe  83
  1200  4868        WerFault.exe  83

Kills process with taskkill (1 IoC)
  pid   Process
  1484  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  1484  taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                                               procid_target
  PID 4868 wrote to memory of 2612  4868  a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe  98
  PID 4868 wrote to memory of 2612  4868  a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe  98
  PID 4868 wrote to memory of 2612  4868  a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe  98
  PID 2612 wrote to memory of 1484  2612  cmd.exe                                                               102
  PID 2612 wrote to memory of 1484  2612  cmd.exe                                                               102
  PID 2612 wrote to memory of 1484  2612  cmd.exe                                                               102
Processes
(indentation shows the parent/child relationship; each entry lists image path, PID, command line and the signatures that fired on it)

C:\Users\Admin\AppData\Local\Temp\a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe  (PID 4868)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe  (PID 208)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 628
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe  (PID 5020)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 648
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe  (PID 4940)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 508
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe  (PID 4768)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 632
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe  (PID 4168)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 876
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe  (PID 4924)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1080
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe  (PID 2672)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1240
      - Program crash

    C:\Windows\SysWOW64\cmd.exe  (PID 2612)
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe" & exit
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe  (PID 1484)
          Command line: taskkill /im "a1c6482b09a88afc310e669271bd2b18214cd462e69394d65375452c77ae9033.exe" /f
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe  (PID 1200)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1376
      - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 1844)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4868 -ip 4868

C:\Windows\SysWOW64\WerFault.exe  (PID 1556)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4868 -ip 4868

C:\Windows\SysWOW64\WerFault.exe  (PID 5048)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4868 -ip 4868

C:\Windows\SysWOW64\WerFault.exe  (PID 3704)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4868 -ip 4868

C:\Windows\SysWOW64\WerFault.exe  (PID 4144)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4868 -ip 4868

C:\Windows\SysWOW64\WerFault.exe  (PID 4908)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4868 -ip 4868

C:\Windows\SysWOW64\WerFault.exe  (PID 1480)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4868 -ip 4868

C:\Windows\SysWOW64\WerFault.exe  (PID 2408)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4868 -ip 4868