Analysis
  max time kernel:  29s
  max time network: 47s
  platform:         windows7_x64
  resource:         win7-20220414-en
  submitted:        18-04-2022 16:17
Static task: static1

Behavioral task: behavioral1
  Sample:   6a17b916e9b803172fcb07e0763b7ff42300648d7a9e604a47bd3dd0d02b85cf.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample:   6a17b916e9b803172fcb07e0763b7ff42300648d7a9e604a47bd3dd0d02b85cf.exe
  Resource: win10v2004-20220310-en
General
  Target: 6a17b916e9b803172fcb07e0763b7ff42300648d7a9e604a47bd3dd0d02b85cf.exe
  Size:   350KB
  MD5:    b7aa434f62f1847eaeb0b701347546f1
  SHA1:   c66226b76614a713dbc1d0cf6f9be60f7ad64a09
  SHA256: 6a17b916e9b803172fcb07e0763b7ff42300648d7a9e604a47bd3dd0d02b85cf
  SHA512: 91f5af0a27fe0da621bea3f0df65df85d2865f4595c0593a2abdd7259b06a5927762e118767ee737fbfdf1f57370b7c450e312e4fb7c694281cb33dd041a76ac
Malware Config
Signatures

OnlyLogger
  A tiny loader that uses IPLogger to get its payload.

OnlyLogger Payload (2 IoCs)
  resource                                                                          | yara_rule
  behavioral1/memory/1212-57-0x00000000002B0000-0x00000000002F6000-memory.dmp       | family_onlylogger
  behavioral1/memory/1212-58-0x0000000000400000-0x0000000000C31000-memory.dmp       | family_onlylogger

Deletes itself (1 IoC)
  pid  | Process
  1528 | cmd.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (1 IoC)
  pid  | Process
  1660 | taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description             | pid  | Process
  Token: SeDebugPrivilege | 1660 | taskkill.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       | pid  | Process                                                               | procid_target
  PID 1212 wrote to memory of 1528  | 1212 | 6a17b916e9b803172fcb07e0763b7ff42300648d7a9e604a47bd3dd0d02b85cf.exe | 28
  PID 1212 wrote to memory of 1528  | 1212 | 6a17b916e9b803172fcb07e0763b7ff42300648d7a9e604a47bd3dd0d02b85cf.exe | 28
  PID 1212 wrote to memory of 1528  | 1212 | 6a17b916e9b803172fcb07e0763b7ff42300648d7a9e604a47bd3dd0d02b85cf.exe | 28
  PID 1212 wrote to memory of 1528  | 1212 | 6a17b916e9b803172fcb07e0763b7ff42300648d7a9e604a47bd3dd0d02b85cf.exe | 28
  PID 1528 wrote to memory of 1660  | 1528 | cmd.exe                                                               | 30
  PID 1528 wrote to memory of 1660  | 1528 | cmd.exe                                                               | 30
  PID 1528 wrote to memory of 1660  | 1528 | cmd.exe                                                               | 30
  PID 1528 wrote to memory of 1660  | 1528 | cmd.exe                                                               | 30
Processes

1. C:\Users\Admin\AppData\Local\Temp\6a17b916e9b803172fcb07e0763b7ff42300648d7a9e604a47bd3dd0d02b85cf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6a17b916e9b803172fcb07e0763b7ff42300648d7a9e604a47bd3dd0d02b85cf.exe"
   PID: 1212
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "6a17b916e9b803172fcb07e0763b7ff42300648d7a9e604a47bd3dd0d02b85cf.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\6a17b916e9b803172fcb07e0763b7ff42300648d7a9e604a47bd3dd0d02b85cf.exe" & exit
      PID: 1528
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im "6a17b916e9b803172fcb07e0763b7ff42300648d7a9e604a47bd3dd0d02b85cf.exe" /f
         PID: 1660
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken