Analysis
- max time kernel: 62s
- max time network: 60s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 07-05-2022 21:52
Static task: static1
Behavioral task: behavioral1
  Sample: 040935ba44fc55d20289081bd1089cb8221f8f317b9ff1679048f7cd262b331e.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 040935ba44fc55d20289081bd1089cb8221f8f317b9ff1679048f7cd262b331e.exe
  Resource: win10v2004-20220414-en
General
- Target: 040935ba44fc55d20289081bd1089cb8221f8f317b9ff1679048f7cd262b331e.exe
- Size: 228KB
- MD5: 25ffd014be7d902150585bf3c615929a
- SHA1: 19a8715cda81e2fa304783dd6fa6eea56e9a4638
- SHA256: 040935ba44fc55d20289081bd1089cb8221f8f317b9ff1679048f7cd262b331e
- SHA512: 9f00bfe4831b33223b571c871294b680707620ae9b7bf78d87dbd959e279d794125e0ff90891f936391489243591491304efb5fa801cb80bd2a38fbae12152a9
Malware Config
Signatures
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
- OnlyLogger Payload (2 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/1900-57-0x00000000001B0000-0x00000000001F6000-memory.dmp | family_onlylogger
    behavioral1/memory/1900-58-0x0000000000400000-0x0000000000F96000-memory.dmp | family_onlylogger
- Deletes itself (1 IoCs)
  Processes:
    pid | Process
    1664 | cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  Processes:
    pid | Process
    1488 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | Process
    Token: SeDebugPrivilege | 1488 | taskkill.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description | pid | Process | procid_target
    PID 1900 wrote to memory of 1664 | 1900 | 040935ba44fc55d20289081bd1089cb8221f8f317b9ff1679048f7cd262b331e.exe | 27
    PID 1900 wrote to memory of 1664 | 1900 | 040935ba44fc55d20289081bd1089cb8221f8f317b9ff1679048f7cd262b331e.exe | 27
    PID 1900 wrote to memory of 1664 | 1900 | 040935ba44fc55d20289081bd1089cb8221f8f317b9ff1679048f7cd262b331e.exe | 27
    PID 1900 wrote to memory of 1664 | 1900 | 040935ba44fc55d20289081bd1089cb8221f8f317b9ff1679048f7cd262b331e.exe | 27
    PID 1664 wrote to memory of 1488 | 1664 | cmd.exe | 29
    PID 1664 wrote to memory of 1488 | 1664 | cmd.exe | 29
    PID 1664 wrote to memory of 1488 | 1664 | cmd.exe | 29
    PID 1664 wrote to memory of 1488 | 1664 | cmd.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\040935ba44fc55d20289081bd1089cb8221f8f317b9ff1679048f7cd262b331e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\040935ba44fc55d20289081bd1089cb8221f8f317b9ff1679048f7cd262b331e.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1900
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "040935ba44fc55d20289081bd1089cb8221f8f317b9ff1679048f7cd262b331e.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\040935ba44fc55d20289081bd1089cb8221f8f317b9ff1679048f7cd262b331e.exe" & exit
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1664
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im "040935ba44fc55d20289081bd1089cb8221f8f317b9ff1679048f7cd262b331e.exe" /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1488