Analysis

  • max time kernel
    199s
  • max time network
    208s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    07-05-2022 21:52

General

  • Target

    040935ba44fc55d20289081bd1089cb8221f8f317b9ff1679048f7cd262b331e.exe

  • Size

    228KB

  • MD5

    25ffd014be7d902150585bf3c615929a

  • SHA1

    19a8715cda81e2fa304783dd6fa6eea56e9a4638

  • SHA256

    040935ba44fc55d20289081bd1089cb8221f8f317b9ff1679048f7cd262b331e

  • SHA512

    9f00bfe4831b33223b571c871294b680707620ae9b7bf78d87dbd959e279d794125e0ff90891f936391489243591491304efb5fa801cb80bd2a38fbae12152a9

Score
10/10

Malware Config

Signatures

  • OnlyLogger

    A tiny loader that uses IPLogger to get its payload. No network traffic is recorded in this report, so the IPLogger request itself was not captured in this run.

  • OnlyLogger Payload (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The sandbox marks this as likely ransomware behaviour, but it is a generic heuristic: the sample is classified as the OnlyLogger loader, the report records no file or network activity, and the only other behaviour in the trace is seven crashes of the sample process. Treat the drive enumeration as a triage lead, not as a ransomware verdict.

  • Program crash (7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\040935ba44fc55d20289081bd1089cb8221f8f317b9ff1679048f7cd262b331e.exe
    "C:\Users\Admin\AppData\Local\Temp\040935ba44fc55d20289081bd1089cb8221f8f317b9ff1679048f7cd262b331e.exe"
    1⤵
      PID:1396
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 616
        2⤵
        • Program crash
        PID:4980
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 656
        2⤵
        • Program crash
        PID:4304
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 648
        2⤵
        • Program crash
        PID:5008
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 640
        2⤵
        • Program crash
        PID:2376
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 752
        2⤵
        • Program crash
        PID:4996
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1180
        2⤵
        • Program crash
        PID:1808
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1188
        2⤵
        • Program crash
        PID:3888
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1396 -ip 1396
    1⤵
      PID:1348
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1396 -ip 1396
    1⤵
      PID:1772
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1396 -ip 1396
    1⤵
      PID:4680
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1396 -ip 1396
    1⤵
      PID:4152
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1396 -ip 1396
    1⤵
      PID:2248
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1396 -ip 1396
    1⤵
      PID:2112
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1396 -ip 1396
    1⤵
      PID:3200
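
The process tree above is the kind of record a detection engineer correlates in endpoint telemetry: every WerFault.exe launch names the crashing process in its "-p <pid>" argument (the "-u ... -s <handle>" form is spawned by the faulting process itself, the "-pss ... -ip <pid>" form runs at top level), so repeated WerFault invocations for one PID identify a repeat-crasher even when the crashing image is not logged directly. The following script is an added example, not part of the sandbox report or of any vendor tooling. It rebuilds the report's tree as constructed (pid, image, command line) records with the PIDs and handles shown above; the record shape, the `threshold` of three crashes and the "runs from a user Temp directory" condition are assumptions chosen for this illustration.

```python
"""Correlate WerFault.exe launches with the process they were raised for.

Added example, not part of the sandbox report: mirrors the process tree above
as constructed (pid, image, command line) records and shows how a detection
rule can recover the crashing PID from WerFault's command line, count repeat
crashes, and flag a crasher that runs from a user-writable Temp directory.
"""
import re
from collections import defaultdict

# WerFault.exe -u -p <pid> -s <handle>          launched by the faulting process
# WerFault.exe -pss -s <n> -p <pid> -ip <pid>   top-level reporting helper
# Both carry the crashing process in "-p <pid>"; "-ip <pid>" must not be
# mistaken for it, hence the whitespace before "-p" in the pattern.
WERFAULT_PID_RE = re.compile(r"\bWerFault\.exe\b.*\s-p\s+(\d+)", re.IGNORECASE)
PSS_RE = re.compile(r"\s-pss(\s|$)", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Paths taken from the report; the records below are constructed from its tree.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\040935ba44fc55d20289081bd1089cb8221f8f317b9ff1679048f7cd262b331e.exe")
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"


def build_sample_records():
    """Constructed records with the PIDs and handles from the report's tree."""
    records = [(1396, SAMPLE_EXE, f'"{SAMPLE_EXE}"')]
    for pid, handle in [(4980, 616), (4304, 656), (5008, 648), (2376, 640),
                        (4996, 752), (1808, 1180), (3888, 1188)]:
        records.append((pid, WERFAULT, f"{WERFAULT} -u -p 1396 -s {handle}"))
    for pid, n in [(1348, 204), (1772, 420), (4680, 524), (4152, 504),
                   (2248, 400), (2112, 528), (3200, 424)]:
        records.append((pid, WERFAULT, f"{WERFAULT} -pss -s {n} -p 1396 -ip 1396"))
    return records


def werfault_target(cmdline):
    """Return the PID WerFault was invoked for, or None if not a WerFault line."""
    m = WERFAULT_PID_RE.search(cmdline)
    return int(m.group(1)) if m else None


def correlate_crashes(records, threshold=3):
    """Group WerFault launches by target PID.

    Returns {target_pid: {"image", "u", "pss", "total", "flagged"}}; "flagged"
    is True when the target crashed at least `threshold` times (assumed cut-off)
    and its image lives under a user-writable Temp directory.
    """
    image_by_pid = {pid: image for pid, image, _ in records}
    stats = defaultdict(lambda: {"u": 0, "pss": 0})
    for _, _, cmd in records:
        target = werfault_target(cmd)
        if target is None:
            continue
        stats[target]["pss" if PSS_RE.search(cmd) else "u"] += 1
    result = {}
    for target, counts in stats.items():
        image = image_by_pid.get(target, "<unknown>")
        total = counts["u"] + counts["pss"]
        result[target] = {
            "image": image, "u": counts["u"], "pss": counts["pss"], "total": total,
            "flagged": total >= threshold and TEMP_DIR_RE.search(image) is not None,
        }
    return result


if __name__ == "__main__":
    for pid, info in correlate_crashes(build_sample_records()).items():
        print(pid, info)
```

Run against the constructed records it reports PID 1396 with seven "-u" and seven "-pss" launches and flags it, because the image sits under AppData\Local\Temp. Against real Sysmon or EDR process-creation events the same two regular expressions apply unchanged; only the record shape needs adapting.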

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1396-131-0x0000000001070000-0x00000000010B6000-memory.dmp

    Filesize

    280KB

  • memory/1396-130-0x00000000012C3000-0x00000000012EB000-memory.dmp

    Filesize

    160KB

  • memory/1396-132-0x0000000000400000-0x0000000000F96000-memory.dmp

    Filesize

    11.6MB
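
The dump names in the Downloads list encode the dumped region as <pid>-<sequence>-<start>-<end>, so the listed Filesize can be checked against the address range, and the ranges tell a story on their own: the region starting at 0x400000, the conventional image base of a 32-bit PE (the sample ran under SysWOW64), is 11.6MB, while the file on disk is 228KB. A mapped image that dwarfs its on-disk size is a common trait of packed or crypted loaders that declare large virtual sections and fill them at runtime. The script below is an added example, not part of the sandbox report: it parses the three dump names above, recomputes their sizes, and flags the image-base region; the `ratio` cut-off of 4x and the 228KB-as-bytes conversion are assumptions made for the illustration.

```python
"""Decode sandbox memory-dump names and compare mapped sizes with the file on disk.

Added example, not part of the sandbox report: parses the
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp names from the Downloads
list, recovers each region's size, and flags a region at the PE image base
that is far larger than the sample on disk (a packing/unpacking indicator).
"""
import re

DUMP_NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Dump names copied from the Downloads list above; 228KB is the reported size,
# converted to bytes here as an assumption (the report gives no exact byte count).
REPORT_DUMPS = [
    "memory/1396-131-0x0000000001070000-0x00000000010B6000-memory.dmp",
    "memory/1396-130-0x00000000012C3000-0x00000000012EB000-memory.dmp",
    "memory/1396-132-0x0000000000400000-0x0000000000F96000-memory.dmp",
]
ON_DISK_SIZE = 228 * 1024
DEFAULT_IMAGE_BASE = 0x400000  # conventional base of a 32-bit PE


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number and address range."""
    m = DUMP_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def fmt_size(n):
    """Render a byte count the way the report does: whole KB, or MB to one decimal."""
    if n >= 1024 * 1024:
        return f"{n / (1024 * 1024):.1f}MB"
    return f"{n // 1024}KB"


def assess_dumps(names, on_disk_size, ratio=4.0):
    """Annotate each region with its human size, ratio to the file on disk, and
    whether it looks like an unpacked image (assumed cut-off: `ratio` times)."""
    regions = [parse_dump_name(n) for n in names]
    for r in regions:
        r["human"] = fmt_size(r["size"])
        r["ratio"] = r["size"] / on_disk_size
        # Region at the image base that dwarfs the file on disk: the PE most
        # likely declares large virtual sections that are populated at runtime.
        r["looks_unpacked"] = r["start"] == DEFAULT_IMAGE_BASE and r["ratio"] >= ratio
    return sorted(regions, key=lambda r: r["start"])


if __name__ == "__main__":
    for r in assess_dumps(REPORT_DUMPS, ON_DISK_SIZE):
        print(f"pid {r['pid']} seq {r['seq']} 0x{r['start']:08X}-0x{r['end']:08X} "
              f"{r['human']} ({r['ratio']:.1f}x on-disk) unpacked={r['looks_unpacked']}")
```

The recomputed sizes (280KB, 160KB, 11.6MB) match the Filesize values in the list, and the 0x400000 region comes out at roughly 52 times the on-disk size, which is the dump a practitioner would open first when looking for the unpacked loader code.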