Analysis
- max time kernel: 38s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-05-2022 06:21
Static task: static1
Behavioral task: behavioral1
- Sample: fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7.exe
- Resource: win10v2004-20220414-en
General
- Target: fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7.exe
- Size: 228KB
- MD5: c167956e7b3bcb9087c0f740f3c3f167
- SHA1: cf449afc6f00a8414eb108d3c38b2f3749475e4e
- SHA256: fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7
- SHA512: 66d2bfbf09b12ef5081e3351f070db3d43b1db4c0e8c6938eca1fd0382ca703ff6a67ef46a92a2cc7f752213fd7d0c9eaeceefef744753a325e8b518d45f4a3b
Malware Config
Signatures
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
- OnlyLogger Payload (2 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/1748-57-0x00000000002C0000-0x0000000000306000-memory.dmp | family_onlylogger
    behavioral1/memory/1748-58-0x0000000000400000-0x0000000000F96000-memory.dmp | family_onlylogger
- Deletes itself (1 IoCs)
  Processes:
    pid | Process
    1404 | cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  Processes:
    pid | Process
    1828 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | Process
    Token: SeDebugPrivilege | 1828 | taskkill.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description | pid | Process | procid_target
    PID 1748 wrote to memory of 1404 | 1748 | fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7.exe | 28
    PID 1748 wrote to memory of 1404 | 1748 | fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7.exe | 28
    PID 1748 wrote to memory of 1404 | 1748 | fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7.exe | 28
    PID 1748 wrote to memory of 1404 | 1748 | fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7.exe | 28
    PID 1404 wrote to memory of 1828 | 1404 | cmd.exe | 30
    PID 1404 wrote to memory of 1828 | 1404 | cmd..exe | 30
    PID 1404 wrote to memory of 1828 | 1404 | cmd.exe | 30
    PID 1404 wrote to memory of 1828 | 1404 | cmd.exe | 30
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7.exe"
  PID: 1748
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7.exe" & exit
    PID: 1404
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im "fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7.exe" /f
      PID: 1828
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken