Analysis

Max time kernel:  188s
Max time network: 243s
Platform:         windows10-2004_x64
Resource:         win10v2004-20220414-en
Submitted:        08-05-2022 06:21

(The platform and resource above are those of behavioral2; the memory-dump IoCs in the Signatures section also come from that run.)

Tasks

Static task:     static1
Behavioral task: behavioral1
    Sample:   fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7.exe
    Resource: win7-20220414-en
Behavioral task: behavioral2
    Sample:   fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7.exe
    Resource: win10v2004-20220414-en
General

Target: fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7.exe
Size:   228KB
MD5:    c167956e7b3bcb9087c0f740f3c3f167
SHA1:   cf449afc6f00a8414eb108d3c38b2f3749475e4e
SHA256: fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7
SHA512: 66d2bfbf09b12ef5081e3351f070db3d43b1db4c0e8c6938eca1fd0382ca703ff6a67ef46a92a2cc7f752213fd7d0c9eaeceefef744753a325e8b518d45f4a3b
Malware Config

(no configuration was extracted for this sample)
Signatures

OnlyLogger
A tiny loader that uses IPLogger to get its payload.

OnlyLogger Payload (2 IoCs)
    resource                                                                      yara_rule
    behavioral2/memory/3472-131-0x0000000000FA0000-0x0000000000FE6000-memory.dmp   family_onlylogger
    behavioral2/memory/3472-132-0x0000000000400000-0x0000000000F96000-memory.dmp   family_onlylogger

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, most likely as a geofence check.
    description        ioc                                                                                                   Process
    Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but it is a broad heuristic: no IoCs are listed for it here, and nothing in the process tree shows file encryption. Treat it as drive enumeration by a loader, not as evidence of ransomware.

Program crash (1 IoC)
    pid   pid_target  Process       procid_target
    2932  3472        WerFault.exe  79

Kills process with taskkill (1 IoC)
    pid   Process
    2096  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
    description              pid   Process
    Token: SeDebugPrivilege  2096  taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
    description                       pid   Process                                                                procid_target
    PID 3472 wrote to memory of 2132  3472  fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7.exe  81   (logged 3 times)
    PID 2132 wrote to memory of 2096  2132  cmd.exe                                                                84   (logged 3 times)

Notes on reading these tables: procid_target is the sandbox's own sequential process identifier (79 is the sample, 81 is cmd.exe, 84 is taskkill.exe), not a Windows PID. The three identical WriteProcessMemory entries per child are what is typically logged when a parent creates a child process; on their own they do not indicate code injection. The only process that adjusted a token is taskkill.exe, which requests SeDebugPrivilege in order to force-terminate another process.
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7.exe"
    PID: 3472
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    Depth 2: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7.exe" & exit
        PID: 2132
        - Suspicious use of WriteProcessMemory

        Depth 3: C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /im "fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7.exe" /f
            PID: 2096
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

    Depth 2: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 1276
        PID: 2932
        - Program crash

Depth 1: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3472 -ip 3472
    PID: 4836

Reading the tree: the sample (PID 3472) spawns cmd.exe with a one-line self-deletion chain: force-kill its own image by name, then erase the file from %TEMP%, then exit. The kill has to come first because Windows will not delete the image of a running process. The cmd.exe command line names C:\Windows\System32\cmd.exe but the process image is C:\Windows\SysWOW64\cmd.exe; the sample is a 32-bit process, so WOW64 file-system redirection maps System32 to SysWOW64 for everything it launches. Detections that compare the image path against the command line literally will miss this; compare basenames instead. Both WerFault.exe instances reference PID 3472 (-p 3472), so the sample itself crashed during the run; the report does not say what caused the crash.
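The self-deletion chain in the process tree above (cmd.exe /c taskkill ... & erase ...) is a compact, reusable detection target. The following is an added example written for this page; it is not part of the sandbox report, of Triage, or of the OnlyLogger sample. The PROCS records are transcribed from the report's process tree (image path, command line, PID, parent PID); the field names, the function names, and the handling of the /pid form of taskkill are my own assumptions about how a practitioner would generalise the check.

```python
"""Flag a cmd.exe whose /c chain both kills its parent and deletes the
parent's image file (the self-deletion pattern in this report).

Added example for this page, not code from the sandbox or the sample.
Process records are transcribed from the report's process tree; the
field names ("pid", "ppid", "image", "cmdline") are assumptions.
"""
import ntpath
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\fb967b582dc38a1ba32d719beef322ffc90d82fd529b9fe280e8bfdaf2058de7.exe")

# Transcribed from the report. The top-level WerFault.exe (PID 4836) has no
# parent shown in the tree, so its ppid is None.
PROCS = [
    {"pid": 3472, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2132, "ppid": 3472, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": (r'"C:\Windows\System32\cmd.exe" /c taskkill /im '
                 f'"{ntpath.basename(SAMPLE)}" /f & erase "{SAMPLE}" & exit')},
    {"pid": 2096, "ppid": 2132, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": f'taskkill /im "{ntpath.basename(SAMPLE)}" /f'},
    {"pid": 2932, "ppid": 3472, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 1276"},
    {"pid": 4836, "ppid": None, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3472 -ip 3472"},
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokens(fragment):
    """Split one cmd.exe command into tokens, dropping surrounding quotes."""
    return [t.strip('"') for t in TOKEN_RE.findall(fragment)]


def split_chain(cmdline):
    """Return the individual commands that cmd.exe /c (or /k) will run,
    split on the &, &&, || and | operators."""
    m = re.search(r"\s/[ck]\s+(.*)$", cmdline, re.I | re.S)
    body = m.group(1) if m else ""
    return [c.strip() for c in re.split(r"&&|\|\||&|\|", body) if c.strip()]


def kills_parent(cmd, parent):
    """True if cmd is a taskkill aimed at the parent, by image name or PID."""
    t = tokens(cmd)
    if not t or ntpath.basename(t[0]).lower() not in ("taskkill", "taskkill.exe"):
        return False
    low = [x.lower() for x in t]
    parent_name = ntpath.basename(parent["image"]).lower()
    for i, x in enumerate(low[:-1]):
        if x == "/im" and low[i + 1] == parent_name:
            return True
        if x == "/pid" and low[i + 1] == str(parent["pid"]):
            return True
    return False


def deletes_parent_image(cmd, parent):
    """True if cmd is del/erase of the parent's image path."""
    t = tokens(cmd)
    if not t or t[0].lower() not in ("del", "erase"):
        return False
    return any(x.lower() == parent["image"].lower() for x in t[1:])


def self_delete_chains(procs):
    """Return (cmd_pid, parent_pid, parent_image) for each cmd.exe that both
    kills its parent and deletes the parent's image in one /c chain.
    The cmd.exe image is matched by basename only: a 32-bit parent gets
    SysWOW64 cmd.exe even when its command line names System32."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        if ntpath.basename(p["image"]).lower() != "cmd.exe":
            continue
        parent = by_pid.get(p["ppid"])
        if parent is None:
            continue
        chain = split_chain(p["cmdline"])
        if (any(kills_parent(c, parent) for c in chain)
                and any(deletes_parent_image(c, parent) for c in chain)):
            hits.append((p["pid"], parent["pid"], parent["image"]))
    return hits


if __name__ == "__main__":
    for cmd_pid, parent_pid, image in self_delete_chains(PROCS):
        print(f"self-delete: cmd.exe PID {cmd_pid} removes parent PID {parent_pid} ({image})")
```

Requiring both halves of the chain (kill and delete aimed at the same parent) keeps the rule quiet on installers and updaters that only taskkill a sibling or only clean up a temp file; the parent-child link is what turns two ordinary LOLBin invocations into a self-deletion.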