Analysis

Max time kernel: 40s
Max time network: 54s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 08-05-2022 07:26
Tasks

Static task: static1

Behavioral task: behavioral1
  Sample: 94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe
  Resource: win10v2004-20220414-en
General

Target: 94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe
Size: 442KB
MD5: 5b94d54679128d9eca615d310b94fedf
SHA1: 52f735724d34f8036b9f3cb9b26521172fe6b7d1
SHA256: 94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0
SHA512: 059d5708658adef150a3a22eec6f31aa5d3b7b7f0c1e0639dd919c590ea04cdcf31f4a444ebbbbacc1af70ddd46ede90f9b4311c67e2046c11c1cc9adf805e22

Malware Config: (none extracted)

Signatures
OnlyLogger
  A tiny loader that uses IPLogger to get its payload.

OnlyLogger Payload (2 IoCs)
  Memory regions matching YARA rule family_onlylogger:
    resource                                                                     yara_rule
    behavioral1/memory/1612-56-0x00000000023B0000-0x00000000023F6000-memory.dmp   family_onlylogger
    behavioral1/memory/1612-57-0x0000000000400000-0x0000000000C4B000-memory.dmp   family_onlylogger

Deletes itself (1 IoC)
  Processes:
    pid    process
    2032   cmd.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (1 IoC)
  Processes:
    pid    process
    1988   taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                 pid    process
    Token: SeDebugPrivilege     1988   taskkill.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                              pid    process                                                                  procid_target
    PID 1612 wrote to memory of 2032         1612   94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe   28
    PID 1612 wrote to memory of 2032         1612   94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe   28
    PID 1612 wrote to memory of 2032         1612   94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe   28
    PID 1612 wrote to memory of 2032         1612   94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe   28
    PID 2032 wrote to memory of 1988         2032   cmd.exe                                                                  30
    PID 2032 wrote to memory of 1988         2032   cmd.exe                                                                  30
    PID 2032 wrote to memory of 1988         2032   cmd.exe                                                                  30
    PID 2032 wrote to memory of 1988         2032   cmd.exe                                                                  30
Processes

1. C:\Users\Admin\AppData\Local\Temp\94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe"
   PID: 1612
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe" & exit
      PID: 2032
      Signatures: Deletes itself; Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im "94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe" /f
         PID: 1988
         Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken