Analysis

max time kernel: 150s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 08-05-2022 07:26

The signatures and process tree below come from the Windows 10 run (behavioral2); the memory-dump resource names carry that task name.

Static task: static1

Behavioral task: behavioral1
Sample: 94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: 94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe
Resource: win10v2004-20220414-en
General

Target: 94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe
Size: 442KB
MD5: 5b94d54679128d9eca615d310b94fedf
SHA1: 52f735724d34f8036b9f3cb9b26521172fe6b7d1
SHA256: 94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0
SHA512: 059d5708658adef150a3a22eec6f31aa5d3b7b7f0c1e0639dd919c590ea04cdcf31f4a444ebbbbacc1af70ddd46ede90f9b4311c67e2046c11c1cc9adf805e22
Malware Config

(no configuration extracted in this report)

Signatures

OnlyLogger
A tiny loader that uses IPLogger to get its payload.

OnlyLogger Payload (2 IoCs)
Memory regions of PID 2604 that matched the family_onlylogger YARA rule:

resource                                                                       yara_rule
behavioral2/memory/2604-131-0x0000000002980000-0x00000000029C6000-memory.dmp   family_onlylogger
behavioral2/memory/2604-132-0x0000000000400000-0x0000000000C4B000-memory.dmp   family_onlylogger

The second dump starts at 0x400000, the default image base of a 32-bit PE, and spans 0x84B000 bytes (about 8.3 MB) against a 442KB file on disk; that gap is consistent with a packed image whose sections are far larger in memory than in the file. The first dump is a separate 0x46000-byte allocation outside the image.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence. The value queried is the per-user location ID (the value GetUserGeoID returns).

description        ioc                                                                                                     Process
Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation   94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(Generic signature text: nothing else in this report shows file encryption or other ransomware activity, and the sample is classified above as the OnlyLogger loader.)

Program crash (8 IoCs)
Eight WerFault.exe instances, every one reporting on the sample's own process (pid_target 2604):

pid    pid_target  Process       procid_target
4956   2604        WerFault.exe  81
2612   2604        WerFault.exe  81
4664   2604        WerFault.exe  81
1956   2604        WerFault.exe  81
4232   2604        WerFault.exe  81
540    2604        WerFault.exe  81
3220   2604        WerFault.exe  81
1616   2604        WerFault.exe  81

Kills process with taskkill (1 IoC)

pid    Process
4988   taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
taskkill /f enables SeDebugPrivilege before terminating its target, so this row is the same kill step, not a separate capability of the sample.

description              pid    Process
Token: SeDebugPrivilege  4988   taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Each child creation shows up here as three writes into the new process, so the six rows are two parent/child pairs: the sample spawning cmd.exe, and cmd.exe spawning taskkill.exe.

description                        pid    Process                                                                  procid_target
PID 2604 wrote to memory of 3852   2604   94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe    105
PID 2604 wrote to memory of 3852   2604   94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe    105
PID 2604 wrote to memory of 3852   2604   94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe    105
PID 3852 wrote to memory of 4988   3852   cmd.exe                                                                  109
PID 3852 wrote to memory of 4988   3852   cmd.exe                                                                  109
PID 3852 wrote to memory of 4988   3852   cmd.exe                                                                  109
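The two signature tables above (the YARA memory dumps and the WriteProcessMemory rows) are worth turning into structured data rather than reading by eye: the dump file names encode the PID and the exact address range, and the repeated write rows collapse to a parent/child tree. The following Python is an added example and not part of the sandbox report; the input rows are copied from the tables above, the file-name layout and row column order are assumed from those rows, and SIZE_ON_DISK is taken as 442*1024 because the page only states "442KB".

```python
"""Parse OnlyLogger memory-dump and WriteProcessMemory IoCs into structured data.

Added example; the resource-name layout and row format are assumptions
derived from the report rows embedded below.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Resource names look like: <task>/memory/<pid>-<idx>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# Process-access rows: "PID <src> wrote to memory of <dst> <src> <image> <target_no>"
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_no>\d+)"
)

SIZE_ON_DISK = 442 * 1024  # report says "442KB"; exact byte count is not on the page

# Constructed from the report's OnlyLogger Payload rows: (resource, yara_rule).
DUMP_ROWS = [
    ("behavioral2/memory/2604-131-0x0000000002980000-0x00000000029C6000-memory.dmp", "family_onlylogger"),
    ("behavioral2/memory/2604-132-0x0000000000400000-0x0000000000C4B000-memory.dmp", "family_onlylogger"),
]

# Constructed from the report's WriteProcessMemory rows (flattened onto one line, as extracted).
WPM_TEXT = (
    "PID 2604 wrote to memory of 3852 2604 94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe 105 "
    "PID 2604 wrote to memory of 3852 2604 94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe 105 "
    "PID 2604 wrote to memory of 3852 2604 94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe 105 "
    "PID 3852 wrote to memory of 4988 3852 cmd.exe 109 "
    "PID 3852 wrote to memory of 4988 3852 cmd.exe 109 "
    "PID 3852 wrote to memory of 4988 3852 cmd.exe 109"
)


@dataclass
class MemoryDump:
    task: str
    pid: int
    index: int
    start: int
    end: int
    rule: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def is_image_region(self) -> bool:
        # 0x400000 is the default image base of a 32-bit PE: a dump starting
        # there is the mapped executable itself, not a separate allocation.
        return self.start == 0x400000


def parse_dumps(rows) -> List[MemoryDump]:
    dumps = []
    for resource, rule in rows:
        m = DUMP_RE.match(resource)
        if not m:
            raise ValueError(f"unrecognised dump resource: {resource}")
        dumps.append(MemoryDump(m["task"], int(m["pid"]), int(m["idx"]),
                                int(m["start"], 16), int(m["end"], 16), rule))
    return dumps


def image_inflation(dumps: List[MemoryDump], size_on_disk: int = SIZE_ON_DISK) -> float:
    """Ratio of the in-memory image dump to the file size on disk.
    A ratio well above 1 means the mapped image is much larger than the file,
    which is what a packed or self-expanding loader looks like."""
    image = [d for d in dumps if d.is_image_region]
    return image[0].size / size_on_disk if image else 0.0


def parse_process_tree(text: str) -> Dict[int, List[int]]:
    """Collapse repeated WriteProcessMemory rows (several writes per child
    creation) into unique parent -> [children] edges."""
    tree: Dict[int, List[int]] = {}
    for m in WPM_RE.finditer(text):
        src, dst = int(m["src"]), int(m["dst"])
        if dst not in tree.setdefault(src, []):
            tree[src].append(dst)
    return tree


if __name__ == "__main__":
    dumps = parse_dumps(DUMP_ROWS)
    for d in dumps:
        kind = "image" if d.is_image_region else "allocation"
        print(f"pid {d.pid} dump {d.index}: {kind} 0x{d.start:08X}-0x{d.end:08X} ({d.size} bytes) {d.rule}")
    print(f"in-memory image vs file on disk: {image_inflation(dumps):.1f}x")
    print(parse_process_tree(WPM_TEXT))
```

The inflation ratio is the quick sanity check: an image dump roughly nineteen times the file size means the bytes YARA matched on are not what is on disk, so file-based hashes and rules should be complemented with the memory-dump rule the report already applied.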
Processes

Image paths are under C:\Windows\SysWOW64 even where the command line names System32: the sample is 32-bit, so WER launches the 32-bit WerFault.exe for it and the cmd.exe/taskkill.exe it starts are redirected to SysWOW64.

C:\Users\Admin\AppData\Local\Temp\94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe (PID 2604)
  "C:\Users\Admin\AppData\Local\Temp\94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WerFault.exe (PID 4956)
    C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 616
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe (PID 2612)
    C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 624
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe (PID 4664)
    C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 624
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe (PID 1956)
    C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 792
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe (PID 4232)
    C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 848
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe (PID 540)
    C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 1080
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe (PID 3220)
    C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 808
    - Program crash

  C:\Windows\SysWOW64\cmd.exe (PID 3852)
    "C:\Windows\System32\cmd.exe" /c taskkill /im "94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe" & exit
    - Suspicious use of WriteProcessMemory
    (self-cleanup: the sample hands its own image name and path to cmd.exe, which kills the process and then erases the file from disk)

    C:\Windows\SysWOW64\taskkill.exe (PID 4988)
      taskkill /im "94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe" /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe (PID 1616)
    C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 1416
    - Program crash

Top-level WerFault.exe helper instances (-pss) for the same process, PID 2604, with no signatures:

C:\Windows\SysWOW64\WerFault.exe (PID 2924)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2604 -ip 2604

C:\Windows\SysWOW64\WerFault.exe (PID 2064)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2604 -ip 2604

C:\Windows\SysWOW64\WerFault.exe (PID 4696)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2604 -ip 2604

C:\Windows\SysWOW64\WerFault.exe (PID 4684)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2604 -ip 2604

C:\Windows\SysWOW64\WerFault.exe (PID 4424)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2604 -ip 2604

C:\Windows\SysWOW64\WerFault.exe (PID 3028)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2604 -ip 2604

C:\Windows\SysWOW64\WerFault.exe (PID 3900)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2604 -ip 2604

C:\Windows\SysWOW64\WerFault.exe (PID 3308)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2604 -ip 2604
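The cmd.exe line in the tree above (taskkill /im <own image> /f & erase <own path> & exit) is the detection opportunity in this run: a parent that asks cmd.exe to kill and delete its own executable is rarely benign. The Python below is an added example, not part of the sandbox report, showing how to match that pattern on process-creation command lines. It goes one step beyond the page's exact case and also flags the common delay-then-delete variant (ping/timeout followed by del of an .exe) that has no taskkill step; the list of delay verbs is an assumption, and the sample command lines are constructed here (the first is the report's own, the rest are made up).

```python
"""Detect cmd.exe self-deletion command lines of the form seen in this report.

Added example; the DELAY_VERBS set and the non-report sample lines are
assumptions constructed for illustration.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Tuple

SAMPLE_EXE = "94a169116f328f6c59a5d90eaa87e070fadf47211b66c246c93d513550eb5ce0.exe"

# Constructed inputs: [0] is the cmd.exe line from this report, [1] and [2] are
# benign look-alikes, [3] is a delay-then-delete variant without taskkill.
SAMPLE_CMDLINES = [
    f'"C:\\Windows\\System32\\cmd.exe" /c taskkill /im "{SAMPLE_EXE}" /f '
    f'& erase "C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE_EXE}" & exit',
    '"C:\\Windows\\System32\\cmd.exe" /c taskkill /im notepad.exe /f',
    'cmd.exe /c del /f /q "C:\\Users\\Admin\\Desktop\\notes.txt"',
    'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del /f /q "C:\\Users\\Admin\\AppData\\Local\\Temp\\updater.exe"',
]

# Commands used only to wait before the delete runs (assumed list).
DELAY_VERBS = {"timeout", "ping", "choice", "sleep"}


@dataclass
class Verdict:
    matched: bool
    reason: str = ""
    killed: List[str] = field(default_factory=list)
    deleted: List[str] = field(default_factory=list)


def split_payload(cmdline: str) -> List[str]:
    """Return the sub-commands 'cmd /c' or 'cmd /k' will run, split on & && ||."""
    m = re.search(r"\s/[ck]\s+(.*)$", cmdline, re.IGNORECASE)
    if not m:
        return []
    return [p.strip() for p in re.split(r"\s*(?:&&|\|\||&)\s*", m.group(1)) if p.strip()]


def argv(part: str) -> List[str]:
    """Tokenise one sub-command, keeping quoted paths whole and dropping the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', part)]


def detect_self_delete(cmdline: str) -> Verdict:
    killed: List[str] = []
    deleted: List[str] = []
    delayed = False
    for part in split_payload(cmdline):
        args = argv(part)
        if not args:
            continue
        verb = ntpath.basename(args[0]).lower()
        if verb in ("taskkill", "taskkill.exe"):
            for i, a in enumerate(args):
                if a.lower() == "/im" and i + 1 < len(args):
                    killed.append(args[i + 1].lower())
        elif verb in ("del", "erase"):
            deleted.extend(a for a in args[1:] if not a.startswith("/"))
        elif verb in DELAY_VERBS:
            delayed = True
    deleted_names = [ntpath.basename(p).lower() for p in deleted]
    if any(name in deleted_names for name in killed):
        return Verdict(True, "taskkill of an image followed by deletion of the same file", killed, deleted)
    if delayed and any(n.endswith(".exe") for n in deleted_names):
        return Verdict(True, "delayed deletion of an executable", killed, deleted)
    return Verdict(False, "", killed, deleted)


def scan(cmdlines: List[str]) -> List[Tuple[str, Verdict]]:
    return [(c, detect_self_delete(c)) for c in cmdlines]


if __name__ == "__main__":
    for line, v in scan(SAMPLE_CMDLINES):
        tag = "ALERT" if v.matched else "ok   "
        print(f"{tag} {v.reason:<60} {line[:70]}")
```

Feed it the CommandLine field from Sysmon event 1 or Windows Security event 4688 (with command-line auditing enabled); on the report's own line it pairs the killed image name with the erased path and fires on the first rule, while the taskkill-only and plain-delete lines stay quiet.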