Analysis
- max time kernel: 100s
- max time network: 96s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 11-05-2022 02:40
Static task: static1

Behavioral task: behavioral1
- Sample: 89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe
- Resource: win10v2004-20220414-en
General
- Target: 89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe
- Size: 312KB
- MD5: 1ac7d60c72e8b77f9365c8e119eb675b
- SHA1: c8aba969c02188b754d752b0c6624d81b7ea2549
- SHA256: 89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2
- SHA512: 43a037dd388c56e48e8e9f08bbd78ec974f27e02089c2f488c96ed7aa74b48dc9a91eff53c902ec6597243ead7cdfb5b2f6ac5a704ccc410fed37ddb53607aad
Malware Config

Signatures
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
- OnlyLogger Payload (2 IoCs)
  Processes (resource, yara_rule):
  behavioral1/memory/960-56-0x0000000000220000-0x0000000000266000-memory.dmp  family_onlylogger
  behavioral1/memory/960-57-0x0000000000400000-0x0000000004DCB000-memory.dmp  family_onlylogger
- Deletes itself (1 IoCs)
  Processes (pid, Process):
  1968  cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  Processes (pid, Process):
  1648  taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, Process):
  Token: SeDebugPrivilege  1648  taskkill.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, Process, procid_target):
  PID 960 wrote to memory of 1968   960   89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe  27
  PID 960 wrote to memory of 1968   960   89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe  27
  PID 960 wrote to memory of 1968   960   89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe  27
  PID 960 wrote to memory of 1968   960   89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe  27
  PID 1968 wrote to memory of 1648  1968  cmd.exe  29
  PID 1968 wrote to memory of 1648  1968  cmd.exe  29
  PID 1968 wrote to memory of 1648  1968  cmd.exe  29
  PID 1968 wrote to memory of 1648  1968  cmd.exe  29
Processes
- C:\Users\Admin\AppData\Local\Temp\89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe"
  - Suspicious use of WriteProcessMemory
  PID: 960
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe" & exit
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1968
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im "89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe" /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1648