Analysis

  • max time kernel
    129s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    11-05-2022 02:40

General

  • Target

    89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe

  • Size

    312KB

  • MD5

    1ac7d60c72e8b77f9365c8e119eb675b

  • SHA1

    c8aba969c02188b754d752b0c6624d81b7ea2549

  • SHA256

    89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2

  • SHA512

    43a037dd388c56e48e8e9f08bbd78ec974f27e02089c2f488c96ed7aa74b48dc9a91eff53c902ec6597243ead7cdfb5b2f6ac5a704ccc410fed37ddb53607aad

Score
10/10

Malware Config

Signatures

  • OnlyLogger

    A tiny loader that uses IPLogger to get its payload.

  • OnlyLogger Payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 8 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe
    "C:\Users\Admin\AppData\Local\Temp\89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 612
      2⤵
      • Program crash
      PID:5048
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 632
      2⤵
      • Program crash
      PID:4596
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 724
      2⤵
      • Program crash
      PID:4640
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 784
      2⤵
      • Program crash
      PID:936
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 744
      2⤵
      • Program crash
      PID:740
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1112
      2⤵
      • Program crash
      PID:4452
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1240
      2⤵
      • Program crash
      PID:1892
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4056
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5032
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1408
      2⤵
      • Program crash
      PID:4648
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1928 -ip 1928
    1⤵
      PID:4176
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1928 -ip 1928
      1⤵
        PID:3088
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1928 -ip 1928
        1⤵
          PID:1664
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1928 -ip 1928
          1⤵
            PID:3964
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1928 -ip 1928
            1⤵
              PID:1116
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1928 -ip 1928
              1⤵
                PID:764
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1928 -ip 1928
                1⤵
                  PID:1856
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1928 -ip 1928
                  1⤵
                    PID:4288

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/1928-130-0x0000000004F68000-0x0000000004F90000-memory.dmp

                    Filesize

                    160KB

                  • memory/1928-131-0x0000000006B30000-0x0000000006B76000-memory.dmp

                    Filesize

                    280KB

                  • memory/1928-132-0x0000000000400000-0x0000000004DCB000-memory.dmp

                    Filesize

                    73.8MB

                  • memory/4056-133-0x0000000000000000-mapping.dmp

                  • memory/5032-134-0x0000000000000000-mapping.dmp