Analysis
  max time kernel:   129s
  max time network:  156s
  platform:          windows10-2004_x64
  resource:          win10v2004-20220414-en
  submitted:         11-05-2022 02:40
Static task:      static1
Behavioral task:  behavioral1
  Sample:    89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe
  Resource:  win7-20220414-en
Behavioral task:  behavioral2
  Sample:    89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe
  Resource:  win10v2004-20220414-en
General
  Target:  89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe
  Size:    312KB
  MD5:     1ac7d60c72e8b77f9365c8e119eb675b
  SHA1:    c8aba969c02188b754d752b0c6624d81b7ea2549
  SHA256:  89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2
  SHA512:  43a037dd388c56e48e8e9f08bbd78ec974f27e02089c2f488c96ed7aa74b48dc9a91eff53c902ec6597243ead7cdfb5b2f6ac5a704ccc410fed37ddb53607aad
Malware Config
  (no configuration was extracted in this run)
Signatures

OnlyLogger
  A tiny loader that uses IPLogger to get its payload.

OnlyLogger Payload (2 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/1928-131-0x0000000006B30000-0x0000000006B76000-memory.dmp   family_onlylogger
  behavioral2/memory/1928-132-0x0000000000400000-0x0000000004DCB000-memory.dmp   family_onlylogger
  Both hits are memory dumps of PID 1928 (the sample). The second region starts at 0x400000, the usual base of a 32-bit image, and spans about 74 MB of address space for a 312 KB file on disk, which points to a section that is mostly empty on disk and filled at run time; the first is a separate allocation of about 280 KB. Both are consistent with the loader unpacking itself in memory. This page lists no network IoCs, so the IPLogger request the family is named for is not recorded in this run.
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process                                                                      Key value queried
  89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe (1928)  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
  Geo\Nation holds the user's GeoID (a decimal country code set through the Region control panel), so reading it is the common way a loader decides whether to run or quit based on the victim's locale. The report does not show which value came back or whether it changed the sample's behaviour.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description for this signature adds "likely ransomware behaviour", but nothing else in this report supports that reading: OnlyLogger is a loader, no IoCs are attributed to this signature here, and no file encryption or ransom note appears anywhere in the run.
Program crash (8 IoCs)
  pid   pid_target  Process       procid_target
  5048  1928        WerFault.exe  82
  4596  1928        WerFault.exe  82
  4640  1928        WerFault.exe  82
  936   1928        WerFault.exe  82
  740   1928        WerFault.exe  82
  4452  1928        WerFault.exe  82
  1892  1928        WerFault.exe  82
  4648  1928        WerFault.exe  82
  All eight crash reports target PID 1928, the sample itself: the loader faulted repeatedly during the run, and the report records no payload process or network IoC after it.
Kills process with taskkill (1 IoC)
  pid   Process
  5032  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  pid   Process       Token
  5032  taskkill.exe  SeDebugPrivilege

Suspicious use of WriteProcessMemory (6 IoCs)
  pid   target  Process                                                               procid_target
  1928  4056    89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe  104
  1928  4056    89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe  104
  1928  4056    89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe  104
  4056  5032    cmd.exe                                                               108
  4056  5032    cmd.exe                                                               108
  4056  5032    cmd.exe                                                               108
  These three signatures are one chain. The sample (1928) spawns cmd.exe (4056), which runs taskkill /f against the sample's own image name and then erases the file from Temp: a self-delete routine, not an attack on another process. taskkill enables SeDebugPrivilege so that the forced termination succeeds, and each WriteProcessMemory entry pairs a parent with the child it has just created, which is how process creation shows up in this log rather than injection into an unrelated process.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe  (PID 1928)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WerFault.exe  (PID 5048)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 612
        - Program crash

    [2] C:\Windows\SysWOW64\WerFault.exe  (PID 4596)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 632
        - Program crash

    [2] C:\Windows\SysWOW64\WerFault.exe  (PID 4640)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 724
        - Program crash

    [2] C:\Windows\SysWOW64\WerFault.exe  (PID 936)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 784
        - Program crash

    [2] C:\Windows\SysWOW64\WerFault.exe  (PID 740)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 744
        - Program crash

    [2] C:\Windows\SysWOW64\WerFault.exe  (PID 4452)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1112
        - Program crash

    [2] C:\Windows\SysWOW64\WerFault.exe  (PID 1892)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1240
        - Program crash

    [2] C:\Windows\SysWOW64\cmd.exe  (PID 4056)
        cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe" & exit
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\taskkill.exe  (PID 5032)
            cmdline: taskkill /im "89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe" /f
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\WerFault.exe  (PID 4648)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1408
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 4176)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1928 -ip 1928

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 3088)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1928 -ip 1928

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 1664)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1928 -ip 1928

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 3964)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1928 -ip 1928

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 1116)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1928 -ip 1928

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 764)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1928 -ip 1928

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 1856)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1928 -ip 1928

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 4288)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1928 -ip 1928
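The three behaviours that matter in this process tree (the Geo\Nation registry read, the cmd.exe /c taskkill ... & erase ... self-delete, and the run of WerFault crash reports against one PID) are easy to miss when read row by row, so here is triage logic that finds them. This is an added example, not code from the report or from any sandbox vendor: the process-creation and registry-query records are constructed by hand from the tree above, and the record fields (pid, ppid, image, cmdline, key) are an assumed schema, not a real export format. The parent of the WER-service-spawned -pss instances is not shown on the page, so it is recorded as 0.

```python
"""Triage helper for the behaviours in this sandbox report (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int      # 0 = parent not shown in the report (assumption)
    image: str
    cmdline: str


@dataclass
class RegEvent:
    pid: int
    key: str


SAMPLE_NAME = "89b9116e5a46daeb299bd90628afd8fc484581e53c31f71e3fac81b009a238c2.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE_NAME
WER = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed from the report: the sample, its eight crash reporters, the
# self-delete cmd.exe/taskkill pair and one WER-service-spawned instance.
PROC_EVENTS: List[ProcEvent] = [
    ProcEvent(1928, 0, SAMPLE, '"' + SAMPLE + '"'),
    *[ProcEvent(pid, 1928, WER, "{} -u -p 1928 -s {}".format(WER, s))
      for pid, s in [(5048, 612), (4596, 632), (4640, 724), (936, 784),
                     (740, 744), (4452, 1112), (1892, 1240), (4648, 1408)]],
    ProcEvent(4056, 1928, r"C:\Windows\SysWOW64\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c taskkill /im "{n}" /f '
              '& erase "{p}" & exit'.format(n=SAMPLE_NAME, p=SAMPLE)),
    ProcEvent(5032, 4056, r"C:\Windows\SysWOW64\taskkill.exe",
              'taskkill /im "{}" /f'.format(SAMPLE_NAME)),
    ProcEvent(4176, 0, WER, WER + " -pss -s 424 -p 1928 -ip 1928"),
]
REG_EVENTS: List[RegEvent] = [
    RegEvent(1928, r"\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000"
                   r"\Control Panel\International\Geo\Nation"),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokens(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [q or u for q, u in _TOKEN.findall(cmdline)]


def find_self_deletion(events: List[ProcEvent]) -> List[Dict]:
    """Flag a child that taskkills and erases its own parent's image
    (the 'cmd /c taskkill /im X /f & erase X' pattern in this report)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        toks = tokens(e.cmdline)
        low = [t.lower() for t in toks]
        if "taskkill" not in low or not ({"erase", "del"} & set(low)):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        killed = toks[low.index("/im") + 1] if "/im" in low else None
        di = next(i for i, t in enumerate(low) if t in ("erase", "del"))
        erased = toks[di + 1] if di + 1 < len(toks) else None
        parent_name = parent.image.rsplit("\\", 1)[-1]
        if (killed or "").lower() == parent_name.lower() or \
           (erased or "").lower() == parent.image.lower():
            hits.append({"pid": e.pid, "parent_pid": parent.pid,
                         "killed": killed, "erased": erased})
    return hits


_WER_TARGET = re.compile(r"\s-u\s+-p\s+(\d+)\b")


def find_crash_loop(events: List[ProcEvent], threshold: int = 3) -> Dict[int, int]:
    """Count 'WerFault.exe -u -p <pid>' launches per crashed pid; the -pss
    instances name the same pid but are the WER service side, so skip them."""
    counts: Counter = Counter()
    for e in events:
        if e.image.lower().endswith("\\werfault.exe"):
            m = _WER_TARGET.search(e.cmdline)
            if m:
                counts[int(m.group(1))] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}


_GEO = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)


def find_geofence_check(reg_events: List[RegEvent]) -> List[int]:
    """PIDs that read the user's GeoID value (Control Panel / International / Geo / Nation)."""
    return sorted({r.pid for r in reg_events if _GEO.search(r.key)})


def triage(procs: List[ProcEvent], regs: List[RegEvent]) -> Dict[str, object]:
    return {
        "self_deletion": find_self_deletion(procs),
        "crash_loop": find_crash_loop(procs),
        "geofence_check": find_geofence_check(regs),
    }


if __name__ == "__main__":
    for name, result in triage(PROC_EVENTS, REG_EVENTS).items():
        print(name, result)
```

The self-delete check keys on the relationship between child and parent (the erased path equals the parent's image, or the /im target equals the parent's file name) rather than on the literal string "taskkill", so a loader that uses del instead of erase, or a different image name, is still caught, while an administrator's unrelated taskkill is not.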