Analysis
- max time kernel: 39s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 11-05-2022 02:40
Static task: static1

Behavioral task: behavioral1
  Sample: e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe
  Resource: win10v2004-20220414-en
General
- Target: e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe
- Size: 228KB
- MD5: 824d13b6e398268665ef821d69bc2725
- SHA1: b49ed939e73ff6d031591a6c6f937b3f1d55acdf
- SHA256: e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b
- SHA512: deb82aeb06d4651f758e5b8de11f7a6722bf6658c83a954d97ecbc87ea6c570b9b0303ac8109b228b39e275b5876a3070a924cb057c3ee9d96ba146aa87297ee
Malware Config
Signatures

- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.

- OnlyLogger Payload (2 IoCs)
  Processes (resource / YARA rule):
    behavioral1/memory/1688-56-0x0000000000230000-0x0000000000276000-memory.dmp  family_onlylogger
    behavioral1/memory/1688-57-0x0000000000400000-0x0000000000F96000-memory.dmp  family_onlylogger

- Deletes itself (1 IoC)
  Processes (pid / process):
    1996  cmd.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Kills process with taskkill (1 IoC)
  Processes (pid / process):
    1304  taskkill.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  1304  taskkill.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target procid):
    PID 1688 wrote to memory of 1996  1688  e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe  27
    PID 1688 wrote to memory of 1996  1688  e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe  27
    PID 1688 wrote to memory of 1996  1688  e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe  27
    PID 1688 wrote to memory of 1996  1688  e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe  27
    PID 1996 wrote to memory of 1304  1996  cmd.exe  29
    PID 1996 wrote to memory of 1304  1996  cmd.exe  29
    PID 1996 wrote to memory of 1304  1996  cmd.exe  29
    PID 1996 wrote to memory of 1304  1996  cmd.exe  29
Processes (process tree, nesting shows parent/child)

1. C:\Users\Admin\AppData\Local\Temp\e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe"
   - Suspicious use of WriteProcessMemory
   PID: 1688

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe" & exit
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1996

      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im "e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe" /f
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
         PID: 1304