Analysis
max time kernel: 146s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 11-05-2022 02:40

Static task: static1

Behavioral task: behavioral1
Sample: e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe
Resource: win10v2004-20220414-en
General
Target: e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe
Size: 228KB
MD5: 824d13b6e398268665ef821d69bc2725
SHA1: b49ed939e73ff6d031591a6c6f937b3f1d55acdf
SHA256: e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b
SHA512: deb82aeb06d4651f758e5b8de11f7a6722bf6658c83a954d97ecbc87ea6c570b9b0303ac8109b228b39e275b5876a3070a924cb057c3ee9d96ba146aa87297ee
Malware Config
Signatures
OnlyLogger
A tiny loader that uses IPLogger to get its payload.

OnlyLogger Payload (2 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/4860-131-0x0000000002D50000-0x0000000002D96000-memory.dmp  family_onlylogger
  behavioral2/memory/4860-132-0x0000000000400000-0x0000000000F96000-memory.dmp  family_onlylogger

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (8 IoCs)
Processes:
  pid   pid_target  Process       procid_target
  1384  4860        WerFault.exe  79
  5084  4860        WerFault.exe  79
  2300  4860        WerFault.exe  79
  4944  4860        WerFault.exe  79
  5088  4860        WerFault.exe  79
  4976  4860        WerFault.exe  79
  4836  4860        WerFault.exe  79
  2972  4860        WerFault.exe  79

Kills process with taskkill (1 IoCs)
Processes:
  pid   Process
  3756  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description              pid   Process
  Token: SeDebugPrivilege  3756  taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                       pid   Process                                                               procid_target
  PID 4860 wrote to memory of 2896  4860  e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe  103
  PID 4860 wrote to memory of 2896  4860  e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe  103
  PID 4860 wrote to memory of 2896  4860  e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe  103
  PID 2896 wrote to memory of 3756  2896  cmd.exe                                                               106
  PID 2896 wrote to memory of 3756  2896  cmd.exe                                                               106
  PID 2896 wrote to memory of 3756  2896  cmd.exe                                                               106
Processes
C:\Users\Admin\AppData\Local\Temp\e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe"
  PID: 4860
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 612
    PID: 1384
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 620
    PID: 5084
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 736
    PID: 2300
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 744
    PID: 4944
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 872
    PID: 5088
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1092
    PID: 4976
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1236
    PID: 4836
    - Program crash

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe" & exit
    PID: 2896
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im "e2eb5aa43cc071dfbfc438623729d0ccc6d4510cba1e729271ac9753e1fefc5b.exe" /f
      PID: 3756
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1240
    PID: 2972
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4860 -ip 4860
  PID: 2908

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4860 -ip 4860
  PID: 644

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4860 -ip 4860
  PID: 2448

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4860 -ip 4860
  PID: 2264

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4860 -ip 4860
  PID: 4872

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4860 -ip 4860
  PID: 3576

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4860 -ip 4860
  PID: 4312

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4860 -ip 4860
  PID: 1960