Analysis
max time kernel: 78s
max time network: 59s
platform: windows7_x64
resource: win7-20220414-en
submitted: 11-05-2022 02:40
Static task: static1
Behavioral task: behavioral1
  Sample: 8a247a04783a7f2c1bda188afc2193a523001e698543fc3175375767833f66a0.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 8a247a04783a7f2c1bda188afc2193a523001e698543fc3175375767833f66a0.exe
  Resource: win10v2004-20220414-en
General
Target: 8a247a04783a7f2c1bda188afc2193a523001e698543fc3175375767833f66a0.exe
Size: 323KB
MD5: d83653278606c5f648c78ad1b6555c64
SHA1: 8446eca4631b6153560ad382f63274649e7426b3
SHA256: 8a247a04783a7f2c1bda188afc2193a523001e698543fc3175375767833f66a0
SHA512: 3ffdb5d5102db1d4e7b4c4e4f3cdb095dfa446cec8c22fc1707e3983b3bd39d85d33ff48d1a163a69ab81c3598d31188c1aee612b6cb1ec69016f768debce89e
Malware Config
Signatures
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
- OnlyLogger Payload (2 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1324-56-0x0000000000230000-0x0000000000276000-memory.dmp   family_onlylogger
    behavioral1/memory/1324-57-0x0000000000400000-0x0000000004DCD000-memory.dmp   family_onlylogger
- Deletes itself (1 IoCs)
  Processes:
    pid   Process
    956   cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  Processes:
    pid    Process
    2016   taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description               pid    Process
    Token: SeDebugPrivilege   2016   taskkill.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                       pid    Process                                                                 procid_target
    PID 1324 wrote to memory of 956   1324   8a247a04783a7f2c1bda188afc2193a523001e698543fc3175375767833f66a0.exe   28
    PID 1324 wrote to memory of 956   1324   8a247a04783a7f2c1bda188afc2193a523001e698543fc3175375767833f66a0.exe   28
    PID 1324 wrote to memory of 956   1324   8a247a04783a7f2c1bda188afc2193a523001e698543fc3175375767833f66a0.exe   28
    PID 1324 wrote to memory of 956   1324   8a247a04783a7f2c1bda188afc2193a523001e698543fc3175375767833f66a0.exe   28
    PID 956 wrote to memory of 2016   956    cmd.exe                                                                 30
    PID 956 wrote to memory of 2016   956    cmd.exe                                                                 30
    PID 956 wrote to memory of 2016   956    cmd.exe                                                                 30
    PID 956 wrote to memory of 2016   956    cmd.exe                                                                 30
Processes (process tree, indented by depth)
C:\Users\Admin\AppData\Local\Temp\8a247a04783a7f2c1bda188afc2193a523001e698543fc3175375767833f66a0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8a247a04783a7f2c1bda188afc2193a523001e698543fc3175375767833f66a0.exe"
  PID: 1324
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "8a247a04783a7f2c1bda188afc2193a523001e698543fc3175375767833f66a0.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\8a247a04783a7f2c1bda188afc2193a523001e698543fc3175375767833f66a0.exe" & exit
      PID: 956
      - Deletes itself
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /im "8a247a04783a7f2c1bda188afc2193a523001e698543fc3175375767833f66a0.exe" /f
          PID: 2016
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken