Analysis
max time kernel: 142s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 12-05-2022 12:00
Static task: static1
Behavioral task: behavioral1
  Sample: bac663f2a8d3a67131c6098f1864cbdd03eacee21b66a20591980f01456cab30.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: bac663f2a8d3a67131c6098f1864cbdd03eacee21b66a20591980f01456cab30.exe
  Resource: win10v2004-20220414-en
General
Target: bac663f2a8d3a67131c6098f1864cbdd03eacee21b66a20591980f01456cab30.exe
Size: 249KB
MD5: 325ad9cb87d12330e7fc94507282f799
SHA1: 7e34a218700dcfc430a631cf64c72e9f0d2d39f7
SHA256: bac663f2a8d3a67131c6098f1864cbdd03eacee21b66a20591980f01456cab30
SHA512: 47e75f47147dc919e808f70182decee3c3ee25391ad4a9672dc4fac88dbc80e684e53beba9afdb7946b019a6a623ab1f6012cba9265a178da52724cfa333a5e4
Malware Config
Signatures
OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
OnlyLogger Payload (2 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/1444-132-0x00000000010A0000-0x00000000010E6000-memory.dmp  family_onlylogger
    behavioral2/memory/1444-133-0x0000000000400000-0x0000000000F9C000-memory.dmp  family_onlylogger
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: bac663f2a8d3a67131c6098f1864cbdd03eacee21b66a20591980f01456cab30.exe
    description        ioc                                                                                                   Process
    Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  bac663f2a8d3a67131c6098f1864cbdd03eacee21b66a20591980f01456cab30.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (8 IoCs)
  Processes: WerFault.exe (8 instances)
    pid   pid_target  Process       procid_target
    1592  1444        WerFault.exe  82
    2700  1444        WerFault.exe  82
    4640  1444        WerFault.exe  82
    3840  1444        WerFault.exe  82
    4784  1444        WerFault.exe  82
    4356  1444        WerFault.exe  82
    4128  1444        WerFault.exe  82
    4168  1444        WerFault.exe  82
Kills process with taskkill (1 IoCs)
  Processes: taskkill.exe
    pid   Process
    2336  taskkill.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: taskkill.exe
    description              pid   Process
    Token: SeDebugPrivilege  2336  taskkill.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: bac663f2a8d3a67131c6098f1864cbdd03eacee21b66a20591980f01456cab30.exe, cmd.exe
    description                       pid   Process                                                                procid_target
    PID 1444 wrote to memory of 4768  1444  bac663f2a8d3a67131c6098f1864cbdd03eacee21b66a20591980f01456cab30.exe  99
    PID 1444 wrote to memory of 4768  1444  bac663f2a8d3a67131c6098f1864cbdd03eacee21b66a20591980f01456cab30.exe  99
    PID 1444 wrote to memory of 4768  1444  bac663f2a8d3a67131c6098f1864cbdd03eacee21b66a20591980f01456cab30.exe  99
    PID 4768 wrote to memory of 2336  4768  cmd.exe                                                                103
    PID 4768 wrote to memory of 2336  4768  cmd.exe                                                                103
    PID 4768 wrote to memory of 2336  4768  cmd.exe                                                                103
Processes
C:\Users\Admin\AppData\Local\Temp\bac663f2a8d3a67131c6098f1864cbdd03eacee21b66a20591980f01456cab30.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bac663f2a8d3a67131c6098f1864cbdd03eacee21b66a20591980f01456cab30.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 1444
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 612
      - Program crash
      PID: 1592
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 648
      - Program crash
      PID: 2700
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 740
      - Program crash
      PID: 4640
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 748
      - Program crash
      PID: 3840
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 748
      - Program crash
      PID: 4784
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1172
      - Program crash
      PID: 4356
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1228
      - Program crash
      PID: 4128
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "bac663f2a8d3a67131c6098f1864cbdd03eacee21b66a20591980f01456cab30.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\bac663f2a8d3a67131c6098f1864cbdd03eacee21b66a20591980f01456cab30.exe" & exit
      - Suspicious use of WriteProcessMemory
      PID: 4768
        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /im "bac663f2a8d3a67131c6098f1864cbdd03eacee21b66a20591980f01456cab30.exe" /f
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 2336
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1172
      - Program crash
      PID: 4168
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1444 -ip 1444
  PID: 4704
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1444 -ip 1444
  PID: 720
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1444 -ip 1444
  PID: 4736
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1444 -ip 1444
  PID: 4556
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1444 -ip 1444
  PID: 4156
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1444 -ip 1444
  PID: 4180
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1444 -ip 1444
  PID: 2416
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1444 -ip 1444
  PID: 516