Analysis

  • max time kernel
    142s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-05-2022 12:00

General

  • Target

    bac663f2a8d3a67131c6098f1864cbdd03eacee21b66a20591980f01456cab30.exe

  • Size

    249KB

  • MD5

    325ad9cb87d12330e7fc94507282f799

  • SHA1

    7e34a218700dcfc430a631cf64c72e9f0d2d39f7

  • SHA256

    bac663f2a8d3a67131c6098f1864cbdd03eacee21b66a20591980f01456cab30

  • SHA512

    47e75f47147dc919e808f70182decee3c3ee25391ad4a9672dc4fac88dbc80e684e53beba9afdb7946b019a6a623ab1f6012cba9265a178da52724cfa333a5e4

Score
10/10

Malware Config

Signatures

  • OnlyLogger

    A tiny loader that uses IPLogger to get its payload.

  • OnlyLogger Payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 8 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bac663f2a8d3a67131c6098f1864cbdd03eacee21b66a20591980f01456cab30.exe
    "C:\Users\Admin\AppData\Local\Temp\bac663f2a8d3a67131c6098f1864cbdd03eacee21b66a20591980f01456cab30.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 612
      2⤵
      • Program crash
      PID:1592
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 648
      2⤵
      • Program crash
      PID:2700
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 740
      2⤵
      • Program crash
      PID:4640
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 748
      2⤵
      • Program crash
      PID:3840
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 748
      2⤵
      • Program crash
      PID:4784
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1172
      2⤵
      • Program crash
      PID:4356
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1228
      2⤵
      • Program crash
      PID:4128
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "bac663f2a8d3a67131c6098f1864cbdd03eacee21b66a20591980f01456cab30.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\bac663f2a8d3a67131c6098f1864cbdd03eacee21b66a20591980f01456cab30.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "bac663f2a8d3a67131c6098f1864cbdd03eacee21b66a20591980f01456cab30.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2336
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1172
      2⤵
      • Program crash
      PID:4168
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1444 -ip 1444
    1⤵
      PID:4704
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1444 -ip 1444
      1⤵
        PID:720
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1444 -ip 1444
        1⤵
          PID:4736
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1444 -ip 1444
          1⤵
            PID:4556
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1444 -ip 1444
            1⤵
              PID:4156
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1444 -ip 1444
              1⤵
                PID:4180
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1444 -ip 1444
                1⤵
                  PID:2416
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1444 -ip 1444
                  1⤵
                    PID:516

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/1444-131-0x0000000001283000-0x00000000012AB000-memory.dmp

                    Filesize

                    160KB

                  • memory/1444-132-0x00000000010A0000-0x00000000010E6000-memory.dmp

                    Filesize

                    280KB

                  • memory/1444-133-0x0000000000400000-0x0000000000F9C000-memory.dmp

                    Filesize

                    11.6MB

                  • memory/2336-135-0x0000000000000000-mapping.dmp

                  • memory/4768-134-0x0000000000000000-mapping.dmp