Malware Analysis Report

2024-12-08 02:24

Sample ID 220529-zer4bsdcap
Target 0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c
SHA256 0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c
Tags
onlylogger loader
score
10/10

Analysis Overview

score
10/10

SHA256

0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c

Threat Level: Known bad

The file 0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c was found to be: Known bad.

Malicious Activity Summary

onlylogger loader

OnlyLogger

OnlyLogger Payload

Program crash

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-05-29 20:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-29 20:38

Reported

2022-05-29 20:43

Platform

win7-20220414-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c.exe"

Signatures

OnlyLogger

loader onlylogger

OnlyLogger Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c.exe

"C:\Users\Admin\AppData\Local\Temp\0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 appwebstat.biz udp
US 8.8.8.8:53 ads-memory.biz udp

Files

memory/1932-54-0x00000000757C1000-0x00000000757C3000-memory.dmp

memory/1932-56-0x00000000002D0000-0x0000000000313000-memory.dmp

memory/1932-55-0x0000000002BFD000-0x0000000002C24000-memory.dmp

memory/1932-57-0x0000000000400000-0x0000000002B34000-memory.dmp

memory/1932-58-0x0000000000400000-0x0000000002B34000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-29 20:38

Reported

2022-05-29 20:43

Platform

win10v2004-20220414-en

Max time kernel

152s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c.exe"

Signatures

OnlyLogger

loader onlylogger

OnlyLogger Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c.exe

"C:\Users\Admin\AppData\Local\Temp\0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4280 -ip 4280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4280 -ip 4280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4280 -ip 4280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4280 -ip 4280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4280 -ip 4280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4280 -ip 4280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4280 -ip 4280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4280 -ip 4280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4280 -ip 4280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4280 -ip 4280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4280 -ip 4280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1536

Network

Country Destination Domain Proto
NL 88.221.144.192:80 tcp
NL 88.221.144.192:80 tcp
US 8.8.8.8:53 appwebstat.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp
US 8.8.8.8:53 ads-memory.biz udp

Files

memory/4280-130-0x0000000002E4E000-0x0000000002E75000-memory.dmp

memory/4280-131-0x00000000048D0000-0x0000000004913000-memory.dmp

memory/4280-132-0x0000000000400000-0x0000000002B34000-memory.dmp

memory/4280-133-0x0000000002E4E000-0x0000000002E75000-memory.dmp

memory/4280-134-0x00000000048D0000-0x0000000004913000-memory.dmp