Analysis Overview
SHA256
0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c
Threat Level: Known bad
The file 0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c was found to be: Known bad.
Malicious Activity Summary
OnlyLogger
OnlyLogger Payload
Program crash
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-05-29 20:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-29 20:38
Reported
2022-05-29 20:43
Platform
win7-20220414-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
OnlyLogger
OnlyLogger Payload
Processes
C:\Users\Admin\AppData\Local\Temp\0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c.exe
"C:\Users\Admin\AppData\Local\Temp\0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | appwebstat.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
Files
memory/1932-54-0x00000000757C1000-0x00000000757C3000-memory.dmp
memory/1932-56-0x00000000002D0000-0x0000000000313000-memory.dmp
memory/1932-55-0x0000000002BFD000-0x0000000002C24000-memory.dmp
memory/1932-57-0x0000000000400000-0x0000000002B34000-memory.dmp
memory/1932-58-0x0000000000400000-0x0000000002B34000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-29 20:38
Reported
2022-05-29 20:43
Platform
win10v2004-20220414-en
Max time kernel
152s
Max time network
155s
Command Line
Signatures
OnlyLogger
OnlyLogger Payload
Program crash
Processes
C:\Users\Admin\AppData\Local\Temp\0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c.exe
"C:\Users\Admin\AppData\Local\Temp\0d6d6ee1d3cc27a81e171ff9d95e68ba27654891ce4b9f492d926eb695e8421c.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4280 -ip 4280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4280 -ip 4280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4280 -ip 4280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4280 -ip 4280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4280 -ip 4280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4280 -ip 4280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4280 -ip 4280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4280 -ip 4280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4280 -ip 4280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4280 -ip 4280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4280 -ip 4280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1536
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 88.221.144.192:80 | | tcp |
| NL | 88.221.144.192:80 | | tcp |
| US | 8.8.8.8:53 | appwebstat.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
| US | 8.8.8.8:53 | ads-memory.biz | udp |
Files
memory/4280-130-0x0000000002E4E000-0x0000000002E75000-memory.dmp
memory/4280-131-0x00000000048D0000-0x0000000004913000-memory.dmp
memory/4280-132-0x0000000000400000-0x0000000002B34000-memory.dmp
memory/4280-133-0x0000000002E4E000-0x0000000002E75000-memory.dmp
memory/4280-134-0x00000000048D0000-0x0000000004913000-memory.dmp