onlylogger | 7a946e218596327b5ed8fe58098c90b21d4f840326df156bc6d8bc4c77f7e34b | Triage

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
26-06-2022 19:05

Sharing

Report Analysis Logs

General

Target

new.exe
Size

593KB
MD5

6497af8b5878c53da45850422f66ac55
SHA1

f7de7985da6bddf37f4f8e53b079d130a5c1416a
SHA256

7a946e218596327b5ed8fe58098c90b21d4f840326df156bc6d8bc4c77f7e34b
SHA512

243fcea551926b191242424bb2c0f337e4b7a85ab3bc07d8e780f03ddc49e834e312a748953d12a87ba0b1f68567abf7c8cce4b5987d9e75d76e751f8dd47e5f

Score

10^/10

onlylogger loader

Malware Config

Signatures

OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4992-131-0x0000000002350000-0x000000000237D000-memory.dmp	family_onlylogger
behavioral1/memory/4992-132-0x0000000000400000-0x0000000000858000-memory.dmp	family_onlylogger

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2192	4992	WerFault.exe	new.exe
1524	4992	WerFault.exe	new.exe
4304	4992	WerFault.exe	new.exe
1972	4992	WerFault.exe	new.exe
3984	4992	WerFault.exe	new.exe
4308	4992	WerFault.exe	new.exe
224	4992	WerFault.exe	new.exe
3800	4992	WerFault.exe	new.exe

C:\Users\Admin\AppData\Local\Temp\new.exe
"C:\Users\Admin\AppData\Local\Temp\new.exe"
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 620
2⤵
- Program crash
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 660
2⤵
- Program crash
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 672
2⤵
- Program crash
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 784
2⤵
- Program crash
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 824
2⤵
- Program crash
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 808
2⤵
- Program crash
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 900
2⤵
- Program crash
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 20180
2⤵
- Program crash
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4992 -ip 4992
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4992 -ip 4992
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4992 -ip 4992
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4992 -ip 4992
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4992 -ip 4992
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4992 -ip 4992
1⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4992 -ip 4992
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4992 -ip 4992
1⤵
PID:1812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4992-130-0x00000000009C9000-0x00000000009E4000-memory.dmp

Filesize
108KB

Download
memory/4992-131-0x0000000002350000-0x000000000237D000-memory.dmp

Filesize
180KB

Download
memory/4992-132-0x0000000000400000-0x0000000000858000-memory.dmp

Filesize
4.3MB

Download
memory/4992-133-0x00000000009C9000-0x00000000009E4000-memory.dmp

Filesize
108KB

Download