onlylogger | 3c74459ec6c11dd5a32d154b27eed6b90c1359edd2edb9f662a5bf9f0e7faf62

General

Target

3c74459ec6c11dd5a32d154b27eed6b90c1359edd2edb9f662a5bf9f0e7faf62.exe
Size

435KB
MD5

c1fbe1e2fce911062f0d6b933e8689c3
SHA1

9d21b8582bbbecea6a67ce40906a975d99504b03
SHA256

3c74459ec6c11dd5a32d154b27eed6b90c1359edd2edb9f662a5bf9f0e7faf62
SHA512

ba46705dfca8cb75707ca07b87f876a1217932522a7c14a69ccdc7822940aa8d9abdeeefba8517044d133b55041ecd8771c69c790b5ea2bc25e32fc1a1c69e3a

Score

10^/10

onlylogger loader

Malware Config

Signatures

OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1820-131-0x0000000000970000-0x00000000009B9000-memory.dmp	family_onlylogger
behavioral2/memory/1820-132-0x0000000000400000-0x000000000089C000-memory.dmp	family_onlylogger
behavioral2/memory/1820-135-0x0000000000400000-0x000000000089C000-memory.dmp	family_onlylogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3c74459ec6c11dd5a32d154b27eed6b90c1359edd2edb9f662a5bf9f0e7faf62.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c74459ec6c11dd5a32d154b27eed6b90c1359edd2edb9f662a5bf9f0e7faf62.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3452	1820	WerFault.exe	3c74459ec6c11dd5a32d154b27eed6b90c1359edd2edb9f662a5bf9f0e7faf62.exe
4208	1820	WerFault.exe	3c74459ec6c11dd5a32d154b27eed6b90c1359edd2edb9f662a5bf9f0e7faf62.exe
2040	1820	WerFault.exe	3c74459ec6c11dd5a32d154b27eed6b90c1359edd2edb9f662a5bf9f0e7faf62.exe
3820	1820	WerFault.exe	3c74459ec6c11dd5a32d154b27eed6b90c1359edd2edb9f662a5bf9f0e7faf62.exe
388	1820	WerFault.exe	3c74459ec6c11dd5a32d154b27eed6b90c1359edd2edb9f662a5bf9f0e7faf62.exe
960	1820	WerFault.exe	3c74459ec6c11dd5a32d154b27eed6b90c1359edd2edb9f662a5bf9f0e7faf62.exe
1996	1820	WerFault.exe	3c74459ec6c11dd5a32d154b27eed6b90c1359edd2edb9f662a5bf9f0e7faf62.exe
4512	1820	WerFault.exe	3c74459ec6c11dd5a32d154b27eed6b90c1359edd2edb9f662a5bf9f0e7faf62.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4508 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 4508 taskkill.exe

pid	process
4508	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	4508	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3c74459ec6c11dd5a32d154b27eed6b90c1359edd2edb9f662a5bf9f0e7faf62.execmd.exe

description	pid	process	target process
PID 1820 wrote to memory of 4008	1820	3c74459ec6c11dd5a32d154b27eed6b90c1359edd2edb9f662a5bf9f0e7faf62.exe	cmd.exe
PID 1820 wrote to memory of 4008	1820	3c74459ec6c11dd5a32d154b27eed6b90c1359edd2edb9f662a5bf9f0e7faf62.exe	cmd.exe
PID 1820 wrote to memory of 4008	1820	3c74459ec6c11dd5a32d154b27eed6b90c1359edd2edb9f662a5bf9f0e7faf62.exe	cmd.exe
PID 4008 wrote to memory of 4508	4008	cmd.exe	taskkill.exe
PID 4008 wrote to memory of 4508	4008	cmd.exe	taskkill.exe
PID 4008 wrote to memory of 4508	4008	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\3c74459ec6c11dd5a32d154b27eed6b90c1359edd2edb9f662a5bf9f0e7faf62.exe
"C:\Users\Admin\AppData\Local\Temp\3c74459ec6c11dd5a32d154b27eed6b90c1359edd2edb9f662a5bf9f0e7faf62.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 688
2⤵
- Program crash
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 764
2⤵
- Program crash
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 760
2⤵
- Program crash
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 928
2⤵
- Program crash
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 944
2⤵
- Program crash
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 964
2⤵
- Program crash
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 952
2⤵
- Program crash
PID:1996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "3c74459ec6c11dd5a32d154b27eed6b90c1359edd2edb9f662a5bf9f0e7faf62.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\3c74459ec6c11dd5a32d154b27eed6b90c1359edd2edb9f662a5bf9f0e7faf62.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "3c74459ec6c11dd5a32d154b27eed6b90c1359edd2edb9f662a5bf9f0e7faf62.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1132
2⤵
- Program crash
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1820 -ip 1820
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1820 -ip 1820
1⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1820 -ip 1820
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1820 -ip 1820
1⤵
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1820 -ip 1820
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1820 -ip 1820
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1820 -ip 1820
1⤵
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1820 -ip 1820
1⤵
PID:4532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1820-130-0x0000000000BD3000-0x0000000000BFC000-memory.dmp

Filesize
164KB

Download
memory/1820-131-0x0000000000970000-0x00000000009B9000-memory.dmp

Filesize
292KB

Download
memory/1820-132-0x0000000000400000-0x000000000089C000-memory.dmp

Filesize
4.6MB

Download
memory/1820-135-0x0000000000400000-0x000000000089C000-memory.dmp

Filesize
4.6MB

Download
memory/4008-133-0x0000000000000000-mapping.dmp

Download
memory/4508-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads