Analysis
- max time kernel: 36s
- max time network: 41s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 07-07-2022 10:45
Static task: static1
Behavioral task: behavioral1
- Sample: 45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe
- Resource: win10v2004-20220414-en
General
- Target: 45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe
- Size: 434KB
- MD5: bd9c163f9a299b73f0ba445823d2377e
- SHA1: 66789c2eeec3524beec9ca434d93dbc9fba1ceaf
- SHA256: 45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b
- SHA512: 51f6740a9e84d5de9963ef6cfb2f0e77a23847df9930484e9924104531ffadcc0aa08053faa24bfbefff16f97a299811e7cf2d18e98d57f35caf53ebbc7556fb
Malware Config
Signatures
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
- OnlyLogger payload (3 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1280-57-0x0000000000220000-0x0000000000269000-memory.dmp  family_onlylogger
    behavioral1/memory/1280-60-0x0000000000400000-0x000000000089C000-memory.dmp  family_onlylogger
    behavioral1/memory/1280-62-0x0000000000400000-0x000000000089C000-memory.dmp  family_onlylogger
- Deletes itself (1 IoCs)
  Processes:
    pid   process
    1640  cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  Processes:
    pid   process
    1500  taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1500  taskkill.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                       pid   process                                                                  target process
    PID 1280 wrote to memory of 1640  1280  45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe  cmd.exe
    PID 1280 wrote to memory of 1640  1280  45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe  cmd.exe
    PID 1280 wrote to memory of 1640  1280  45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe  cmd.exe
    PID 1280 wrote to memory of 1640  1280  45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe  cmd.exe
    PID 1640 wrote to memory of 1500  1640  cmd.exe                                                                  taskkill.exe
    PID 1640 wrote to memory of 1500  1640  cmd.exe                                                                  taskkill.exe
    PID 1640 wrote to memory of 1500  1640  cmd.exe                                                                  taskkill.exe
    PID 1640 wrote to memory of 1500  1640  cmd.exe                                                                  taskkill.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe" & exit
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im "45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe" /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1280-54-0x0000000000A59000-0x0000000000A82000-memory.dmp (Filesize: 164KB)
- memory/1280-55-0x00000000756E1000-0x00000000756E3000-memory.dmp (Filesize: 8KB)
- memory/1280-56-0x0000000000A59000-0x0000000000A82000-memory.dmp (Filesize: 164KB)
- memory/1280-57-0x0000000000220000-0x0000000000269000-memory.dmp (Filesize: 292KB)
- memory/1280-59-0x0000000000A59000-0x0000000000A82000-memory.dmp (Filesize: 164KB)
- memory/1280-60-0x0000000000400000-0x000000000089C000-memory.dmp (Filesize: 4.6MB)
- memory/1280-62-0x0000000000400000-0x000000000089C000-memory.dmp (Filesize: 4.6MB)
- memory/1500-61-0x0000000000000000-mapping.dmp
- memory/1640-58-0x0000000000000000-mapping.dmp