onlylogger | 45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b

General

Target

45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe
Size

434KB
MD5

bd9c163f9a299b73f0ba445823d2377e
SHA1

66789c2eeec3524beec9ca434d93dbc9fba1ceaf
SHA256

45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b
SHA512

51f6740a9e84d5de9963ef6cfb2f0e77a23847df9930484e9924104531ffadcc0aa08053faa24bfbefff16f97a299811e7cf2d18e98d57f35caf53ebbc7556fb

Score

10^/10

onlylogger loader

Malware Config

Signatures

OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3996-131-0x0000000000D10000-0x0000000000D59000-memory.dmp	family_onlylogger
behavioral2/memory/3996-132-0x0000000000400000-0x000000000089C000-memory.dmp	family_onlylogger
behavioral2/memory/3996-134-0x0000000000D10000-0x0000000000D59000-memory.dmp	family_onlylogger
behavioral2/memory/3996-138-0x0000000000400000-0x000000000089C000-memory.dmp	family_onlylogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1724	3996	WerFault.exe	45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe
2204	3996	WerFault.exe	45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe
5040	3996	WerFault.exe	45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe
4672	3996	WerFault.exe	45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe
2196	3996	WerFault.exe	45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe
1604	3996	WerFault.exe	45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe
2912	3996	WerFault.exe	45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe
1760	3996	WerFault.exe	45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3160 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 3160 taskkill.exe

pid	process
3160	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	3160	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.execmd.exe

description	pid	process	target process
PID 3996 wrote to memory of 3652	3996	45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe	cmd.exe
PID 3996 wrote to memory of 3652	3996	45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe	cmd.exe
PID 3996 wrote to memory of 3652	3996	45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe	cmd.exe
PID 3652 wrote to memory of 3160	3652	cmd.exe	taskkill.exe
PID 3652 wrote to memory of 3160	3652	cmd.exe	taskkill.exe
PID 3652 wrote to memory of 3160	3652	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe
"C:\Users\Admin\AppData\Local\Temp\45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 744
2⤵
- Program crash
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 796
2⤵
- Program crash
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 856
2⤵
- Program crash
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 800
2⤵
- Program crash
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 956
2⤵
- Program crash
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 944
2⤵
- Program crash
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 988
2⤵
- Program crash
PID:2912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "45cf856f06e0fa7ff0bf65c620d29b2ad7125efeaf9f0ef2dbd71eca7fb5683b.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1032
2⤵
- Program crash
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3996 -ip 3996
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3996 -ip 3996
1⤵
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3996 -ip 3996
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3996 -ip 3996
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3996 -ip 3996
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3996 -ip 3996
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3996 -ip 3996
1⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3996 -ip 3996
1⤵
PID:3672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3160-136-0x0000000000000000-mapping.dmp

Download
memory/3652-135-0x0000000000000000-mapping.dmp

Download
memory/3996-130-0x0000000000C29000-0x0000000000C52000-memory.dmp

Filesize
164KB

Download
memory/3996-131-0x0000000000D10000-0x0000000000D59000-memory.dmp

Filesize
292KB

Download
memory/3996-132-0x0000000000400000-0x000000000089C000-memory.dmp

Filesize
4.6MB

Download
memory/3996-133-0x0000000000C29000-0x0000000000C52000-memory.dmp

Filesize
164KB

Download
memory/3996-134-0x0000000000D10000-0x0000000000D59000-memory.dmp

Filesize
292KB

Download
memory/3996-137-0x0000000000C29000-0x0000000000C52000-memory.dmp

Filesize
164KB

Download
memory/3996-138-0x0000000000400000-0x000000000089C000-memory.dmp

Filesize
4.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads