onlylogger | 4ad959759e71a47614f6059dcc8ec03ddd0cfda08b2f37a7d842277bebb422ad | Triage

Analysis

max time kernel
190s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
12-07-2022 11:54

Sharing

Report Analysis Logs

General

Target

4ad959759e71a47614f6059dcc8ec03ddd0cfda08b2f37a7d842277bebb422ad.exe
Size

433KB
MD5

789642b1d784a05de91de6f74a2e61ba
SHA1

82a27918673c1c0a41e9739f0f41ca25620ed9e7
SHA256

4ad959759e71a47614f6059dcc8ec03ddd0cfda08b2f37a7d842277bebb422ad
SHA512

59f703572b07431298eceda28d8195c00b61c9b6afe9a2477fe605400166be60f4281a4c48dd1e9ffad90eea7aa7da5d31638cb3235056f403b85f5dfa1d1cd5

Score

10^/10

onlylogger loader

Malware Config

Signatures

OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3776-132-0x00000000048B0000-0x00000000048F4000-memory.dmp	family_onlylogger
behavioral2/memory/3776-133-0x0000000000400000-0x0000000002B34000-memory.dmp	family_onlylogger

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4060	3776	WerFault.exe	4ad959759e71a47614f6059dcc8ec03ddd0cfda08b2f37a7d842277bebb422ad.exe
2832	3776	WerFault.exe	4ad959759e71a47614f6059dcc8ec03ddd0cfda08b2f37a7d842277bebb422ad.exe
4700	3776	WerFault.exe	4ad959759e71a47614f6059dcc8ec03ddd0cfda08b2f37a7d842277bebb422ad.exe
4644	3776	WerFault.exe	4ad959759e71a47614f6059dcc8ec03ddd0cfda08b2f37a7d842277bebb422ad.exe
4556	3776	WerFault.exe	4ad959759e71a47614f6059dcc8ec03ddd0cfda08b2f37a7d842277bebb422ad.exe
2824	3776	WerFault.exe	4ad959759e71a47614f6059dcc8ec03ddd0cfda08b2f37a7d842277bebb422ad.exe
2400	3776	WerFault.exe	4ad959759e71a47614f6059dcc8ec03ddd0cfda08b2f37a7d842277bebb422ad.exe
4440	3776	WerFault.exe	4ad959759e71a47614f6059dcc8ec03ddd0cfda08b2f37a7d842277bebb422ad.exe
428	3776	WerFault.exe	4ad959759e71a47614f6059dcc8ec03ddd0cfda08b2f37a7d842277bebb422ad.exe
3908	3776	WerFault.exe	4ad959759e71a47614f6059dcc8ec03ddd0cfda08b2f37a7d842277bebb422ad.exe

C:\Users\Admin\AppData\Local\Temp\4ad959759e71a47614f6059dcc8ec03ddd0cfda08b2f37a7d842277bebb422ad.exe
"C:\Users\Admin\AppData\Local\Temp\4ad959759e71a47614f6059dcc8ec03ddd0cfda08b2f37a7d842277bebb422ad.exe"
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 624
2⤵
- Program crash
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 664
2⤵
- Program crash
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 672
2⤵
- Program crash
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 628
2⤵
- Program crash
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 1008
2⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 1016
2⤵
- Program crash
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 1296
2⤵
- Program crash
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 1988
2⤵
- Program crash
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 536
2⤵
- Program crash
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 632
2⤵
- Program crash
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3776 -ip 3776
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3776 -ip 3776
1⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3776 -ip 3776
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3776 -ip 3776
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3776 -ip 3776
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3776 -ip 3776
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3776 -ip 3776
1⤵
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3776 -ip 3776
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3776 -ip 3776
1⤵
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3776 -ip 3776
1⤵
PID:820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3776-132-0x00000000048B0000-0x00000000048F4000-memory.dmp

Filesize
272KB

Download
memory/3776-131-0x0000000002CEE000-0x0000000002D16000-memory.dmp

Filesize
160KB

Download
memory/3776-133-0x0000000000400000-0x0000000002B34000-memory.dmp

Filesize
39.2MB

Download
memory/3776-134-0x0000000002CEE000-0x0000000002D16000-memory.dmp

Filesize
160KB

Download