Analysis
max time kernel: 45s
max time network: 48s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 18-07-2022 23:39
Static task: static1
Behavioral task: behavioral1
  Sample: 5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.exe
  Resource: win10v2004-20220414-en
General
Target: 5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.exe
Size: 435KB
MD5: 745e587c3cf97e13028cb0dea38d7e8f
SHA1: f046ffbc0f66c24d075100862c82c99e61958f62
SHA256: 5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a
SHA512: 9a339d0e9fd5dac834b80314e3390ebb4cc5dc48848a9f9fdd647d4c543de275bef010c01d34af1264fd111d8be650d388c4a3aa4efc7fb43d23c9e1ef1f19a8
Malware Config
Signatures
OnlyLogger
A tiny loader that uses IPLogger to get its payload.

OnlyLogger payload (2 IoCs)
Resource                                                                       YARA rule
behavioral1/memory/1660-58-0x00000000002A0000-0x00000000002E9000-memory.dmp    family_onlylogger
behavioral1/memory/1660-59-0x0000000000400000-0x000000000089C000-memory.dmp    family_onlylogger
Deletes itself (1 IoC)
Process: PID 1652, cmd.exe
Enumerates physical storage devices (1 TTP)
The sample attempts to interact with connected storage/optical drives. Triage's description of this signature calls it likely ransomware behaviour, but it is a generic heuristic; nothing else in this report (no file writes, no encryption activity) supports a ransomware classification for this sample, which the YARA hits identify as the OnlyLogger loader.
Kills process with taskkill (1 IoC)
Process: PID 952, taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Process: PID 952, taskkill.exe (Token: SeDebugPrivilege)
Suspicious use of WriteProcessMemory (8 IoCs)
Source PID  Source process                                                          Target PID  Target process
1660        5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.exe    1652        cmd.exe (4 writes)
1652        cmd.exe                                                                 952         taskkill.exe (4 writes)
Every recorded write goes from a parent into the child it has just created, which is what CreateProcess does when the parent sets up the new process's parameters. No write into an unrelated process is recorded, so this signature does not by itself indicate injection here.
Processes
1. C:\Users\Admin\AppData\Local\Temp\5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.exe" & exit
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im "5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.exe" /f
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
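Two things in the process tree are worth turning into detection logic. First, the self-deletion idiom: the sample spawns cmd.exe with a command line that kills the sample by image name and then erases its own file from disk, so the dropper is gone by the time a responder looks for it. Second, the command line names C:\Windows\System32\cmd.exe but the image that actually ran is C:\Windows\SysWOW64\cmd.exe: that is WOW64 file-system redirection, which tells you the parent is a 32-bit process on a 64-bit host. The following added example (not code from the report or from Triage) runs a self-deletion check over constructed process-creation events shaped like Sysmon Event ID 1 fields. The first three events mirror the report's tree; the ping-delay variant and the benign installer cleanup are constructed to show that the check generalises beyond taskkill and does not fire on a process deleting something other than its parent's image. Field names, the EVENTS list and the regexes are this example's own assumptions.

```python
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields), not the
# report's raw telemetry. The first three mirror the process tree above.
NAME = "5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.exe"
DROP = ntpath.join(r"C:\Users\Admin\AppData\Local\Temp", NAME)

EVENTS = [
    {"pid": 1660, "ppid": 1000, "image": DROP,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{DROP}"'},
    # The report's self-delete command. The image is SysWOW64\cmd.exe although the
    # command line names System32\cmd.exe (WOW64 redirection: 32-bit parent).
    {"pid": 1652, "ppid": 1660, "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": DROP,
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c taskkill /im "{NAME}" /f & erase "{DROP}" & exit'},
    {"pid": 952, "ppid": 1652, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": f'taskkill /im "{NAME}" /f'},
    # Constructed variant: wait for the parent to exit via ping instead of taskkill.
    {"pid": 2000, "ppid": 1990, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\Admin\Downloads\invoice.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del /f /q "C:\Users\Admin\Downloads\invoice.exe"'},
    # Constructed benign case: an installer removing a temp file, not its own image.
    {"pid": 2200, "ppid": 2100, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'cmd.exe /c del /q "C:\Users\Admin\AppData\Local\Temp\setup_cache.tmp"'},
]

# "del"/"erase", optional single-letter switches, then a quoted or bare path.
DEL_RE = re.compile(r'\b(?:del|erase)\s+(?:/[a-z]\s+)*("[^"]*"|[^\s&]+)', re.I)
# "taskkill ... /im <name>" within one &-separated command segment.
KILL_RE = re.compile(r'\btaskkill\b[^&]*?/im\s+("[^"]*"|[^\s&]+)', re.I)


def _unq(s):
    """Strip surrounding quotes and normalise case for path comparison."""
    return s.strip('"').strip().lower()


def self_delete_hits(events):
    """Return the cmd.exe events whose command line deletes the image of the
    process that spawned that cmd.exe (the self-deletion idiom)."""
    hits = []
    for ev in events:
        if ntpath.basename(ev["image"]).lower() != "cmd.exe":
            continue
        parent = ev["parent_image"].lower()
        parent_name = ntpath.basename(parent)
        cmd = ev["cmdline"]
        deleted = [_unq(p) for p in DEL_RE.findall(cmd)]
        killed = [_unq(k) for k in KILL_RE.findall(cmd)]
        # Match on the full path or, if the command only names the file, on basename.
        if any(p == parent or ntpath.basename(p) == parent_name for p in deleted):
            hits.append({
                "pid": ev["pid"], "ppid": ev["ppid"], "parent_image": ev["parent_image"],
                "deleted": deleted,
                "kills_parent": parent_name in killed,
                "delay": any(w in cmd.lower() for w in ("ping ", "timeout ")),
            })
    return hits


if __name__ == "__main__":
    for h in self_delete_hits(EVENTS):
        print(f"self-delete: cmd.exe pid {h['pid']} erases parent {h['parent_image']} "
              f"(taskkill={h['kills_parent']}, delay={h['delay']})")
```

The check keys on the parent/child relationship rather than on a fixed string, so renaming the dropper or swapping taskkill for a ping or timeout delay still fires. Pair it with a file-deletion event (Sysmon Event ID 23 or 26) on the same path if you want corroboration that the erase actually succeeded.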
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/952-60-0x0000000000000000-mapping.dmp
memory/1652-56-0x0000000000000000-mapping.dmp
memory/1660-54-0x0000000000928000-0x0000000000952000-memory.dmp (168KB)
memory/1660-55-0x00000000756C1000-0x00000000756C3000-memory.dmp (8KB)
memory/1660-57-0x0000000000928000-0x0000000000952000-memory.dmp (168KB)
memory/1660-58-0x00000000002A0000-0x00000000002E9000-memory.dmp (292KB)
memory/1660-59-0x0000000000400000-0x000000000089C000-memory.dmp (4.6MB)
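The dump file names encode the process ID, a sequence number and the virtual address range of each region, so the listing can be checked and cross-referenced without downloading anything. The added example below (this page's editor's code, not Triage's tooling) parses the names from the Downloads section, recomputes the sizes the report shows, attaches the family_onlylogger YARA hits from the Signatures section to their regions, and compares the 0x400000 image mapping against the 435KB file on disk. The region classification is a heuristic assumed here: 0x400000 is the default image base for 32-bit PE files (consistent with the SysWOW64 children in the process tree), addresses above 0x70000000 are where system DLLs normally load, and anything else is treated as a private allocation. The meaning of the zero-address mapping.dmp entries is not stated on the page and is only recorded as "mapping".

```python
import re

# Dump names copied from the Downloads section of the report.
DUMPS = [
    "memory/952-60-0x0000000000000000-mapping.dmp",
    "memory/1652-56-0x0000000000000000-mapping.dmp",
    "memory/1660-54-0x0000000000928000-0x0000000000952000-memory.dmp",
    "memory/1660-55-0x00000000756C1000-0x00000000756C3000-memory.dmp",
    "memory/1660-57-0x0000000000928000-0x0000000000952000-memory.dmp",
    "memory/1660-58-0x00000000002A0000-0x00000000002E9000-memory.dmp",
    "memory/1660-59-0x0000000000400000-0x000000000089C000-memory.dmp",
]
# YARA matches from the Signatures section (resource -> rule).
YARA_HITS = {
    "behavioral1/memory/1660-58-0x00000000002A0000-0x00000000002E9000-memory.dmp": "family_onlylogger",
    "behavioral1/memory/1660-59-0x0000000000400000-0x000000000089C000-memory.dmp": "family_onlylogger",
}
FILE_SIZE_ON_DISK = 435 * 1024  # "435KB" from the General section; exact byte count not on the page

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$")


def fmt_size(n):
    """Format the way the report does: whole KB below 1 MiB, one decimal MB above."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def classify(start):
    """Heuristic region label (assumption for this example, not from the report)."""
    if start == 0x400000:
        return "main image (default 32-bit PE base)"
    if start >= 0x70000000:
        return "high address, typical of a system DLL"
    return "private allocation below the image base"


def parse_dump(name):
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    info = {"pid": int(m["pid"]), "seq": int(m["seq"])}
    if m["end"] is None:
        info.update(kind="mapping", start=None, size=None, size_str=None, region=None)
        return info
    start, end = int(m["start"], 16), int(m["end"], 16)
    size = end - start
    info.update(kind="region", start=start, size=size,
                size_str=fmt_size(size), region=classify(start))
    return info


def analyze(dumps, yara_hits):
    """Parse every dump name and attach the YARA rules that matched it."""
    out = {}
    for name in dumps:
        info = parse_dump(name)
        # Signature resources carry a task prefix ("behavioral1/"); match on the suffix.
        info["yara"] = sorted(rule for res, rule in yara_hits.items() if res.endswith(name))
        out[name] = info
    return out


def image_expansion(result, disk_size=FILE_SIZE_ON_DISK):
    """Ratio of the mapped main-image region to the file size on disk."""
    for info in result.values():
        if info["kind"] == "region" and info["start"] == 0x400000:
            return info["size"] / disk_size
    return None


if __name__ == "__main__":
    res = analyze(DUMPS, YARA_HITS)
    for name, info in res.items():
        print(f"{name}: pid={info['pid']} {info['kind']} {info['size_str'] or ''} "
              f"{info['region'] or ''} yara={info['yara']}")
    print(f"main image mapped/disk ratio: {image_expansion(res):.1f}x")
```

The recomputed sizes agree with the report (168KB, 8KB, 168KB, 292KB, 4.6MB). Both YARA hits land in PID 1660: one on the 4.6MB mapping at the default image base, which is roughly eleven times the 435KB file on disk, and one on a separate 292KB private region. A mapped image that much larger than its file, plus a rule match in a private region, is the pattern you would expect from a loader that expands or decodes its payload in memory, though that reading is an inference from the sizes rather than something the report states.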