onlylogger | 5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
18-07-2022 23:39

Target

5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.exe
Size

435KB
MD5

745e587c3cf97e13028cb0dea38d7e8f
SHA1

f046ffbc0f66c24d075100862c82c99e61958f62
SHA256

5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a
SHA512

9a339d0e9fd5dac834b80314e3390ebb4cc5dc48848a9f9fdd647d4c543de275bef010c01d34af1264fd111d8be650d388c4a3aa4efc7fb43d23c9e1ef1f19a8

Score

10^/10

onlylogger loader

OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1660-58-0x00000000002A0000-0x00000000002E9000-memory.dmp	family_onlylogger
behavioral1/memory/1660-59-0x0000000000400000-0x000000000089C000-memory.dmp	family_onlylogger

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1652 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

952 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 952 taskkill.exe

pid	process
1652	cmd.exe

pid	process
952	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	952	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.execmd.exe

description	pid	process	target process
PID 1660 wrote to memory of 1652	1660	5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.exe	cmd.exe
PID 1660 wrote to memory of 1652	1660	5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.exe	cmd.exe
PID 1660 wrote to memory of 1652	1660	5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.exe	cmd.exe
PID 1660 wrote to memory of 1652	1660	5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.exe	cmd.exe
PID 1652 wrote to memory of 952	1652	cmd.exe	taskkill.exe
PID 1652 wrote to memory of 952	1652	cmd.exe	taskkill.exe
PID 1652 wrote to memory of 952	1652	cmd.exe	taskkill.exe
PID 1652 wrote to memory of 952	1652	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.exe
"C:\Users\Admin\AppData\Local\Temp\5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1660

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/952-60-0x0000000000000000-mapping.dmp

Download
memory/1652-56-0x0000000000000000-mapping.dmp

Download
memory/1660-54-0x0000000000928000-0x0000000000952000-memory.dmp

Filesize
168KB

Download
memory/1660-55-0x00000000756C1000-0x00000000756C3000-memory.dmp

Filesize
8KB

Download
memory/1660-57-0x0000000000928000-0x0000000000952000-memory.dmp

Filesize
168KB

Download
memory/1660-58-0x00000000002A0000-0x00000000002E9000-memory.dmp

Filesize
292KB

Download
memory/1660-59-0x0000000000400000-0x000000000089C000-memory.dmp

Filesize
4.6MB

Download