Analysis

  • max time kernel
    91s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-07-2022 23:39

General

  • Target

    5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.exe

  • Size

    435KB

  • MD5

    745e587c3cf97e13028cb0dea38d7e8f

  • SHA1

    f046ffbc0f66c24d075100862c82c99e61958f62

  • SHA256

    5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a

  • SHA512

    9a339d0e9fd5dac834b80314e3390ebb4cc5dc48848a9f9fdd647d4c543de275bef010c01d34af1264fd111d8be650d388c4a3aa4efc7fb43d23c9e1ef1f19a8

Score
10/10

Malware Config

Signatures

  • OnlyLogger

    A tiny loader that uses IPLogger to get its payload.

  • OnlyLogger payload (3 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash (7 IoCs)
  • Kills process with taskkill (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.exe
    "C:\Users\Admin\AppData\Local\Temp\5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4260
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 688
      2⤵
      • Program crash
      PID:2300
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 712
      2⤵
      • Program crash
      PID:3616
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 944
      2⤵
      • Program crash
      PID:1056
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 796
      2⤵
      • Program crash
      PID:4220
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 796
      2⤵
      • Program crash
      PID:4480
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 988
      2⤵
      • Program crash
      PID:4316
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:380
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "5083a072f5be065e151d3116ac3f78b0a9322897f9c2fe9e18d0c477b943540a.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:768
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 944
      2⤵
      • Program crash
      PID:4784
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4260 -ip 4260
    1⤵
    PID:804
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4260 -ip 4260
    1⤵
    PID:4896
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4260 -ip 4260
    1⤵
    PID:5088
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4260 -ip 4260
    1⤵
    PID:4144
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4260 -ip 4260
    1⤵
    PID:4324
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4260 -ip 4260
    1⤵
    PID:4104
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4260 -ip 4260
    1⤵
    PID:2264

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    • Query Registry (1): T1012
    • System Information Discovery (2): T1082


Downloads

  • memory/380-133-0x0000000000000000-mapping.dmp
  • memory/768-134-0x0000000000000000-mapping.dmp
  • memory/4260-130-0x00000000008D3000-0x00000000008FC000-memory.dmp
    Filesize: 164KB
  • memory/4260-131-0x0000000000AF0000-0x0000000000B39000-memory.dmp
    Filesize: 292KB
  • memory/4260-132-0x0000000000400000-0x000000000089C000-memory.dmp
    Filesize: 4.6MB
  • memory/4260-135-0x0000000000400000-0x000000000089C000-memory.dmp
    Filesize: 4.6MB