onlylogger | 2f59e661904f9a4c62123f024eb7968cdc234f826bab077914ad8896ebf001c9 | Triage

Analysis

max time kernel
138s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
18-07-2022 18:35

Sharing

Report Analysis Logs

General

Target

Details.exe
Size

224KB
MD5

913fcca8aa37351d548fcb1ef3af9f10
SHA1

8955832408079abc33723d48135f792c9930b598
SHA256

2f59e661904f9a4c62123f024eb7968cdc234f826bab077914ad8896ebf001c9
SHA512

0283e875dfbc7b04eb5ce5a82e66fb99e945626ed7e2ed4f2bc90e54e4ef99c065e2f98464f0aec24c921bae020ff3a6f1b3a01bfd8bdcea8459113670519c2b

Score

10^/10

onlylogger loader

Malware Config

Signatures

OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4224-131-0x0000000000750000-0x0000000000780000-memory.dmp	family_onlylogger
behavioral2/memory/4224-132-0x0000000000400000-0x00000000004BF000-memory.dmp	family_onlylogger

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4876	4224	WerFault.exe	Details.exe
2740	4224	WerFault.exe	Details.exe
3160	4224	WerFault.exe	Details.exe
1012	4224	WerFault.exe	Details.exe
4396	4224	WerFault.exe	Details.exe
4424	4224	WerFault.exe	Details.exe
4940	4224	WerFault.exe	Details.exe
4496	4224	WerFault.exe	Details.exe

C:\Users\Admin\AppData\Local\Temp\Details.exe
"C:\Users\Admin\AppData\Local\Temp\Details.exe"
1⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 620
2⤵
- Program crash
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 656
2⤵
- Program crash
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 636
2⤵
- Program crash
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 724
2⤵
- Program crash
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 812
2⤵
- Program crash
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 884
2⤵
- Program crash
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1028
2⤵
- Program crash
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1036
2⤵
- Program crash
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4224 -ip 4224
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4224 -ip 4224
1⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4224 -ip 4224
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4224 -ip 4224
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4224 -ip 4224
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4224 -ip 4224
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4224 -ip 4224
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4224 -ip 4224
1⤵
PID:3416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4224-130-0x00000000007CD000-0x00000000007E9000-memory.dmp

Filesize
112KB

Download
memory/4224-131-0x0000000000750000-0x0000000000780000-memory.dmp

Filesize
192KB

Download
memory/4224-132-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download