onlylogger | 4e09c63602bea79e6a9ad1f757013a72f6a16b1b7991c20c995296cfed7e0972 | Triage

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 18:56

Sharing

Report Analysis Logs

General

Target

4e09c63602bea79e6a9ad1f757013a72f6a16b1b7991c20c995296cfed7e0972.exe
Size

346KB
MD5

6465ff23f054282177a15cc5f7ebc7ec
SHA1

92c0033e076de238169f17c76a41fcbb8d10930d
SHA256

4e09c63602bea79e6a9ad1f757013a72f6a16b1b7991c20c995296cfed7e0972
SHA512

507155b8dcc48b2e7a78a7771135588058f89985f7fe53ca546433a6d847d4b1c4dc61995d8159e3d5906eea64d49466cb78be236ca3bc5c448ae869b2328b16

Score

10^/10

onlylogger loader

Malware Config

Signatures

OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4876-131-0x0000000000660000-0x00000000006A3000-memory.dmp	family_onlylogger
behavioral2/memory/4876-132-0x0000000000400000-0x000000000058A000-memory.dmp	family_onlylogger
behavioral2/memory/4876-133-0x0000000000400000-0x000000000058A000-memory.dmp	family_onlylogger

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
640	4876	WerFault.exe	4e09c63602bea79e6a9ad1f757013a72f6a16b1b7991c20c995296cfed7e0972.exe
1900	4876	WerFault.exe	4e09c63602bea79e6a9ad1f757013a72f6a16b1b7991c20c995296cfed7e0972.exe
2904	4876	WerFault.exe	4e09c63602bea79e6a9ad1f757013a72f6a16b1b7991c20c995296cfed7e0972.exe
1780	4876	WerFault.exe	4e09c63602bea79e6a9ad1f757013a72f6a16b1b7991c20c995296cfed7e0972.exe
2000	4876	WerFault.exe	4e09c63602bea79e6a9ad1f757013a72f6a16b1b7991c20c995296cfed7e0972.exe
2428	4876	WerFault.exe	4e09c63602bea79e6a9ad1f757013a72f6a16b1b7991c20c995296cfed7e0972.exe
3464	4876	WerFault.exe	4e09c63602bea79e6a9ad1f757013a72f6a16b1b7991c20c995296cfed7e0972.exe
1560	4876	WerFault.exe	4e09c63602bea79e6a9ad1f757013a72f6a16b1b7991c20c995296cfed7e0972.exe
2020	4876	WerFault.exe	4e09c63602bea79e6a9ad1f757013a72f6a16b1b7991c20c995296cfed7e0972.exe
4564	4876	WerFault.exe	4e09c63602bea79e6a9ad1f757013a72f6a16b1b7991c20c995296cfed7e0972.exe
5056	4876	WerFault.exe	4e09c63602bea79e6a9ad1f757013a72f6a16b1b7991c20c995296cfed7e0972.exe

C:\Users\Admin\AppData\Local\Temp\4e09c63602bea79e6a9ad1f757013a72f6a16b1b7991c20c995296cfed7e0972.exe
"C:\Users\Admin\AppData\Local\Temp\4e09c63602bea79e6a9ad1f757013a72f6a16b1b7991c20c995296cfed7e0972.exe"
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 464
2⤵
- Program crash
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 644
2⤵
- Program crash
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 660
2⤵
- Program crash
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 804
2⤵
- Program crash
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 864
2⤵
- Program crash
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 592
2⤵
- Program crash
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1172
2⤵
- Program crash
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1212
2⤵
- Program crash
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 876
2⤵
- Program crash
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1556
2⤵
- Program crash
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1168
2⤵
- Program crash
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4876 -ip 4876
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4876 -ip 4876
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4876 -ip 4876
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4876 -ip 4876
1⤵
PID:244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4876 -ip 4876
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4876 -ip 4876
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4876 -ip 4876
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4876 -ip 4876
1⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4876 -ip 4876
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4876 -ip 4876
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4876 -ip 4876
1⤵
PID:1876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4876-130-0x0000000000893000-0x00000000008BA000-memory.dmp

Filesize
156KB

Download
memory/4876-131-0x0000000000660000-0x00000000006A3000-memory.dmp

Filesize
268KB

Download
memory/4876-132-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/4876-133-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download