Analysis
max time kernel: 152s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-07-2022 02:28
Static task: static1
Behavioral task: behavioral1
  Sample: 59e742420a1f471363bdeb8f7b4f94729d1b7fafe61c455399c107a5f54895f2.exe
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: 59e742420a1f471363bdeb8f7b4f94729d1b7fafe61c455399c107a5f54895f2.exe
  Resource: win10v2004-20220721-en
General
Target: 59e742420a1f471363bdeb8f7b4f94729d1b7fafe61c455399c107a5f54895f2.exe
Size: 355KB
MD5: 435dda5db2742db0149dabc440987008
SHA1: 5896cfd0d2ef1eb2ea13792c33889c78b4c212af
SHA256: 59e742420a1f471363bdeb8f7b4f94729d1b7fafe61c455399c107a5f54895f2
SHA512: b150ddbc9d861c91611235217d6dd8e32525f7beea0e1aeb82065423970dc4c194a1c281c79fd4ce8f525d42193d203591936f24c583a2a24507783d7d39fbd0
Malware Config
Signatures
OnlyLogger
A tiny loader that uses IPLogger to get its payload.

OnlyLogger payload (3 IoCs)
resource                                                                      yara_rule
behavioral2/memory/560-131-0x0000000004860000-0x00000000048A3000-memory.dmp  family_onlylogger
behavioral2/memory/560-132-0x0000000000400000-0x0000000002C3D000-memory.dmp  family_onlylogger
behavioral2/memory/560-133-0x0000000004860000-0x00000000048A3000-memory.dmp  family_onlylogger
Program crash (11 IoCs)
pid   pid_target  process       target process
4492  560         WerFault.exe  59e742420a1f471363bdeb8f7b4f94729d1b7fafe61c455399c107a5f54895f2.exe
4824  560         WerFault.exe  59e742420a1f471363bdeb8f7b4f94729d1b7fafe61c455399c107a5f54895f2.exe
1752  560         WerFault.exe  59e742420a1f471363bdeb8f7b4f94729d1b7fafe61c455399c107a5f54895f2.exe
1880  560         WerFault.exe  59e742420a1f471363bdeb8f7b4f94729d1b7fafe61c455399c107a5f54895f2.exe
400   560         WerFault.exe  59e742420a1f471363bdeb8f7b4f94729d1b7fafe61c455399c107a5f54895f2.exe
2640  560         WerFault.exe  59e742420a1f471363bdeb8f7b4f94729d1b7fafe61c455399c107a5f54895f2.exe
3012  560         WerFault.exe  59e742420a1f471363bdeb8f7b4f94729d1b7fafe61c455399c107a5f54895f2.exe
4528  560         WerFault.exe  59e742420a1f471363bdeb8f7b4f94729d1b7fafe61c455399c107a5f54895f2.exe
1540  560         WerFault.exe  59e742420a1f471363bdeb8f7b4f94729d1b7fafe61c455399c107a5f54895f2.exe
4832  560         WerFault.exe  59e742420a1f471363bdeb8f7b4f94729d1b7fafe61c455399c107a5f54895f2.exe
4888  560         WerFault.exe  59e742420a1f471363bdeb8f7b4f94729d1b7fafe61c455399c107a5f54895f2.exe
Processes (command line, PID; indented entries are children of the entry above)
"C:\Users\Admin\AppData\Local\Temp\59e742420a1f471363bdeb8f7b4f94729d1b7fafe61c455399c107a5f54895f2.exe"  PID: 560
    C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 260   PID: 4492  [Program crash]
    C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 604   PID: 4824  [Program crash]
    C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 604   PID: 1752  [Program crash]
    C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 820   PID: 1880  [Program crash]
    C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 856   PID: 400   [Program crash]
    C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 1164  PID: 2640  [Program crash]
    C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 1168  PID: 3012  [Program crash]
    C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 1400  PID: 4528  [Program crash]
    C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 1684  PID: 1540  [Program crash]
    C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 884   PID: 4832  [Program crash]
    C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 652   PID: 4888  [Program crash]
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 560 -ip 560  PID: 2980
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 560 -ip 560  PID: 4784
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 560 -ip 560  PID: 4544
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 560 -ip 560  PID: 4540
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 560 -ip 560  PID: 652
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 560 -ip 560  PID: 884
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 560 -ip 560  PID: 4160
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 560 -ip 560  PID: 4692
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 560 -ip 560  PID: 220
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 560 -ip 560  PID: 1536
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 560 -ip 560  PID: 5036