Analysis
- max time kernel: 28s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 27-07-2022 00:50
Static task: static1
Behavioral task: behavioral1
  Sample: 539efe24846cc5cd476d50b6690d508743e62b0358bf9aa74fa4dda455bf3f4d.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 539efe24846cc5cd476d50b6690d508743e62b0358bf9aa74fa4dda455bf3f4d.exe
  Resource: win10v2004-20220721-en
General
- Target: 539efe24846cc5cd476d50b6690d508743e62b0358bf9aa74fa4dda455bf3f4d.exe
- Size: 434KB
- MD5: e60a53fdbb9c3b317fa294b1f2a5b632
- SHA1: 587c6f730e6ab168e6d697e4bd02b44df65f4205
- SHA256: 539efe24846cc5cd476d50b6690d508743e62b0358bf9aa74fa4dda455bf3f4d
- SHA512: 998c91693fed0519b571607c59135a655dd6f2eae6c3ffe0ff05680d33324227121fd9f8c6ecc717e2aa95d34687d17d55f360ad5a280c32d9003a5776ebf09d
Malware Config
Signatures
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
- OnlyLogger payload (2 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/1696-58-0x00000000002D0000-0x0000000000319000-memory.dmp | family_onlylogger
    behavioral1/memory/1696-60-0x0000000000400000-0x000000000103D000-memory.dmp | family_onlylogger
- Deletes itself (1 IoCs)
  Processes:
    pid | process
    1680 | cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  Processes:
    pid | process
    2008 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 2008 | taskkill.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description | pid | process | target process
    PID 1696 wrote to memory of 1680 | 1696 | 539efe24846cc5cd476d50b6690d508743e62b0358bf9aa74fa4dda455bf3f4d.exe | cmd.exe
    PID 1696 wrote to memory of 1680 | 1696 | 539efe24846cc5cd476d50b6690d508743e62b0358bf9aa74fa4dda455bf3f4d.exe | cmd.exe
    PID 1696 wrote to memory of 1680 | 1696 | 539efe24846cc5cd476d50b6690d508743e62b0358bf9aa74fa4dda455bf3f4d.exe | cmd.exe
    PID 1696 wrote to memory of 1680 | 1696 | 539efe24846cc5cd476d50b6690d508743e62b0358bf9aa74fa4dda455bf3f4d.exe | cmd.exe
    PID 1680 wrote to memory of 2008 | 1680 | cmd.exe | taskkill.exe
    PID 1680 wrote to memory of 2008 | 1680 | cmd.exe | taskkill.exe
    PID 1680 wrote to memory of 2008 | 1680 | cmd.exe | taskkill.exe
    PID 1680 wrote to memory of 2008 | 1680 | cmd.exe | taskkill.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\539efe24846cc5cd476d50b6690d508743e62b0358bf9aa74fa4dda455bf3f4d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\539efe24846cc5cd476d50b6690d508743e62b0358bf9aa74fa4dda455bf3f4d.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "539efe24846cc5cd476d50b6690d508743e62b0358bf9aa74fa4dda455bf3f4d.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\539efe24846cc5cd476d50b6690d508743e62b0358bf9aa74fa4dda455bf3f4d.exe" & exit
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im "539efe24846cc5cd476d50b6690d508743e62b0358bf9aa74fa4dda455bf3f4d.exe" /f
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1680-56-0x0000000000000000-mapping.dmp
- memory/1696-54-0x00000000010F8000-0x0000000001121000-memory.dmp (Filesize: 164KB)
- memory/1696-55-0x0000000075871000-0x0000000075873000-memory.dmp (Filesize: 8KB)
- memory/1696-57-0x00000000010F8000-0x0000000001121000-memory.dmp (Filesize: 164KB)
- memory/1696-58-0x00000000002D0000-0x0000000000319000-memory.dmp (Filesize: 292KB)
- memory/1696-60-0x0000000000400000-0x000000000103D000-memory.dmp (Filesize: 12.2MB)
- memory/2008-59-0x0000000000000000-mapping.dmp