onlylogger | 8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762

Analysis

max time kernel
45s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 14:43

Target

8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe
Size

252KB
MD5

8e6e835dede4156784b26cb01339f050
SHA1

d0f3846526cf7ed69b67301e419f72ce8ba981fd
SHA256

8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762
SHA512

05a4bda590b1d147aeb2a32b5c0c758700c585502083c003295b4ebe46927455e646b67b3570c11981441c3f90fb89e1441b72b7192755c8b8fa3efb50979516
SSDEEP

6144:pIYAQk0weX2qSCpwv3+Ag/DomARu+Vd9Unv:CY3k2X2qJpC3PoX+VP

Score

10^/10

onlylogger loader

OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1340-57-0x0000000000400000-0x00000000004EA000-memory.dmp	family_onlylogger
behavioral1/memory/1340-56-0x0000000000220000-0x000000000026C000-memory.dmp	family_onlylogger
behavioral1/memory/1340-60-0x0000000000400000-0x00000000004EA000-memory.dmp	family_onlylogger

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1180 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1472 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1472 taskkill.exe

pid	process
1180	cmd.exe

pid	process
1472	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1472	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.execmd.exe

description	pid	process	target process
PID 1340 wrote to memory of 1180	1340	8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe	cmd.exe
PID 1340 wrote to memory of 1180	1340	8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe	cmd.exe
PID 1340 wrote to memory of 1180	1340	8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe	cmd.exe
PID 1340 wrote to memory of 1180	1340	8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe	cmd.exe
PID 1180 wrote to memory of 1472	1180	cmd.exe	taskkill.exe
PID 1180 wrote to memory of 1472	1180	cmd.exe	taskkill.exe
PID 1180 wrote to memory of 1472	1180	cmd.exe	taskkill.exe
PID 1180 wrote to memory of 1472	1180	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe
"C:\Users\Admin\AppData\Local\Temp\8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1340

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/1180-58-0x0000000000000000-mapping.dmp

Download
memory/1340-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/1340-57-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1340-56-0x0000000000220000-0x000000000026C000-memory.dmp

Filesize
304KB

Download
memory/1340-55-0x00000000006CA000-0x00000000006F5000-memory.dmp

Filesize
172KB

Download
memory/1340-59-0x00000000006CA000-0x00000000006F5000-memory.dmp

Filesize
172KB

Download
memory/1340-60-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1472-61-0x0000000000000000-mapping.dmp

Download