Analysis

max time kernel: 90s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-11-2022 14:43
Static task: static1

Behavioral task: behavioral1
  Sample: 8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: 8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe
  Resource: win10v2004-20220901-en
General

Target: 8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe
Size: 252KB
MD5: 8e6e835dede4156784b26cb01339f050
SHA1: d0f3846526cf7ed69b67301e419f72ce8ba981fd
SHA256: 8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762
SHA512: 05a4bda590b1d147aeb2a32b5c0c758700c585502083c003295b4ebe46927455e646b67b3570c11981441c3f90fb89e1441b72b7192755c8b8fa3efb50979516
SSDEEP: 6144:pIYAQk0weX2qSCpwv3+Ag/DomARu+Vd9Unv:CY3k2X2qJpC3PoX+VP
Malware Config
Signatures

OnlyLogger
A tiny loader that uses IPLogger to get its payload.

OnlyLogger payload (3 IoCs)
  resource                                                                        yara_rule
  behavioral2/memory/4372-133-0x0000000000530000-0x000000000057C000-memory.dmp   family_onlylogger
  behavioral2/memory/4372-134-0x0000000000400000-0x00000000004EA000-memory.dmp   family_onlylogger
  behavioral2/memory/4372-138-0x0000000000400000-0x00000000004EA000-memory.dmp   family_onlylogger

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  description        ioc                                                                                                    process
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation   8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this "likely ransomware behaviour", but no IoC is recorded for it in this report and the sample is classified above as a loader, so on its own it is not evidence of ransomware here.
Program crash (8 IoCs)
  pid    pid_target   process        target process
  668    4372         WerFault.exe   8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe
  3976   4372         WerFault.exe   8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe
  1364   4372         WerFault.exe   8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe
  4912   4372         WerFault.exe   8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe
  4264   4372         WerFault.exe   8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe
  204    4372         WerFault.exe   8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe
  3252   4372         WerFault.exe   8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe
  2148   4372         WerFault.exe   8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe

Kills process with taskkill (1 IoC)
  pid    process
  1792   taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                 pid    process
  Token: SeDebugPrivilege     1792   taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                          pid    process                                                                   target process
  PID 4372 wrote to memory of 3256     4372   8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe    cmd.exe
  PID 4372 wrote to memory of 3256     4372   8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe    cmd.exe
  PID 4372 wrote to memory of 3256     4372   8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe    cmd.exe
  PID 3256 wrote to memory of 1792     3256   cmd.exe                                                                   taskkill.exe
  PID 3256 wrote to memory of 1792     3256   cmd.exe                                                                   taskkill.exe
  PID 3256 wrote to memory of 1792     3256   cmd.exe                                                                   taskkill.exe
Processes

C:\Users\Admin\AppData\Local\Temp\8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe  (PID 4372)
    "C:\Users\Admin\AppData\Local\Temp\8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 620
        - Program crash
    C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 328
        - Program crash
    C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 740
        - Program crash
    C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 740
        - Program crash
    C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1088
        - Program crash
    C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1244
        - Program crash
    C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1144
        - Program crash

    C:\Windows\SysWOW64\cmd.exe  (PID 3256)
        "C:\Windows\System32\cmd.exe" /c taskkill /im "8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe" & exit
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe  (PID 1792)
            taskkill /im "8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe" /f
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1112
        - Program crash

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4372 -ip 4372
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4372 -ip 4372
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4372 -ip 4372
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4372 -ip 4372
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4372 -ip 4372
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4372 -ip 4372
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4372 -ip 4372
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4372 -ip 4372

Reading the tree: the sample runs from SysWOW64 paths (a 32-bit image on the x64 guest) as PID 4372, is the target of eight WerFault crash reports (the `-u -p 4372` children; the top-level `-pss ... -ip 4372` instances are started for the same crashing PID by the WER service rather than by the sample), and its last visible action is a cmd.exe one-liner that taskkills its own image with /f and erases the file from %TEMP%. The IPLogger-hosted payload the loader is described as fetching does not appear in this report: no dropped file and no network activity is listed.
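The two behaviours that stand out in the tree above, a process spawning cmd.exe to taskkill and erase its own image, and a crash loop of WerFault instances against one PID, are easy to express as detection logic over process-creation telemetry. The following is an added example, not code from the sandbox or from the OnlyLogger analysis: the event records are constructed here in the shape of Sysmon Event ID 1 fields (pid, ppid, image, cmdline) using the PIDs, paths and command lines visible in this report; the parent PID of the sample and the pairing of each WerFault PID with a specific `-s` value are assumptions for the sake of the sample data.

```python
"""Flag self-deletion via cmd.exe and WerFault crash loops from process-creation events.

Added example: EVENTS is constructed from the process tree in this report.
The sample's parent PID (1000) and the WerFault PID <-> -s pairing are assumed.
"""
import ntpath  # basename() must split on backslashes even when run on a non-Windows host
import re
from collections import Counter

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\8ad6deb9fd771066e35d6a4806f5164a9c4df53418966715778c1d7ffc063762.exe")
SAMPLE_NAME = ntpath.basename(SAMPLE)
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

def _ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}

EVENTS = [
    _ev(4372, 1000, SAMPLE, f'"{SAMPLE}"'),
    *[_ev(pid, 4372, WERFAULT, f"{WERFAULT} -u -p 4372 -s {s}")
      for pid, s in [(668, 620), (3976, 328), (1364, 740), (4912, 740),
                     (4264, 1088), (204, 1244), (3252, 1144), (2148, 1112)]],
    _ev(3256, 4372, r"C:\Windows\SysWOW64\cmd.exe",
        f'"C:\\Windows\\System32\\cmd.exe" /c taskkill /im "{SAMPLE_NAME}" /f & erase "{SAMPLE}" & exit'),
    _ev(1792, 3256, r"C:\Windows\SysWOW64\taskkill.exe", f'taskkill /im "{SAMPLE_NAME}" /f'),
]

WERFAULT_RE = re.compile(r"werfault\.exe\s+-u\s+-p\s+(\d+)", re.I)

def find_self_deletion(events):
    """cmd.exe children whose command line taskkills the parent's image name
    and erases/deletes the parent's on-disk path: the self-cleanup pattern seen above."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        cl = e["cmdline"].lower()
        pname = re.escape(ntpath.basename(parent["image"]).lower())
        ppath = re.escape(parent["image"].lower())
        kills_parent = re.search(r'taskkill\s.*?/im\s+"?' + pname, cl) is not None
        erases_parent = re.search(r'\b(?:erase|del)\b\s+"?' + ppath, cl) is not None
        if kills_parent and erases_parent:
            hits.append({"cmd_pid": e["pid"], "victim_pid": parent["pid"],
                         "victim_image": parent["image"]})
    return hits

def crash_counts(events, threshold=3):
    """PIDs that WerFault was invoked against (-u -p <pid>) at least `threshold` times.
    A single crash is noise; a loop of them on one PID is worth a look."""
    counts = Counter()
    for e in events:
        m = WERFAULT_RE.search(e["cmdline"])
        if m:
            counts[int(m.group(1))] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}

def triage(events):
    return {"self_deletion": find_self_deletion(events), "crash_loops": crash_counts(events)}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENTS), indent=2))
```

The self-deletion check keys on the relationship between child and parent (the parent's own image name and path appearing in the child's taskkill/erase arguments), not on any fixed file name, so it also fires when the sample is renamed. Registry reads such as the `Geo\Nation` lookup are not covered here because Sysmon does not log key value queries; the sandbox sees it through API hooking.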
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
  file                                                               filesize
  memory/1792-136-0x0000000000000000-mapping.dmp
  memory/3256-135-0x0000000000000000-mapping.dmp
  memory/4372-132-0x0000000000697000-0x00000000006C3000-memory.dmp   176KB
  memory/4372-133-0x0000000000530000-0x000000000057C000-memory.dmp   304KB
  memory/4372-134-0x0000000000400000-0x00000000004EA000-memory.dmp   936KB
  memory/4372-137-0x0000000000697000-0x00000000006C3000-memory.dmp   176KB
  memory/4372-138-0x0000000000400000-0x00000000004EA000-memory.dmp   936KB
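Before pulling any of these dumps, it is worth checking that the listing is internally consistent and deciding which region is the interesting one. The 0x400000-0x4EA000 dump (936KB) sits at the default 32-bit image base and is far larger than the 252KB file on disk, which is the usual signature of an unpacked in-memory image, and it is also where the `family_onlylogger` rule matched. The following added example, not code from the sandbox, parses the dump names above, confirms each stated filesize equals the region length, and flags regions at the image base that exceed the on-disk size. The "unpacked image" conclusion is a heuristic, stated as such in the code.

```python
"""Consistency checks on a sandbox memory-dump listing.

Added example. LISTING is copied from the Downloads table of this report;
the image-base heuristic is an assumption, not something the report states.
"""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# Copied from the Downloads list. The *-mapping.dmp entries carry no size on the page.
LISTING = {
    "memory/1792-136-0x0000000000000000-mapping.dmp": None,
    "memory/3256-135-0x0000000000000000-mapping.dmp": None,
    "memory/4372-132-0x0000000000697000-0x00000000006C3000-memory.dmp": "176KB",
    "memory/4372-133-0x0000000000530000-0x000000000057C000-memory.dmp": "304KB",
    "memory/4372-134-0x0000000000400000-0x00000000004EA000-memory.dmp": "936KB",
    "memory/4372-137-0x0000000000697000-0x00000000006C3000-memory.dmp": "176KB",
    "memory/4372-138-0x0000000000400000-0x00000000004EA000-memory.dmp": "936KB",
}
DISK_SIZE = 252 * 1024        # "Size: 252KB" from the General section
IMAGE_BASE_32 = 0x400000      # default image base for a 32-bit (SysWOW64) executable
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}

def parse_size(text):
    """'936KB' -> 958464. Sandbox sizes are rounded, so callers compare with a tolerance."""
    m = re.fullmatch(r"\s*(\d+)\s*(B|KB|MB)\s*", text, re.I)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2).upper()]

def parse_dump_name(name):
    """(pid, seq, start, end) for a region dump, or None for mapping dumps and other files."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    return int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)

def check_listing(listing, disk_size=DISK_SIZE, image_base=IMAGE_BASE_32):
    """One record per region dump: does the stated size match the address span,
    and does the region look like a full image larger than the file on disk?"""
    records = []
    for name, size_text in listing.items():
        parsed = parse_dump_name(name)
        if parsed is None:
            continue
        pid, seq, start, end = parsed
        length = end - start
        stated = parse_size(size_text) if size_text else None
        records.append({
            "pid": pid, "seq": seq, "start": start, "end": end, "length": length,
            "size_ok": stated is not None and abs(stated - length) <= 1024,
            "at_image_base": start == image_base,
            "larger_than_file": length > disk_size,
        })
    return records

def unpacked_candidates(listing, disk_size=DISK_SIZE):
    """Heuristic: a dump at the default image base that spans more than the on-disk
    file is likely the unpacked in-memory image, the one to rebuild and disassemble."""
    return [r for r in check_listing(listing, disk_size)
            if r["at_image_base"] and r["larger_than_file"]]

if __name__ == "__main__":
    for r in check_listing(LISTING):
        print(f"pid {r['pid']} seq {r['seq']}: 0x{r['start']:X}-0x{r['end']:X} "
              f"{r['length']} bytes size_ok={r['size_ok']} image_base={r['at_image_base']}")
    print("unpacked candidates:", [r["seq"] for r in unpacked_candidates(LISTING)])
```

Two dumps of the same range (seq 134 and 138, and likewise 132 and 137) are snapshots taken at different points of the run; diffing them shows what the loader rewrote in place between the two captures.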