2b21885c68cf8bcee3be7e08574372130a42c74a047b1f962cc5e270bb7b543e | Triage

Analysis

max time kernel
50s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-05-2022 09:20

Sharing

Report Analysis Logs

General

Target

EXPORT INVOICE.pdf.scr
Size

789KB
MD5

2cf09341b87d20404a6d824305ea5419
SHA1

ec9de894d7cb09ed3940db31dfc7a39cc1280acd
SHA256

2b21885c68cf8bcee3be7e08574372130a42c74a047b1f962cc5e270bb7b543e
SHA512

db8e247a8192ee53b96ee12a9b1e120e904b58b96f5ea3687d10bda3ea16d479bfe2da0db07b633b35bc03da9665d8ebe13a0e494a481bd88a76c30b79c2dbe9

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

944 1324 WerFault.exe EXPORT INVOICE.pdf.scr

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

EXPORT INVOICE.pdf.scr

description	pid	process	target process
PID 1324 wrote to memory of 944	1324	EXPORT INVOICE.pdf.scr	WerFault.exe
PID 1324 wrote to memory of 944	1324	EXPORT INVOICE.pdf.scr	WerFault.exe
PID 1324 wrote to memory of 944	1324	EXPORT INVOICE.pdf.scr	WerFault.exe
PID 1324 wrote to memory of 944	1324	EXPORT INVOICE.pdf.scr	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\EXPORT INVOICE.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\EXPORT INVOICE.pdf.scr" /S
1⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 700
2⤵
- Program crash
PID:944

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/944-57-0x0000000000000000-mapping.dmp

Download
memory/1324-54-0x0000000000970000-0x0000000000A3A000-memory.dmp

Filesize
808KB

Download
memory/1324-55-0x0000000076011000-0x0000000076013000-memory.dmp

Filesize
8KB

Download
memory/1324-56-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download