6cd321b504c7323e893fa7e55125696ba87ab42fc3077e11ff9eedabd6b0893e | Triage

Analysis

max time kernel
39s
max time network
43s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 12:23

Sharing

Report Analysis Logs

General

Target

BOOKING.exe
Size

291KB
MD5

c97d31e6c4311d688c7de8a19ba9f488
SHA1

2c0aa234321581f6414535e165a832b8cd4a4704
SHA256

1fbae4f859c40f9446d06e76a4acf496fe0a43fb93b87f87d1077ab8a4490480
SHA512

62ffa02b28fa3105aa8da596d3f1fa3d26e820909de85e63dc1b539ac02305e08d5e77ec06a462f9864c281d3ff5db71fb8c9f624ea973c99981da080fa8b0ee

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1164 964 WerFault.exe BOOKING.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

BOOKING.exe

description	pid	process	target process
PID 964 wrote to memory of 1164	964	BOOKING.exe	WerFault.exe
PID 964 wrote to memory of 1164	964	BOOKING.exe	WerFault.exe
PID 964 wrote to memory of 1164	964	BOOKING.exe	WerFault.exe
PID 964 wrote to memory of 1164	964	BOOKING.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\BOOKING.exe
"C:\Users\Admin\AppData\Local\Temp\BOOKING.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 544
2⤵
- Program crash
PID:1164

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/964-54-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/964-55-0x0000000001110000-0x000000000112B000-memory.dmp

Filesize
108KB

Download
memory/1164-56-0x0000000000000000-mapping.dmp

Download