356bbcec7867f89555b633c6764c082511178036046c5c8206713bdd8c4724e8

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
27-06-2022 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

356bbcec7867f89555b633c6764c082511178036046c5c8206713bdd8c4724e8.exe
Size

992KB
MD5

a4bb662d473fbfff6180e3ff6a3b5d74
SHA1

246e05cc59947ccf7157513c970b71874cb29c27
SHA256

356bbcec7867f89555b633c6764c082511178036046c5c8206713bdd8c4724e8
SHA512

ba894c67f29774b478017a732004ea280bfb3591b418adb88e6e0c40a281aa1ac70e3dceb00225a05073a536769f67f8ac8c609e31ce6d2a8a2ed9a7847d1292

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

860 1828 WerFault.exe 356bbcec7867f89555b633c6764c082511178036046c5c8206713bdd8c4724e8.exe

pid	pid_target	process	target process
860	1828	WerFault.exe	356bbcec7867f89555b633c6764c082511178036046c5c8206713bdd8c4724e8.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

356bbcec7867f89555b633c6764c082511178036046c5c8206713bdd8c4724e8.exe

description	pid	process	target process
PID 1828 wrote to memory of 860	1828	356bbcec7867f89555b633c6764c082511178036046c5c8206713bdd8c4724e8.exe	WerFault.exe
PID 1828 wrote to memory of 860	1828	356bbcec7867f89555b633c6764c082511178036046c5c8206713bdd8c4724e8.exe	WerFault.exe
PID 1828 wrote to memory of 860	1828	356bbcec7867f89555b633c6764c082511178036046c5c8206713bdd8c4724e8.exe	WerFault.exe
PID 1828 wrote to memory of 860	1828	356bbcec7867f89555b633c6764c082511178036046c5c8206713bdd8c4724e8.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\356bbcec7867f89555b633c6764c082511178036046c5c8206713bdd8c4724e8.exe
"C:\Users\Admin\AppData\Local\Temp\356bbcec7867f89555b633c6764c082511178036046c5c8206713bdd8c4724e8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 172
2⤵
- Program crash
PID:860

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/860-55-0x0000000000000000-mapping.dmp

Download
memory/1828-54-0x0000000075541000-0x0000000075543000-memory.dmp

Filesize
8KB

Download