6e69038d76d420bc65eedac8eb5c5b727303efdff971bb7ad8b8f3b4deee8a45 | Triage

Analysis

max time kernel
41s
max time network
49s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
25-07-2022 09:10

Sharing

Report Analysis Logs

General

Target

Approved purchase order number PO2022070012.exe
Size

592KB
MD5

e06695c163531f7089ca1b243ee8873f
SHA1

aa90d5f607fcdf8bce905a5f1ba8e2de4765fdf3
SHA256

6e69038d76d420bc65eedac8eb5c5b727303efdff971bb7ad8b8f3b4deee8a45
SHA512

7be6f6bb944a17898efaee35c56337437d0399fccefe13bd1649fbb58a68ba4bd847b22849599b90708b64e51c8963952d79cb001910268c23bdf6e58fe7a890

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1964 1440 WerFault.exe Approved purchase order number PO2022070012.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Approved purchase order number PO2022070012.exe

description	pid	process	target process
PID 1440 wrote to memory of 1964	1440	Approved purchase order number PO2022070012.exe	WerFault.exe
PID 1440 wrote to memory of 1964	1440	Approved purchase order number PO2022070012.exe	WerFault.exe
PID 1440 wrote to memory of 1964	1440	Approved purchase order number PO2022070012.exe	WerFault.exe
PID 1440 wrote to memory of 1964	1440	Approved purchase order number PO2022070012.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Approved purchase order number PO2022070012.exe
"C:\Users\Admin\AppData\Local\Temp\Approved purchase order number PO2022070012.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 584
2⤵
- Program crash
PID:1964

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1440-54-0x0000000000F60000-0x0000000000FFA000-memory.dmp

Filesize
616KB

Download
memory/1440-55-0x00000000004D0000-0x0000000000538000-memory.dmp

Filesize
416KB

Download
memory/1964-56-0x0000000000000000-mapping.dmp

Download