aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8 | Triage

Analysis

max time kernel
4s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
04-08-2022 13:31

Sharing

Report Analysis Logs

General

Target

tmpCF8A.tmp.exe
Size

52KB
MD5

d8e1495b46cded57eb1423b8bb789834
SHA1

db64bc20550e51c602dbb92d07c8f02842efebcc
SHA256

aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8
SHA512

8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1768 1704 WerFault.exe tmpCF8A.tmp.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

tmpCF8A.tmp.exe

description	pid	process	target process
PID 1704 wrote to memory of 1768	1704	tmpCF8A.tmp.exe	WerFault.exe
PID 1704 wrote to memory of 1768	1704	tmpCF8A.tmp.exe	WerFault.exe
PID 1704 wrote to memory of 1768	1704	tmpCF8A.tmp.exe	WerFault.exe
PID 1704 wrote to memory of 1768	1704	tmpCF8A.tmp.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\tmpCF8A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCF8A.tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 44
2⤵
- Program crash
PID:1768

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1768-54-0x0000000000000000-mapping.dmp

Download