aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8 | Triage

Analysis

max time kernel
43s
max time network
45s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
04-08-2022 13:35

Sharing

Report Analysis Logs

General

Target

tmpCF8A.tmp.exe
Size

52KB
MD5

d8e1495b46cded57eb1423b8bb789834
SHA1

db64bc20550e51c602dbb92d07c8f02842efebcc
SHA256

aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8
SHA512

8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

916 540 WerFault.exe tmpCF8A.tmp.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

tmpCF8A.tmp.exe

description	pid	process	target process
PID 540 wrote to memory of 916	540	tmpCF8A.tmp.exe	WerFault.exe
PID 540 wrote to memory of 916	540	tmpCF8A.tmp.exe	WerFault.exe
PID 540 wrote to memory of 916	540	tmpCF8A.tmp.exe	WerFault.exe
PID 540 wrote to memory of 916	540	tmpCF8A.tmp.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\tmpCF8A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCF8A.tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 44
  2⤵
  - Program crash
  PID:916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/916-54-0x0000000000000000-mapping.dmp

Download