9a7f5a09814e2759ea89731a9075d52a1541d124941de8ea9fc6610ff959c387 | Triage

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 15:37

Sharing

Report Analysis Logs

General

Target

tmp.exe
Size

334KB
MD5

1922d66fbc44d5219b8853b0f4356dc8
SHA1

0b1f173c3a698e62be194487f88c0ba207c2ccf8
SHA256

9a7f5a09814e2759ea89731a9075d52a1541d124941de8ea9fc6610ff959c387
SHA512

49092e6d64d1c3ba5bcc4c59b1cf1b0276b9a4f0f7bb7747dde6de73809163109115cbf680f59fbe2986f1d9f527db0d58a01d5704618b6d831673762f9c3388
SSDEEP

6144:eMaGDOd9m6Gt8wX3VsXZ5yUg+yb8flBMJBmvGKxOzVO+qvowAWjW3eE8V/OD0CC:6tat875yUg+yclBMJU7qMo6RKC

Score

9^/10

Malware Config

Signatures

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

resource	yara_rule
behavioral1/memory/1660-54-0x000000013F9F0000-0x000000013FA48000-memory.dmp	beds_protector

Program crash 1 IoCs

pid	pid_target	Process	procid_target
576	1660	WerFault.exe	27

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 576	1660	tmp.exe	28
PID 1660 wrote to memory of 576	1660	tmp.exe	28
PID 1660 wrote to memory of 576	1660	tmp.exe	28

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1660 -s 548
  2⤵
  - Program crash
  PID:576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1660-54-0x000000013F9F0000-0x000000013FA48000-memory.dmp

Filesize
352KB

Download