3ff802e875d54b64758cc2e91844a7d1d9c87c348dfc18604db5ee6dd856cca3 | Triage

Analysis

max time kernel
31s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 17:15

Sharing

Report Analysis Logs

General

Target

tmp.exe
Size

838KB
MD5

644ef0e96bb766efa2a3fe3a7dfb0d5c
SHA1

76f4bc8da9ef0130175a93d29ec7f913a904934b
SHA256

3ff802e875d54b64758cc2e91844a7d1d9c87c348dfc18604db5ee6dd856cca3
SHA512

c75591011ff6542f4ab6018ba58163f4d69ba6bcda6af68bc22c68a87b0f9f08d5d2d19da01d23c53cec30eec702ee3fc90f70e219827011caea5dbbac373af2
SSDEEP

12288:gg5VmNVT3J/0UNz5fPC6q1BQh/IObjfF7LLDEXlXY61XIOmM0uY:hLm3jJddnboDObjfxLXMVByx

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1600 1436 WerFault.exe tmp.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 1436 wrote to memory of 1600	1436	tmp.exe	WerFault.exe
PID 1436 wrote to memory of 1600	1436	tmp.exe	WerFault.exe
PID 1436 wrote to memory of 1600	1436	tmp.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1436 -s 512
2⤵
- Program crash
PID:1600

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1436-54-0x0000000001170000-0x0000000001246000-memory.dmp

Filesize
856KB

Download
memory/1600-55-0x0000000000000000-mapping.dmp

Download