f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822 | Triage

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 20:18

Sharing

Report Analysis Logs

General

Target

shippin docs.exe
Size

480KB
MD5

06d253413aa62c1eb72edb9fdc6e2a87
SHA1

a3d8c88b5b9709699c183925ce3ad653491aee9d
SHA256

f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822
SHA512

74eee8077764b41bb10bfdb2f8408af549951abdf9244d0c609de931ba6f847b6653d1088cb4394de875c0f23837b28f712cc4c8161a50d4127206bb669d68bb
SSDEEP

12288:q0aShcx7plNJAYnIKPPfpZlrySug8pG94L3st+s0u5jgbO:q0aSholNJrXdr5ug88ss0s0gEO

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1860 1184 WerFault.exe shippin docs.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

shippin docs.exe

description	pid	process	target process
PID 1184 wrote to memory of 1860	1184	shippin docs.exe	WerFault.exe
PID 1184 wrote to memory of 1860	1184	shippin docs.exe	WerFault.exe
PID 1184 wrote to memory of 1860	1184	shippin docs.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\shippin docs.exe
"C:\Users\Admin\AppData\Local\Temp\shippin docs.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1184 -s 528
2⤵
- Program crash
PID:1860

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1184-54-0x0000000000A50000-0x0000000000ACC000-memory.dmp

Filesize
496KB

Download
memory/1860-55-0x0000000000000000-mapping.dmp

Download