22dc8f285c6a295d04d819bbcf8b2a9921536d28b40e15bdec32c9b02e44865e | Triage

Analysis

max time kernel
102s
max time network
105s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
13-01-2023 18:29

Sharing

Report Analysis Logs

General

Target

file.exe
Size

3.5MB
MD5

36a851f66225a2a17b500bb8d5a4cb85
SHA1

32aa1bba16dfe77644885fccd488d6d67da06c77
SHA256

22dc8f285c6a295d04d819bbcf8b2a9921536d28b40e15bdec32c9b02e44865e
SHA512

647e32ef94d48d067f3fc93789fb6dd425dc2acb7bc0757f7e4460a5602c9eaefa878f7555f219e77b10a1b1ced3a1ea7db42225b6af0be17b99a138a1a73165
SSDEEP

98304:b/E8A4wD6rM9DvlBYtA8mqMYE/T/GoTG6ri5l7+FZAeWqIq7P7CbM5zD6sILTjbV:g3T/md5h+tP9i4osI3jhMSN

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ipinfo.io
1 ipinfo.io
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1476 788 WerFault.exe file.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

file.exe

description	pid	process	target process
PID 788 wrote to memory of 1476	788	file.exe	WerFault.exe
PID 788 wrote to memory of 1476	788	file.exe	WerFault.exe
PID 788 wrote to memory of 1476	788	file.exe	WerFault.exe
PID 788 wrote to memory of 1476	788	file.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 932
2⤵
- Program crash
PID:1476

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/788-54-0x00000000763D1000-0x00000000763D3000-memory.dmp

Filesize
8KB

Download
memory/1476-55-0x0000000000000000-mapping.dmp

Download