8ee0b60536f5619417882bca1bbbee7f735290a29d5c838b410d42fe85b2f43d | Triage

Analysis

max time kernel
29s
max time network
32s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/06/2023, 18:29

Sharing

Report Analysis Logs

General

Target

伯俊有赞数据同步推送服务.exe
Size

45KB
MD5

34ee2d21b67628165ecab278fddaa524
SHA1

de5f212e3e876d0b165c2074d6bda73450ebda0c
SHA256

8ee0b60536f5619417882bca1bbbee7f735290a29d5c838b410d42fe85b2f43d
SHA512

013e82871551108becf674686ed9b8461e1362d1ff04367d562d1e0f0a817a9ccc74c8109090b671c1c30f139266eaec626dd75142a4bb51c050feaadfb5e578
SSDEEP

768:5HYJZ8uOoRHkoXeIpl2vgG9isKnehhppRkSxws1FzXJeWeloDrT:+DHkoXeI0gGYs+s1FzXJx+oD

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1360	1520	WerFault.exe	26

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1360	1520	伯俊有赞数据同步推送服务.exe	27
PID 1520 wrote to memory of 1360	1520	伯俊有赞数据同步推送服务.exe	27
PID 1520 wrote to memory of 1360	1520	伯俊有赞数据同步推送服务.exe	27

C:\Users\Admin\AppData\Local\Temp\伯俊有赞数据同步推送服务.exe
"C:\Users\Admin\AppData\Local\Temp\伯俊有赞数据同步推送服务.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1520 -s 536
  2⤵
  - Program crash
  PID:1360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1520-54-0x0000000000B50000-0x0000000000B62000-memory.dmp

Filesize
72KB

Download