154413a3db35cba21de61256313446c7b3a018234914335dbb564dfc6573aa11 | Triage

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 14:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

QUOTATION. PDF.exe
Size

1.2MB
MD5

487ea12043793b69aa642ab240b3b6fc
SHA1

2cb577232c33f07815b9e4491aeb4d89eec9d353
SHA256

154413a3db35cba21de61256313446c7b3a018234914335dbb564dfc6573aa11
SHA512

f4ad3230985d8de7c27d64dd4193c7ee31900f4addcf351c7950fada98831acc472951a129818b5650d8fb55084f15c8015216ed133d6030f2daa47209cc0e98
SSDEEP

24576:rAHnh+eWsN3skA4RV1Hom2KXcmtcFg3Tf/xvCE:Gh+ZkldoPKsacij/xv

Score

5^/10

Malware Config

Signatures

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1984-0-0x0000000001230000-0x0000000001361000-memory.dmp	autoit_exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2136	1984	WerFault.exe	27

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2136	1984	QUOTATION. PDF.exe	28
PID 1984 wrote to memory of 2136	1984	QUOTATION. PDF.exe	28
PID 1984 wrote to memory of 2136	1984	QUOTATION. PDF.exe	28
PID 1984 wrote to memory of 2136	1984	QUOTATION. PDF.exe	28

C:\Users\Admin\AppData\Local\Temp\QUOTATION. PDF.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION. PDF.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 236
  2⤵
  - Program crash
  PID:2136

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1984-0-0x0000000001230000-0x0000000001361000-memory.dmp

Filesize
1.2MB

Download