620bace13215ee69bcbdf8ac237798e8ab2ff052492303e2bac32d0a5a03f44a | Triage

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-01-2024 16:19

Sharing

Report Analysis Logs

General

Target

file.exe
Size

655KB
MD5

167c40ace009f5d5cda541008804c3b3
SHA1

541bc50815f39227b9e01e5e4db6a08c02cedf4d
SHA256

620bace13215ee69bcbdf8ac237798e8ab2ff052492303e2bac32d0a5a03f44a
SHA512

60aa62eb8803bc2a8e95ea3ecadeb93e3859288d1b06a1d63451f48b10b8bbeef862c978143b419cf82d9f0fb6e1792cf82dd466f184173ca9bc8a7ffae09c15
SSDEEP

12288:N7D2B/BSBPPdVUQK6HeZ+0PRJl0cTPqvo4qMP/Ai:NdEQlXplvo4bPd

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1800 2164 WerFault.exe file.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

file.exe

description	pid	process	target process
PID 2164 wrote to memory of 1800	2164	file.exe	WerFault.exe
PID 2164 wrote to memory of 1800	2164	file.exe	WerFault.exe
PID 2164 wrote to memory of 1800	2164	file.exe	WerFault.exe
PID 2164 wrote to memory of 1800	2164	file.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 96
2⤵
- Program crash
PID:1800

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2164-0-0x00000000004B0000-0x0000000000539000-memory.dmp

Filesize
548KB

Download
memory/2164-5-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download