380b8233ff261f67156ed127d938aff04cb279ead6cfe6a76702d9ea3701660f | Triage

Resubmissions

22-05-2024 19:57

240522-ypkassee44 3

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 19:57

Sharing

Report Analysis Logs

General

Target

Zebra Obfuscator.exe
Size

174KB
MD5

54bf50927e0af8a664c53e98bb494697
SHA1

4470613e048ce1ee412166ff2536d0964563e9a6
SHA256

380b8233ff261f67156ed127d938aff04cb279ead6cfe6a76702d9ea3701660f
SHA512

bca2432879b2b1c892142ac4bb1297e995b86ba03776c72122805cc953f4de0bd22ea9f0c1ff36fdc5609de889f4c9d928a6aa9a1c6cbf9d91ac2fc004a11de5
SSDEEP

3072:VDlOIOA4QfuzHoNlbn2/z29tJqDumuek29tJqDumueI:VRnOAzfuM2

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

836 840 WerFault.exe Zebra Obfuscator.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Zebra Obfuscator.exe

description	pid	process	target process
PID 840 wrote to memory of 836	840	Zebra Obfuscator.exe	WerFault.exe
PID 840 wrote to memory of 836	840	Zebra Obfuscator.exe	WerFault.exe
PID 840 wrote to memory of 836	840	Zebra Obfuscator.exe	WerFault.exe
PID 840 wrote to memory of 836	840	Zebra Obfuscator.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Zebra Obfuscator.exe
"C:\Users\Admin\AppData\Local\Temp\Zebra Obfuscator.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 556
2⤵
- Program crash
PID:836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/840-0-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/840-1-0x0000000001160000-0x0000000001196000-memory.dmp

Filesize
216KB

Download