e17f108dbdae317833c6a8771493512e0a773b5357c2535e1eba22fca1975477

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-en-20211208
submitted
04-01-2022 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0bbf57aae4d2807dce2ec9dff881b5ece9dcd236ab9753aefafdf67cc57e9b2.iso
Size

270KB
MD5

faa422c6ccfe96edff7000ebef7b5776
SHA1

d9d72c12edecd7218b15f1554515f79bde997f72
SHA256

d0bbf57aae4d2807dce2ec9dff881b5ece9dcd236ab9753aefafdf67cc57e9b2
SHA512

2f39df9b952074d1b10c880671896770681f1e736bf57271c5790d20afcf9cc41e7180cea3c07aa2dd60808eda85a389696f7529f50a38e374d34d5a0e782dce

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1592 wrote to memory of 268	1592	cmd.exe	isoburn.exe
PID 1592 wrote to memory of 268	1592	cmd.exe	isoburn.exe
PID 1592 wrote to memory of 268	1592	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\d0bbf57aae4d2807dce2ec9dff881b5ece9dcd236ab9753aefafdf67cc57e9b2.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\System32\isoburn.exe
"C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\d0bbf57aae4d2807dce2ec9dff881b5ece9dcd236ab9753aefafdf67cc57e9b2.iso"
2⤵
PID:268

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-55-0x0000000000000000-mapping.dmp

Download
memory/268-57-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1592-54-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp

Filesize
8KB

Download