fe2568cea3666dd24343675139ecc41ed6515bb7ef3a8c429d081d77ce4fecb4 | Triage

Analysis

max time kernel
44s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-09-2022 07:35

Sharing

Report Analysis Logs

General

Target

bb.img
Size

2.7MB
MD5

19b54d91705cce89218ece1e52bdb7ad
SHA1

905723cb555878c30990b4dde712279a9dd62f25
SHA256

fe2568cea3666dd24343675139ecc41ed6515bb7ef3a8c429d081d77ce4fecb4
SHA512

9c03491da4b2f2232e3a41532bc5dfca3c311c4661e4ad04a4f0af1cfe0c26f1f7b171190531e4b2362c280cfdd93bdc4ac9dcf290f157edb90be33a37f48adc
SSDEEP

49152:2ayur8YwnS01ZT37lLtdgnU46t5ABYUwdXgHJS0IHgGRtO2a8:2jQ8YwnS01pt5ABYUwdXgOA0

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 544	1348	cmd.exe	28
PID 1348 wrote to memory of 544	1348	cmd.exe	28
PID 1348 wrote to memory of 544	1348	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bb.img
1⤵
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\bb.img"
  2⤵
  PID:544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1348-54-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download