f1717d697da8cab2e5bd34462f692158728f7102734efe53381d0b0715977545

Analysis

max time kernel
38s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
15-09-2022 10:56

Target

4518b5c65eb93ff1e31024f61e25569a9903753816d50e7258722bb608e3cf1b.iso
Size

2.8MB
MD5

b87965a169aeed19577d9a78f8feeaf9
SHA1

2efc40286e1cad294628fb38a9524d9634788908
SHA256

4518b5c65eb93ff1e31024f61e25569a9903753816d50e7258722bb608e3cf1b
SHA512

c9ee37525e5a79ef86f39f189cf7a3df69bd421b2ad153ca25b049afeeb18bbb9e1f466dfb9d595bf71f4ec05ca873c001a01814a61b939902890e94c8ee14f4
SSDEEP

49152:AiU4m3k9LdQ5rrVggzz5UqIdFneQuXnMcjq4lfv9s3c59mf6CKJUQajLWW:yHmLdQtrVggzBITeQunMcW4lfloc59mx

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 960	1672	cmd.exe	28
PID 1672 wrote to memory of 960	1672	cmd.exe	28
PID 1672 wrote to memory of 960	1672	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\4518b5c65eb93ff1e31024f61e25569a9903753816d50e7258722bb608e3cf1b.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\4518b5c65eb93ff1e31024f61e25569a9903753816d50e7258722bb608e3cf1b.iso"
  2⤵
  PID:960

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1672-54-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp

Filesize
8KB

Download