456012a585a2320e798cd0cab4d66221cdd1a4cec1084993aac262a045586c56

Analysis

max time kernel
43s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 08:52

Target

456012a585a2320e798cd0cab4d66221cdd1a4cec1084993aac262a045586c56.iso
Size

430KB
MD5

6e2eae735721ceaa59b967810fb5b44f
SHA1

7390800e71325753ae472815e8b5c653a99d6fb1
SHA256

456012a585a2320e798cd0cab4d66221cdd1a4cec1084993aac262a045586c56
SHA512

bde0544e0807afe48a97fae13348295b4be1d5d9e59c6c45878c7c1fc997e591ab956ce86a527848d6b43e76d3576fc47ac2a5dc0c6974b0512bc0d7659051be
SSDEEP

6144:eu8T9zrStWm3C3klS1gqbe5L05kVxVFInAPexY5ixyizO8wj+A:J8ZSg24Vbe5LFVxVFIAPWelSZm

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 564 wrote to memory of 1224	564	cmd.exe	isoburn.exe
PID 564 wrote to memory of 1224	564	cmd.exe	isoburn.exe
PID 564 wrote to memory of 1224	564	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\456012a585a2320e798cd0cab4d66221cdd1a4cec1084993aac262a045586c56.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:564
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\456012a585a2320e798cd0cab4d66221cdd1a4cec1084993aac262a045586c56.iso"
  2⤵
  PID:1224

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/564-54-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

Filesize
8KB

Download
memory/1224-76-0x0000000000000000-mapping.dmp

Download