9d5e19acb918040dcf79ccff74833262fb19f5460f51587d265210374f6f1884

Analysis

max time kernel
113s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 15:01

Target

8198d59461dfb08d7a350333d1459231543c6a29e8db7c31fd14850868a75a38.iso
Size

300.6MB
MD5

9589b37034846688cf65653486bcd897
SHA1

6065a4703cd749c5196bdfa8a7d79732e3a11368
SHA256

8198d59461dfb08d7a350333d1459231543c6a29e8db7c31fd14850868a75a38
SHA512

d58310560d0792e768ba2615524cf7bb3c79421a70e07d6c08313b5fb361fdba62c8e39b445fa38d3db2006c9530608afa3930a5109fc291fd90e62e104819dd
SSDEEP

24576:qzEo/IReVjVaXcqqza/KkJVWpcpr8lCGyi2FBGbZLipIjJ7Fb5DIoN3EtO:qziCYXKzyKkJM8r8lXyEGpIjJ73jtEt

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2028 wrote to memory of 1644	2028	cmd.exe	isoburn.exe
PID 2028 wrote to memory of 1644	2028	cmd.exe	isoburn.exe
PID 2028 wrote to memory of 1644	2028	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\8198d59461dfb08d7a350333d1459231543c6a29e8db7c31fd14850868a75a38.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\System32\isoburn.exe
"C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\8198d59461dfb08d7a350333d1459231543c6a29e8db7c31fd14850868a75a38.iso"
2⤵
PID:1644

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1644-76-0x0000000000000000-mapping.dmp

Download
memory/2028-54-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download