0710eabb964125f65e2ea8587585b1883ce98641ce4da8db46eddc404f8cfa6c

Analysis

max time kernel
41s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18-10-2022 21:35

Target

0db4df6533bbe4f721a016b59e89c0ed2ab9af0dec7a8200f7f0e83617bf3d9f.iso
Size

1.2MB
MD5

07f94938347091978c25af1a7f42f72f
SHA1

5260230f225ca88e903357e72b2a6e2b2007162d
SHA256

0db4df6533bbe4f721a016b59e89c0ed2ab9af0dec7a8200f7f0e83617bf3d9f
SHA512

11b17e7474dee868276520be680616b7a3433016dda071d26e65d82b0eab0179e755d91bcaf060a6c5047ff429f159fd4351ffae7c9f5a1cb952990de07fd628
SSDEEP

192:NtOIXco/1QY0OXlb3iQbZaEaJT5cC+aRWTwY2TZhYj1HhIUb:Vcodln53HZ/aLWa0MY21YIc

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1512	1112	cmd.exe	27
PID 1112 wrote to memory of 1512	1112	cmd.exe	27
PID 1112 wrote to memory of 1512	1112	cmd.exe	27

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\0db4df6533bbe4f721a016b59e89c0ed2ab9af0dec7a8200f7f0e83617bf3d9f.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\0db4df6533bbe4f721a016b59e89c0ed2ab9af0dec7a8200f7f0e83617bf3d9f.iso"
  2⤵
  PID:1512

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1112-54-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp

Filesize
8KB

Download