bf260ff15e0a10357980937576f516a75d209be93fdfe6852dc0f8cb5be34024

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-10-2022 15:12

Target

DHL_924820.iso
Size

1.2MB
MD5

cfda7c0d5667f6a214cf4996e5efde92
SHA1

7a6ed5160addc9e203696ccdaa5efc112710133a
SHA256

bf260ff15e0a10357980937576f516a75d209be93fdfe6852dc0f8cb5be34024
SHA512

792c436d175b0eb3fec94f9d09503737ed66001b99d2a30065852a135e5aeb3e0faa36444a494148e7ad4c81d952f55ede4facdf843c01f8ad55b004df23d6de
SSDEEP

12288:3FwXm1eLcZbP9mpAmFXZ5e0mvXTeYZITtsUXHvxwUxLfHazzJr0:3FGQeabFmKmFzhmvJWuMPB

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2044 wrote to memory of 1788	2044	cmd.exe	isoburn.exe
PID 2044 wrote to memory of 1788	2044	cmd.exe	isoburn.exe
PID 2044 wrote to memory of 1788	2044	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\DHL_924820.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\System32\isoburn.exe
"C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\DHL_924820.iso"
2⤵
PID:1788

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1788-76-0x0000000000000000-mapping.dmp

Download
memory/2044-54-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

Filesize
8KB

Download