7a85e2e39a7bcbe3896de4f9de135640f11ba82bd6fed853589bf9c806e9cdb7 | Triage

Analysis

max time kernel
32s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/10/2022, 23:03

Sharing

Report Analysis Logs

General

Target

VV7414.iso
Size

872KB
MD5

6c339ee1d629108f5daf065a9cae90f2
SHA1

29595141e652f2208bf7afd47433f16f7acf1cbe
SHA256

cbedcab90d247f0cd9175bd704f1097546edd95efb43066d1782dc7eb5067919
SHA512

666af0fdad975b9625b73c593593c017d3829de55324f45fd27f3ac8795e0716c9c2dc42459be76c4ac356093c64190c1e04d71a8959089f90be08562dda1d91
SSDEEP

24576:4HVRweHHHWFMplHGHBZwQweHHRwAwcdkUhn/7jAF2:4HVRweHHHWFMplHGHBZwQweHHRwAwcKS

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1456	1960	cmd.exe	28
PID 1960 wrote to memory of 1456	1960	cmd.exe	28
PID 1960 wrote to memory of 1456	1960	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\VV7414.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\VV7414.iso"
  2⤵
  PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1960-54-0x000007FEFB9B1000-0x000007FEFB9B3000-memory.dmp

Filesize
8KB

Download