034d086204855ae91d17a392e1aca00cf6e09ad2449d0f8438c5b5419d16d202 | Triage

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
31/10/2022, 17:09

Sharing

Report Analysis Logs

General

Target

DV_7727.iso
Size

480KB
MD5

6be0781ecefcebf24181cac4d13aead9
SHA1

bd75f2c9556c9b894e53767fb461d1b79bd10916
SHA256

034d086204855ae91d17a392e1aca00cf6e09ad2449d0f8438c5b5419d16d202
SHA512

2307c16f8914f0a97cf24b4360e933339fccb17b003dd7ae292228e8e562ab8272907f8ef0396352d1acea91c9f9e70e0f3d9a29035d2d5bfa3731555b54dd8d
SSDEEP

6144:/kbHJhzU/Gr+acU2gqnEIzGOEBPepzn6WX1LB5QpK1K0we5itwWUTDAO7V:uheLacnx5dFBOpawe5iFw1V

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 2036	1208	cmd.exe	28
PID 1208 wrote to memory of 2036	1208	cmd.exe	28
PID 1208 wrote to memory of 2036	1208	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\DV_7727.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\DV_7727.iso"
  2⤵
  PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1208-54-0x000007FEFC161000-0x000007FEFC163000-memory.dmp

Filesize
8KB

Download