6436cc9f798618dcce8d46276d2bf95cfe2f3ec72d12cad218c6e7faa691d121

Analysis

max time kernel
43s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
14-11-2022 20:18

Target

46679_10774_USD·pdf.iso
Size

798KB
MD5

92110fb5c1b9ad621fc1842d848a98cc
SHA1

9a91d893c9e7066bea386b9b21a341a7f46dfb71
SHA256

c5c5d41bb7a9d9f3e36ba5c4336bc8ebb551eb3687da7e7c30a2ec8cb1c35af3
SHA512

e1390118fe9c53892b65d7aaaae595ba2f9cbf48bf30b4628602068262a22e718dbfb9f968c101afcaeea7b81c563a1c1ccca2b847287eb5fee76ba4a50d3a81
SSDEEP

12288:8JHNGwC7XzWWpH9WBjH+5ZdyQ43z9hxJU2B:KQi0gk2B

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1760 wrote to memory of 516	1760	cmd.exe	isoburn.exe
PID 1760 wrote to memory of 516	1760	cmd.exe	isoburn.exe
PID 1760 wrote to memory of 516	1760	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\46679_10774_USD·pdf.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\46679_10774_USD·pdf.iso"
  2⤵
  PID:516

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/516-76-0x0000000000000000-mapping.dmp

Download
memory/1760-54-0x000007FEFB621000-0x000007FEFB623000-memory.dmp

Filesize
8KB

Download