8302aaa90f7757bb976115ea74c068ff3e699b08fd22526ab705c5c8bcdc155c

Analysis

max time kernel
127s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
16-11-2022 22:52

Target

CU20.iso
Size

996KB
MD5

2a76c3791469f0659a1d9c81ea3fda16
SHA1

622903509a4d8a90be943c33d9bcc73d943d3b0c
SHA256

8302aaa90f7757bb976115ea74c068ff3e699b08fd22526ab705c5c8bcdc155c
SHA512

9b74eaa3d60f9f6d626e0a312ee1a51f521472ee3490dd6165153f4481a203897cac06d7f884e7ec583e40f754da8723996116b26a2821ac6a4e91fbd645c69e
SSDEEP

24576:GYowvwJwRwJZwSw5wqwfHH8H2HHLwRx4Yk7A4DUESxg9MuI4vhL3tXC2Hk:WwvwJwRwJZwSw5wqwfHH8H2HHLwRuY09

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

isoburn.exe

pid process

1396 isoburn.exe

pid	process
1396	isoburn.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1260 wrote to memory of 1396	1260	cmd.exe	isoburn.exe
PID 1260 wrote to memory of 1396	1260	cmd.exe	isoburn.exe
PID 1260 wrote to memory of 1396	1260	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\CU20.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\CU20.iso"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1396

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1260-54-0x000007FEFB8E1000-0x000007FEFB8E3000-memory.dmp

Filesize
8KB

Download
memory/1396-76-0x0000000000000000-mapping.dmp

Download