ea64bba77296ccdd5522c8c70186b962425239c98b77dc1bcbb7f66530ba9703

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
16-11-2022 00:44

Target

CVUO05.iso
Size

722KB
MD5

d9e7ba5bf8b8d43cd61c6bcaf53bcc77
SHA1

eb215ad50be152723eea669c5230ab8688e1edd8
SHA256

ea64bba77296ccdd5522c8c70186b962425239c98b77dc1bcbb7f66530ba9703
SHA512

146fc4334812d8a4378d10ba70ccbc1b9584422a0eedff0562b85a223fbd1cb579169c2a4a3df5b494262ecb1a8727451b3503e9550713ff8f0c407098e17756
SSDEEP

12288:mY5/TGcg+w9KCyJdcvXumiT3QOrT8Rk0zvInbiPCw18al1USuSZxHHTkG/8H8:mY5/TGckKCy30IAIQR3O7OjHHApc

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1660 wrote to memory of 2044	1660	cmd.exe	isoburn.exe
PID 1660 wrote to memory of 2044	1660	cmd.exe	isoburn.exe
PID 1660 wrote to memory of 2044	1660	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\CVUO05.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\CVUO05.iso"
  2⤵
  PID:2044

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1660-54-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmp

Filesize
8KB

Download
memory/2044-76-0x0000000000000000-mapping.dmp

Download