0260eb4bc99fb08542f0f8e7725a4a22ff64fe2dcb793747699c95a807d2b6ab

Analysis

max time kernel
128s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
17-11-2022 21:57

Target

JG26.iso
Size

970KB
MD5

873961ada0ec8120be8caaa56afef082
SHA1

af56ba15101e314d7bd87ea6217d04c1ab561036
SHA256

0260eb4bc99fb08542f0f8e7725a4a22ff64fe2dcb793747699c95a807d2b6ab
SHA512

c23e626784cc21738c93aa8a3cdaaa277ece4d829a2d76392fd1a95ec56b3f7e5fe9eef53b70e05ea83a39758974122ca9d12de7d8404360c9ff76f16ea27436
SSDEEP

12288:To96F+DfZxL4+Dir8lkQ5z4hbFmKFX4GfOs5VBNYRbWAUWWvoYPiwBPhKwnONVvo:To96F+DRt4Tr8lkBhRp2QOUDKw9

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

isoburn.exe

pid process

768 isoburn.exe

pid	process
768	isoburn.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2024 wrote to memory of 768	2024	cmd.exe	isoburn.exe
PID 2024 wrote to memory of 768	2024	cmd.exe	isoburn.exe
PID 2024 wrote to memory of 768	2024	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\JG26.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\JG26.iso"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:768

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/768-76-0x0000000000000000-mapping.dmp

Download
memory/2024-54-0x000007FEFB561000-0x000007FEFB563000-memory.dmp

Filesize
8KB

Download