Analysis
max time kernel: 124s
max time network: 30s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 17-11-2022 22:27
Static task: static1
Behavioral task: behavioral1 (Sample: WH03.iso, Resource: win7-20221111-en)
Behavioral task: behavioral2 (Sample: WH03.iso, Resource: win10v2004-20221111-en)
Behavioral task: behavioral3 (Sample: WW.js, Resource: win7-20221111-en)
Behavioral task: behavioral4 (Sample: WW.js, Resource: win10v2004-20221111-en)
Behavioral task: behavioral5 (Sample: animators/consolably.dll, Resource: win7-20220901-en)
General
Target: WH03.iso
Size: 970KB
MD5: 7114a4b13272c975bfc8c2599581dd07
SHA1: 538d8a2adde628c2c643e0c13c0b3daed10585e4
SHA256: d14e74f9fd985af50d13ecc26c430b25aac01a9b2b406bf80e70ce1089e053f9
SHA512: 80ff5d22fca9235c28e65fa30f2b042078b578c35a4dbec36ee8fc431b7172717ef2f9ba10468de5a0fa39c806fdec6ef52e9ecda360158cd3bf10064e2d743b
SSDEEP: 12288:Ao96F+DfZxL4+Dir8lkQ5z4hbsmKFX4GfOs5VBNYRbWAUWWvoYPiwBPhKwnONVvo:Ao96F+DRt4Tr8lkBhAp2QOUDKw9
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: isoburn.exe (PID 564)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
  PID 1768 wrote to memory of 564 / 1768 / cmd.exe / isoburn.exe
  PID 1768 wrote to memory of 564 / 1768 / cmd.exe / isoburn.exe
  PID 1768 wrote to memory of 564 / 1768 / cmd.exe / isoburn.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\WH03.iso
  PID: 1768
  Suspicious use of WriteProcessMemory
  - C:\Windows\System32\isoburn.exe (child of PID 1768)
    Command line: "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\WH03.iso"
    PID: 564
    Suspicious behavior: GetForegroundWindowSpam