0c495376f108dd4f61ae682296b2b6a3944e22e70672df2cb72afcd4cea037b3

Analysis

max time kernel
38s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
17-11-2022 01:55

Target

HP35.iso
Size

996KB
MD5

eabbb59e07b56a9a347113f988217212
SHA1

866a2ba92b24418efbb9bebe5adda6893d8d66ad
SHA256

0c495376f108dd4f61ae682296b2b6a3944e22e70672df2cb72afcd4cea037b3
SHA512

bb9b8c688562fb64355c0f0bc4ad37a0fe2c98ed5a87b8a40fb15e70f8d1ef68ea31d6ce594306cbc41963ba09ad244c3cb9bf8e5397a503194e23706c49d0b7
SSDEEP

24576:OYHx4Yk7A4DUESxg9MuI4vhL3tXwwvwJwRwJZwSw5wqwfHH8H2HHLwu2Hk:BuY0ArHVT4vJ3tXwwvwJwRwJZwSw5wqj

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 904 wrote to memory of 1136	904	cmd.exe	isoburn.exe
PID 904 wrote to memory of 1136	904	cmd.exe	isoburn.exe
PID 904 wrote to memory of 1136	904	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\HP35.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\HP35.iso"
  2⤵
  PID:1136

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/904-54-0x000007FEFBC71000-0x000007FEFBC73000-memory.dmp

Filesize
8KB

Download
memory/1136-76-0x0000000000000000-mapping.dmp

Download