fc338b3fcd6575237006e1649be552d875140cf36fe389bada70941a6c264773

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
17-11-2022 02:56

Target

IC91.iso
Size

996KB
MD5

587a6bd50e03be2986783fa1dc0d6865
SHA1

27c5c3896ed3df8111cde46be4a3b8f891b7158a
SHA256

fc338b3fcd6575237006e1649be552d875140cf36fe389bada70941a6c264773
SHA512

5ed6b52a11502ed052ee38bf0afdd738f238e33ac15db89a753e1534003817954d22b21ce651568f6c958cf6bb70715364c51c9003d3711cbdb7db2a832d0f91
SSDEEP

24576:fYSwvwJwRwJZwSw5wqwfHH8H2HHLwRx4Yk7A4DUESxY9MuI4vhL3tXC2Hk:1wvwJwRwJZwSw5wqwfHH8H2HHLwRuY0R

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1196 wrote to memory of 2036	1196	cmd.exe	isoburn.exe
PID 1196 wrote to memory of 2036	1196	cmd.exe	isoburn.exe
PID 1196 wrote to memory of 2036	1196	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\IC91.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\IC91.iso"
  2⤵
  PID:2036

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1196-54-0x000007FEFC161000-0x000007FEFC163000-memory.dmp

Filesize
8KB

Download
memory/2036-76-0x0000000000000000-mapping.dmp

Download