23c872a3c24a223c9cd72c5d15c57ae1e5d9fb2fb82c90db95338d50b26763d9

Analysis

max time kernel
124s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
17-11-2022 05:58

Target

HF58.iso
Size

996KB
MD5

b0d6d977f7c96ab8e88e1d8cfa8c01e6
SHA1

f3af2276b82a07e1e1a7ac127e3c28d7e55be159
SHA256

23c872a3c24a223c9cd72c5d15c57ae1e5d9fb2fb82c90db95338d50b26763d9
SHA512

3252cb31a38c93f0196c8bddfb50b96fc461416ad3781517cabd4e758cf21f743526933c5d078498ee1dd7fc963ff081ab1cd9e3e0f1edd51099627eccbee9d2
SSDEEP

24576:kYPx4Yk7A4DUESx99MuI4vhL3tXwwvwJwRwJZwSw5wqwfHH8H2HHLwu2Hk:3uY0ArHuT4vJ3tXwwvwJwRwJZwSw5wqj

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

isoburn.exe

pid process

1616 isoburn.exe

pid	process
1616	isoburn.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1080 wrote to memory of 1616	1080	cmd.exe	isoburn.exe
PID 1080 wrote to memory of 1616	1080	cmd.exe	isoburn.exe
PID 1080 wrote to memory of 1616	1080	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\HF58.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\HF58.iso"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1616

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1080-54-0x000007FEFC211000-0x000007FEFC213000-memory.dmp

Filesize
8KB

Download
memory/1616-76-0x0000000000000000-mapping.dmp

Download