3ebcabb9a00211e1aa0ec6509f4d6206e6fab30da4a5bf6267292b9578859393

Analysis

max time kernel
133s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
17-11-2022 06:59

Target

NH09.iso
Size

996KB
MD5

afd3aafce1eb18f0c75691c04a6067a8
SHA1

f9a977a82d69d42535032fb54dabf1a18e2278dd
SHA256

3ebcabb9a00211e1aa0ec6509f4d6206e6fab30da4a5bf6267292b9578859393
SHA512

f175da5e38239cf7134084c8ab56eadfe13ac811585f3ea397ac8ff197efe7468b1bb3ae487f53006a978bafc6691ee384f6c63de10ddaac3718fed43e4023e6
SSDEEP

24576:aYNx4Yk7A4DUESxr9MuI4vhL3tXwwvwJwRwJZwSw5wqwfHH8H2HHLwu2Hk:HuY0ArHgT4vJ3tXwwvwJwRwJZwSw5wqj

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

isoburn.exe

pid process

884 isoburn.exe

pid	process
884	isoburn.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2024 wrote to memory of 884	2024	cmd.exe	isoburn.exe
PID 2024 wrote to memory of 884	2024	cmd.exe	isoburn.exe
PID 2024 wrote to memory of 884	2024	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\NH09.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\NH09.iso"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:884

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/884-76-0x0000000000000000-mapping.dmp

Download
memory/2024-54-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp

Filesize
8KB

Download