997878e5c8e0d3d1b9f8c67319fea898443e145a81cdd9b40ca728d72ead963a

Analysis

max time kernel
127s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
17-11-2022 12:52

Target

SH39.iso
Size

996KB
MD5

a1267d1e162b69201b6375d69254742b
SHA1

7d7cd9711cfd2e0a6c23c1d4bd2151c8db05122f
SHA256

997878e5c8e0d3d1b9f8c67319fea898443e145a81cdd9b40ca728d72ead963a
SHA512

1f3b3e2f3822a1b2a71d2edb11e450fccd813078a1dd660b79951fc36214292d592578f67b05dcfb89283f30bec7b9b216537e7492569c5da1ebbc8d19412077
SSDEEP

24576:dYfx4Yk7A4DUESx+9MuI4vhL3tXwwvwJwRwJZwSw5wqwfHH8H2HHLwu2Hk:MuY0ArH3T4vJ3tXwwvwJwRwJZwSw5wqj

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

isoburn.exe

pid process

1068 isoburn.exe

pid	process
1068	isoburn.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2000 wrote to memory of 1068	2000	cmd.exe	isoburn.exe
PID 2000 wrote to memory of 1068	2000	cmd.exe	isoburn.exe
PID 2000 wrote to memory of 1068	2000	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\SH39.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\SH39.iso"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1068

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1068-76-0x0000000000000000-mapping.dmp

Download
memory/2000-54-0x000007FEFC451000-0x000007FEFC453000-memory.dmp

Filesize
8KB

Download