f9afc049eeefa6570b5e8cdd2b6e0a70de7fa2de619be35a0f21904886e7db29

Analysis

max time kernel
127s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
17-11-2022 12:21

Target

TG28.iso
Size

996KB
MD5

ab6d30ea3552890c6db9f0c9e90c6ccd
SHA1

7a7154a8bedea4a0f23aa7262c339d849514e33e
SHA256

f9afc049eeefa6570b5e8cdd2b6e0a70de7fa2de619be35a0f21904886e7db29
SHA512

f70d16e4eeeb0dd8b1f3a9216be2cbc51126a57ed57302955ae2afa69dd2348b8e87a1953008e12b7f31ca0f6ac618840db27a23f7a15a0d097565f2bbb99a21
SSDEEP

24576:sYowvwJwRwJZwSw5wqwfHH8H2HHLwu2Hklx4Yk7A4DUESxy9MuI4vhL3tX:4wvwJwRwJZwSw5wqwfHH8H2HHLwu2YuR

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

isoburn.exe

pid process

588 isoburn.exe

pid	process
588	isoburn.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1564 wrote to memory of 588	1564	cmd.exe	isoburn.exe
PID 1564 wrote to memory of 588	1564	cmd.exe	isoburn.exe
PID 1564 wrote to memory of 588	1564	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TG28.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\TG28.iso"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:588

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/588-76-0x0000000000000000-mapping.dmp

Download
memory/1564-54-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download