2b3c1cbe5454771e83d7f7a8571ed08a5e23ade79acb9596527a5bc5353351d1

Analysis

max time kernel
127s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
17-11-2022 15:18

Target

LO30.iso
Size

848KB
MD5

ea66dc4ed9a8b6bdc468355bea047eb2
SHA1

c257365c246ecbfea389e2a93551a91b608f1c95
SHA256

2b3c1cbe5454771e83d7f7a8571ed08a5e23ade79acb9596527a5bc5353351d1
SHA512

e80e568ac5efb8fd0f731940c7b432513ef498d833e431853cd080cfd348292bcd1f9ce5dcfc2f9bfab2d31f3570f96fb7c05f92d47834c7eb48c222093ae0da
SSDEEP

12288:xoDjGfBlhYUWlaVxbYUGOpGPq1Tu/VxdZlUP9Xq4F/9QVN9:xoDjkzW8wWpD9u/VLM9Xq4nQVN9

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

isoburn.exe

pid process

960 isoburn.exe

pid	process
960	isoburn.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1728 wrote to memory of 960	1728	cmd.exe	isoburn.exe
PID 1728 wrote to memory of 960	1728	cmd.exe	isoburn.exe
PID 1728 wrote to memory of 960	1728	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\LO30.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\LO30.iso"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:960

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/960-76-0x0000000000000000-mapping.dmp

Download
memory/1728-54-0x000007FEFC261000-0x000007FEFC263000-memory.dmp

Filesize
8KB

Download