ed21514ae63b5f636e7b9a84129a6065e4783ce4e510b8d532efbedca5152938

Analysis

max time kernel
46s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
17-11-2022 16:52

Target

LF67.iso
Size

848KB
MD5

0f1178d8bab4a0d5e9e23da170eb0d05
SHA1

2323d5c811d8905b37286b099d5ac5cefc393550
SHA256

ed21514ae63b5f636e7b9a84129a6065e4783ce4e510b8d532efbedca5152938
SHA512

810afe1144d1c78583f1e3d0692e19883d3ea08a3e2b1494358f7c46ad197df51edeaf6c6ad926f94dbf3c916516313eb51ba4a07f3214c6cabf3690e8e572c5
SSDEEP

12288:qoNjGfBl5YUWlaVxbYUGOpGPq1Tu/VxdZlUP9Xq4F/9QVN9:qoNjkLW8wWpD9u/VLM9Xq4nQVN9

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1816 wrote to memory of 1212	1816	cmd.exe	isoburn.exe
PID 1816 wrote to memory of 1212	1816	cmd.exe	isoburn.exe
PID 1816 wrote to memory of 1212	1816	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\LF67.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\LF67.iso"
  2⤵
  PID:1212

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1212-76-0x0000000000000000-mapping.dmp

Download
memory/1816-54-0x000007FEFC001000-0x000007FEFC003000-memory.dmp

Filesize
8KB

Download