74b6508583c6ca080d8ab6256a2fdc6dab4424abfb033151bb02cafce0dfba86

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
17-11-2022 19:24

Target

KQ06.iso
Size

970KB
MD5

519e26ef9f1663add64c5391acbba90b
SHA1

54bf4d0695e0a512d29a61410696d074d33f80d1
SHA256

74b6508583c6ca080d8ab6256a2fdc6dab4424abfb033151bb02cafce0dfba86
SHA512

f27f8e1148c089a5c5a79fbe26868c97d12aa33c8531d6fc253f59b66c7c1fec07e4cc745d50342170a16f4b0542edd0bc9269f2cddc2f7acfd752f4e7e58fac
SSDEEP

12288:eo96F+DfZxL4+Dir8lkQ5z4hb1mKFX4GfOs5VBNYRbWAUWWvoYPiwBPhKwnONVvo:eo96F+DRt4Tr8lkBhRp2QOUDKw9

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1760 wrote to memory of 1432	1760	cmd.exe	isoburn.exe
PID 1760 wrote to memory of 1432	1760	cmd.exe	isoburn.exe
PID 1760 wrote to memory of 1432	1760	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\KQ06.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\KQ06.iso"
  2⤵
  PID:1432

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1432-76-0x0000000000000000-mapping.dmp

Download
memory/1760-54-0x000007FEFB901000-0x000007FEFB903000-memory.dmp

Filesize
8KB

Download