Analysis
- max time kernel: 127s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 17-11-2022 18:54
Static task: static1
Behavioral task behavioral1: sample FW01.iso, resource win7-20221111-en
Behavioral task behavioral2: sample FW01.iso, resource win10v2004-20221111-en
Behavioral task behavioral3: sample WW.js, resource win7-20221111-en
Behavioral task behavioral4: sample WW.js, resource win10v2004-20221111-en
Behavioral task behavioral5: sample animators/supplications.dll, resource win7-20220812-en
General
- Target: FW01.iso
- Size: 970KB
- MD5: da734a9e9845b15d7940a9c4ef282310
- SHA1: 4b09ec306d2eb38dacf8da717765f87cf613bb2b
- SHA256: 8174b9c587ff701b87e200c07d7f43c4234f54e8687ced20dab2b33abbf2d52f
- SHA512: fd9f9b7ef483d8484149b130ab4165bf1afb58e79469591cf8d55a371432812ba86763c503f82d1112a232f619bbb8cdd69f6ded6f96ab4696d68badd4b2bc50
- SSDEEP: 12288:SoEKwnONVvoo6F+DfZxL4+Dir8lkQ5z4hb5mKFX4GfOs5VBNYRbWAUWWvoYPiwBP:SoEKw9o6F+DRt4Tr8lkBhdp2QOU
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: isoburn.exe (PID 648)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process): three identical entries, each recording that PID 1760 (cmd.exe) wrote to the memory of PID 648 (isoburn.exe)
Processes
- C:\Windows\system32\cmd.exe (PID 1760)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\FW01.iso
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\isoburn.exe (PID 648), child of PID 1760
    Command line: "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\FW01.iso"
    - Suspicious behavior: GetForegroundWindowSpam