Analysis
- max time kernel: 127s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 17-11-2022 19:55
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: AR37.iso, resource: win7-20221111-en)
- Behavioral task: behavioral2 (sample: AR37.iso, resource: win10v2004-20221111-en)
- Behavioral task: behavioral3 (sample: WW.js, resource: win7-20220901-en)
- Behavioral task: behavioral4 (sample: WW.js, resource: win10v2004-20221111-en)
- Behavioral task: behavioral5 (sample: animators/burford.dll, resource: win7-20221111-en)
General
- Target: AR37.iso
- Size: 970KB
- MD5: 3f430d80f682127c82644220ce17ebcd
- SHA1: 294f41577e9abaaf39c61d079ed407021d421eff
- SHA256: b866e642c8167ffbeb5d55df5ea8bf2c5e565fd05242ed2a2934a6ca48745153
- SHA512: a28e112be646337b3848da600823830c2d70e67749dd7402c35643f8af294ef333a2a85e0d50236a3349884dfaab1a3ed570ff8c24ce28f6fe552fc7d1bf9451
- SSDEEP: 12288:mon6F+DfZxL4+Dir8lkQ5z4hbAmKFX4GfOs5VBNYRbWAUWWvoYPiwBPhKwnONVvo:mon6F+DRt4Tr8lkBh8p2QOUDKw9
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: isoburn.exe (PID 1332)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / PID / process / target PID / target process):
  - PID 2028 wrote to memory of 1332 / 2028 / cmd.exe / 1332 / isoburn.exe
  - PID 2028 wrote to memory of 1332 / 2028 / cmd.exe / 1332 / isoburn.exe
  - PID 2028 wrote to memory of 1332 / 2028 / cmd.exe / 1332 / isoburn.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\AR37.iso
  PID: 2028
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\System32\isoburn.exe
    Command line: "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\AR37.iso"
    PID: 1332
    - Suspicious behavior: GetForegroundWindowSpam