9020250778de1720c3f97307f58baf9737dcf7af7969fd495e35bf97123f33a2

Analysis

max time kernel
37s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18-11-2022 00:29

Target

ZN89.iso
Size

970KB
MD5

9e8d69daed1345c197150ef103a59251
SHA1

b27eab40c99ebc0cbfb6a8c01af7e4ebc64e6c10
SHA256

9020250778de1720c3f97307f58baf9737dcf7af7969fd495e35bf97123f33a2
SHA512

5cbd3d24e90cad2ebac6c06ccb22b2f631fbb51460c40312f8b258b1d138a4455032de7bc76e0eb28c1b7d4f00289a6f7f652fef8b864f8df2df384b016a354d
SSDEEP

12288:noeKwnON76F+DfZxL4+Dir8lkQ5z4hbsmKFX4GfOs5VBNYRbWAUWWvoYPiwBP2vo:noeKwW6F+DRt4Tr8lkBhgp2QOUZ

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1452 wrote to memory of 1932	1452	cmd.exe	isoburn.exe
PID 1452 wrote to memory of 1932	1452	cmd.exe	isoburn.exe
PID 1452 wrote to memory of 1932	1452	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ZN89.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\ZN89.iso"
  2⤵
  PID:1932

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1452-54-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

Filesize
8KB

Download
memory/1932-76-0x0000000000000000-mapping.dmp

Download