729bab0c3c0e5fc33b56f2d645e5f75791b307cefe9df976ca41f22028e66c36

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18-11-2022 03:02

Target

SY47.iso
Size

970KB
MD5

29e17166ce121051c53ab529afe3cd89
SHA1

dfd3f52cb5042b2862d668fffbb88125c1548e6e
SHA256

729bab0c3c0e5fc33b56f2d645e5f75791b307cefe9df976ca41f22028e66c36
SHA512

7fa71fd5c73afd201da976adc4654bfdc114fa5bdc15bf1fc1fbc6d28a9b405669522e0ab2928bd7357adc1184842fc2b6fb0d08b4406e700e7d0393af73b4b4
SSDEEP

12288:cov6F+DfZxL4+Dir8lkQ5z4hbEmKFX4GfOs5VBNYRbWAUWWvoYPiwBPhKwnONVvo:cov6F+DRt4Tr8lkBhQp2QOUDKw9

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2044 wrote to memory of 1788	2044	cmd.exe	isoburn.exe
PID 2044 wrote to memory of 1788	2044	cmd.exe	isoburn.exe
PID 2044 wrote to memory of 1788	2044	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\SY47.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\SY47.iso"
  2⤵
  PID:1788

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1788-76-0x0000000000000000-mapping.dmp

Download
memory/2044-54-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

Filesize
8KB

Download