Analysis
max time kernel: 127s
max time network: 33s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 18-11-2022 04:03
Static task: static1
Behavioral task: behavioral1 (sample AB63.iso, resource win7-20221111-en)
Behavioral task: behavioral2 (sample AB63.iso, resource win10v2004-20220812-en)
Behavioral task: behavioral3 (sample WW.js, resource win7-20220901-en)
Behavioral task: behavioral4 (sample WW.js, resource win10v2004-20220812-en)
Behavioral task: behavioral5 (sample animators/extrapolates.dll, resource win7-20221111-en)
General
Target: AB63.iso
Size: 970KB
MD5: 728ca18376d08499c84ef75beaa30de5
SHA1: 989d0f183ff6c188dc10aaf2d2685521dad61ead
SHA256: 114c6067d10194b8638eba3f01e6c3e44576d09d74546b7014d637b352b10e23
SHA512: 0b56d6ca945e01f46a1b73c5f2bae877827af44a06bd854c3a116fa3de621f5b5509e55d7a9d16d96a459c2a446f01b5a7d3a5b129b92a68b799f47a78639b1d
SSDEEP: 12288:Mo16F+DfZxL4+Dir8lkQ5z4hbUmKFX4GfOs5VBNYRbWAUWWvoYPiwBPhKwnONVvo:Mo16F+DRt4Tr8lkBhQp2QOUDKw9
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid   process
  692   isoburn.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                  pid   process   target process PID
  1220 wrote to memory of 692  1220  cmd.exe   isoburn.exe
  1220 wrote to memory of 692  1220  cmd.exe   isoburn.exe
  1220 wrote to memory of 692  1220  cmd.exe   isoburn.exe
Processes
1. C:\Windows\system32\cmd.exe
   cmd /c C:\Users\Admin\AppData\Local\Temp\AB63.iso
   PID: 1220
   Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\isoburn.exe
      "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\AB63.iso"
      PID: 692
      Suspicious behavior: GetForegroundWindowSpam