96ccb8938cf27fb9ddea0785e93de813d8cda35ed259a9eb6033b3721e129903

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
18-11-2022 05:04

Target

AP41.iso
Size

970KB
MD5

8ad36195876a68fe8da45ee232126612
SHA1

7346c1df50f690a49c04b2d579dea3e96dc18d2e
SHA256

96ccb8938cf27fb9ddea0785e93de813d8cda35ed259a9eb6033b3721e129903
SHA512

1c77bcec9f0a2bb415609e42250b1143a7139f788900dbe5e2a70ab14d14ac6bfc36edcfa4f08c0b8e954143c2dc341b326f81f696a2861a611042226027f131
SSDEEP

12288:5o36F+DfZxL4+Dir8lkQ5z4hbEmKFX4GfOs5VBNYRbWAUWWvoYPiwBPhKwnONVvo:5o36F+DRt4Tr8lkBhQp2QOUDKw9

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1104 wrote to memory of 556	1104	cmd.exe	isoburn.exe
PID 1104 wrote to memory of 556	1104	cmd.exe	isoburn.exe
PID 1104 wrote to memory of 556	1104	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\AP41.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\AP41.iso"
  2⤵
  PID:556

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/556-76-0x0000000000000000-mapping.dmp

Download
memory/1104-54-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download