Analysis
max time kernel: 130s
max time network: 30s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 18-11-2022 06:36
Static task: static1

Behavioral task: behavioral1
  Sample: CD21.iso
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: CD21.iso
  Resource: win10v2004-20221111-en

Behavioral task: behavioral3
  Sample: WW.js
  Resource: win7-20221111-en

Behavioral task: behavioral4
  Sample: WW.js
  Resource: win10v2004-20221111-en

Behavioral task: behavioral5
  Sample: animators/sidecars.dll
  Resource: win7-20220812-en
General
Target: CD21.iso
Size: 970KB
MD5: c554bd7e4ad745497718695fa006201e
SHA1: 6eb7fbdd293e9b3ead6d6f91bf6f0a93e36ce98f
SHA256: 7333f51c6d2fb4d10522d083b8f47ff2340263057ca4719f1bc4c2edb66030eb
SHA512: ed9af9f259b385ed28f1b7c58a2cf9794c869b59c333e5273c37035aefa8b857959fac4af4073bdc3c584ecc610df5b1a6b2bde60f85d8a8f74519705e1531b2
SSDEEP: 12288:ZouKwnON76F+DfZxL4+Dir8lkQ5z4hbNmKFX4GfOs5VBNYRbWAUWWvoYPiwBP2vo:ZouKwW6F+DRt4Tr8lkBhpp2QOUZ
Malware Config
(none extracted)

Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid   process
    432   isoburn.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid    process    target process
    PID 1232 wrote to memory of 432    1232   cmd.exe    isoburn.exe
    PID 1232 wrote to memory of 432    1232   cmd.exe    isoburn.exe
    PID 1232 wrote to memory of 432    1232   cmd.exe    isoburn.exe
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\CD21.iso
   PID: 1232
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\isoburn.exe (child of 1)
      Command line: "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\CD21.iso"
      PID: 432
      - Suspicious behavior: GetForegroundWindowSpam