9f090c29601ba885046be32e77f4f8255f2d8b16440e018a0e17e392e0e1bcf5

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
18-11-2022 08:18

Target

SX45.iso
Size

848KB
MD5

796a11d76347e917680acc31f7349e88
SHA1

4f327071d02171241245612aa57921c589afe410
SHA256

9f090c29601ba885046be32e77f4f8255f2d8b16440e018a0e17e392e0e1bcf5
SHA512

f20618497214da2207922ee23c3c82f529661e65d3d6d55fcac00857b4b829418d89d48b1037240289670e68f2a715cc27e1cb07b62ed8162d03c2bb9d9f8d40
SSDEEP

12288:toJVN9gjGfBlJYUWlaVxbYUGOpGPq1Tu/VxdZlUP9Xq4F/9:toJVN9gjk7W8wWpD9u/VLM9Xq4n

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1700 wrote to memory of 1284	1700	cmd.exe	isoburn.exe
PID 1700 wrote to memory of 1284	1700	cmd.exe	isoburn.exe
PID 1700 wrote to memory of 1284	1700	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\SX45.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\SX45.iso"
  2⤵
  PID:1284

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1284-76-0x0000000000000000-mapping.dmp

Download
memory/1700-54-0x000007FEFC611000-0x000007FEFC613000-memory.dmp

Filesize
8KB

Download