4e1bef93fe9a274fceb49e68298010781f952be7a526f2c34b42a0e9de100d6b

Analysis

max time kernel
127s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
18-11-2022 11:02

Target

QE74.iso
Size

970KB
MD5

b97066193dbf3f493d37f63881ffda09
SHA1

2ca4aaa6361e37768ef025e90b800af11b02afc3
SHA256

4e1bef93fe9a274fceb49e68298010781f952be7a526f2c34b42a0e9de100d6b
SHA512

5f31f4e1e0cac2121b0745b14b5e6171e21675eb1f0d1a7194c9e79eeec4729ec983185296e7c445b5876273e925e7c7d1e1274e7316caca093001dcec59451a
SSDEEP

12288:xocKwnONVvoo6F+DfZxL4+Dir8lkQ5z4hbrmKFX4GfOs5VBNYRbWAUWWvoYPiwBP:xocKw9o6F+DRt4Tr8lkBhXp2QOU

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

isoburn.exe

pid process

756 isoburn.exe

pid	process
756	isoburn.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1736 wrote to memory of 756	1736	cmd.exe	isoburn.exe
PID 1736 wrote to memory of 756	1736	cmd.exe	isoburn.exe
PID 1736 wrote to memory of 756	1736	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\QE74.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\QE74.iso"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:756

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/756-76-0x0000000000000000-mapping.dmp

Download
memory/1736-54-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp

Filesize
8KB

Download