b12345efe24c330c9c201143bb0dd2699eec0dd108728b02a4df9c4b61718be9

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18-11-2022 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QJ98.iso
Size

848KB
MD5

73d701cac3da7a4ba9fa383324dbc3fe
SHA1

6e090fa925d1ebdaa7b2ec410f25b4cbfe1e247a
SHA256

b12345efe24c330c9c201143bb0dd2699eec0dd108728b02a4df9c4b61718be9
SHA512

0e1161fbb681dce08069b03c1bd37a2c6bd6e0f9be6dfc96dfa85f111e4e42010f61dd96059846d93c05ae8d35355a8aa0cc225f9922324be0908dc7f82159a0
SSDEEP

12288:QojVN9gjGfBl6YUWlaVxbYUGOpGPq1Tu/VxdZlUP9Xq4F/9:QojVN9gjkSW8wWpD9u/VLM9Xq4n

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1948 wrote to memory of 2004	1948	cmd.exe	isoburn.exe
PID 1948 wrote to memory of 2004	1948	cmd.exe	isoburn.exe
PID 1948 wrote to memory of 2004	1948	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\QJ98.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\System32\isoburn.exe
"C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\QJ98.iso"
2⤵
PID:2004

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1948-54-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download
memory/2004-76-0x0000000000000000-mapping.dmp

Download