Analysis
Max time kernel: 127s
Max time network: 30s
Platform: windows7_x64
Resource: win7-20221111-en
Resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
Submitted: 18-11-2022 13:42
Static task: static1
Behavioral task: behavioral1
  Sample: QL63.iso
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: QL63.iso
  Resource: win10v2004-20221111-en
Behavioral task: behavioral3
  Sample: SK.js
  Resource: win7-20220812-en
Behavioral task: behavioral4
  Sample: SK.js
  Resource: win10v2004-20221111-en
Behavioral task: behavioral5
  Sample: manacle/tries.dll
  Resource: win7-20220901-en
General
Target: QL63.iso
Size: 842KB
MD5: 91e742988dfaf22dd473b2595a0fb1f2
SHA1: 537c12d3dd983bddc03aa80e09d7384c575485fe
SHA256: 9e1abf9980ebc84d56b0c780b9fce0c401cfacc66e014f3be1d25564d4763477
SHA512: 58b63510eb651f7d82b78fd4f3e1eb87784859d73bdddf0ec74f8f6094e74832508306ed3657b93a4335358ca4ef8c1e2e610f6ed48f794051d5dfa9f170d763
SSDEEP: 24576:INdpOK8zWcCTisQsC3BbYGQajBp6Pi1YWaw4:EQK8Ie3BbzQaNpx1Da
Malware Config

Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    process: isoburn.exe | pid: 876
Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        | pid  | process | target process
    PID 1744 wrote to memory of 876    | 1744 | cmd.exe | isoburn.exe
    PID 1744 wrote to memory of 876    | 1744 | cmd.exe | isoburn.exe
    PID 1744 wrote to memory of 876    | 1744 | cmd.exe | isoburn.exe
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\QL63.iso
   Signatures: Suspicious use of WriteProcessMemory
   PID: 1744
   2. C:\Windows\System32\isoburn.exe
      Command line: "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\QL63.iso"
      Signatures: Suspicious behavior: GetForegroundWindowSpam
      PID: 876