87a6c8d93a46da3487e69372704f9014a55ab43820d202b3bf58f28df1fa2bac

Analysis

max time kernel
39s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18-11-2022 14:42

Target

RJ01.iso
Size

842KB
MD5

0d156ab0973c1461a467b305264bc7e4
SHA1

b953b509d35f5c909774ec88db5920e68364792a
SHA256

87a6c8d93a46da3487e69372704f9014a55ab43820d202b3bf58f28df1fa2bac
SHA512

d76ae5bbce41e2a2febd8de5d394b4c9a2b8275f261722b6daa7ed54d024c844db8a650adb7a7e234698f66cf580f8c6ae7c97d26a36e81994a197c147b6f967
SSDEEP

24576:PNJK8zWcCTiRQsC3bpWbYGQajBp6Pi1YWaw4:vK8Ix3bUbzQaNpx1Da

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 900 wrote to memory of 1188	900	cmd.exe	isoburn.exe
PID 900 wrote to memory of 1188	900	cmd.exe	isoburn.exe
PID 900 wrote to memory of 1188	900	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RJ01.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\RJ01.iso"
  2⤵
  PID:1188

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/900-54-0x000007FEFC3B1000-0x000007FEFC3B3000-memory.dmp

Filesize
8KB

Download
memory/1188-76-0x0000000000000000-mapping.dmp

Download