Analysis
- max time kernel: 127s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 18-11-2022 14:12
Static task
- static1
Behavioral tasks
- behavioral1: Sample YJ67.iso, Resource win7-20221111-en
- behavioral2: Sample YJ67.iso, Resource win10v2004-20221111-en
- behavioral3: Sample SK.js, Resource win7-20221111-en
- behavioral4: Sample SK.js, Resource win10v2004-20220812-en
- behavioral5: Sample manacle/fonder.dll, Resource win7-20220901-en
General
- Target: YJ67.iso
- Size: 842KB
- MD5: 580497b1f86577786404d70e280841ba
- SHA1: f0314eec44a22942c9249c5835cecb73ebcb0668
- SHA256: 10c389561c1ba93694020485c9ba784a9fdba5382a0106cbeadc11ce110641e0
- SHA512: fd2ee9ac809d178c4e593617fad7c24907151330def89b476e29e3adbf3955488c48a0244d8d5d781329fbf5755110ba2c990d3bc0e358d17b545ec34db0ff2a
- SSDEEP: 24576:iNVK8zWcCTiQQsC3bpWbYGQajBp6Pi1YWaw4:eK8Iy3bUbzQaNpx1Da
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid   process
  1260  isoburn.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                       pid   process  target process
  PID 1572 wrote to memory of 1260  1572  cmd.exe  isoburn.exe
  PID 1572 wrote to memory of 1260  1572  cmd.exe  isoburn.exe
  PID 1572 wrote to memory of 1260  1572  cmd.exe  isoburn.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\YJ67.iso
  Suspicious use of WriteProcessMemory
  PID: 1572
  - C:\Windows\System32\isoburn.exe
    Command line: "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\YJ67.iso"
    Suspicious behavior: GetForegroundWindowSpam
    PID: 1260