Analysis
max time kernel: 126s
max time network: 30s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 18-11-2022 15:13
Static task: static1
Behavioral task behavioral1: sample ZB59.iso, resource win7-20221111-en
Behavioral task behavioral2: sample ZB59.iso, resource win10v2004-20221111-en
Behavioral task behavioral3: sample SK.js, resource win7-20221111-en
Behavioral task behavioral4: sample SK.js, resource win10v2004-20221111-en
Behavioral task behavioral5: sample manacle/flown.dll, resource win7-20220812-en
General
Target: ZB59.iso
Size: 842KB
MD5: 3fbeb76592de2fcc1f768d95d35b9cdc
SHA1: 174c29f3f99da3f18435302b3f023125f330087c
SHA256: bc958b315bc19d060072a6562b7f37de5b58fe016ea90d97afc8508a975a3038
SHA512: ac2e8a0ab8a5a472a160b6049ac1b7150c289cbe7731a1277f44b5520cfcd823311a46de617f12619a79456a65d9a2b71961d1f293bfcd9db67421d40519ffc3
SSDEEP: 24576:zN5K8zWcCTiuQsC3bpWbYGQajBp6Pi1YWaw4:bK8I83bUbzQaNpx1Da
Malware Config
Signatures
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  process       pid
  isoburn.exe   1396

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description          pid    process    target process
  wrote to memory of   1260   cmd.exe    isoburn.exe (PID 1396)
  wrote to memory of   1260   cmd.exe    isoburn.exe (PID 1396)
  wrote to memory of   1260   cmd.exe    isoburn.exe (PID 1396)
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ZB59.iso
   PID: 1260
   Signature: Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\isoburn.exe (child of PID 1260)
      Command line: "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\ZB59.iso"
      PID: 1396
      Signature: Suspicious behavior: GetForegroundWindowSpam