c7d3f799015e5372929825edcd99d8b47b480ae707638a7d1a90edfbdc0af568

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
18-11-2022 15:16

Target

Agreement_KOA16.iso
Size

662KB
MD5

dc68236d27e1d850413758a191153a99
SHA1

44a8277591b02fcec0b5e9e4880ccb867e29692a
SHA256

c7d3f799015e5372929825edcd99d8b47b480ae707638a7d1a90edfbdc0af568
SHA512

7ee8b242fc0aaf32970528f88c954a01ea4351a5bfd3208f57da370b136a2610951ce513c0412437cd5bbf7d6dfe25b89147f549098171f1d80aedf6bd63bfda
SSDEEP

12288:XNv6E1YF7P01JSdCLjqa/9ANdMxgligH8QLxwOQH:XNv6VP0/Ssfh9AUMFLxSH

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1096 wrote to memory of 1904	1096	cmd.exe	isoburn.exe
PID 1096 wrote to memory of 1904	1096	cmd.exe	isoburn.exe
PID 1096 wrote to memory of 1904	1096	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Agreement_KOA16.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\Agreement_KOA16.iso"
  2⤵
  PID:1904

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1096-54-0x000007FEFC421000-0x000007FEFC423000-memory.dmp

Filesize
8KB

Download
memory/1904-76-0x0000000000000000-mapping.dmp

Download