Analysis

max time kernel: 127s
max time network: 30s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 19-11-2022 06:26
Static task: static1

Behavioral task: behavioral1
  Sample: ContractCopy_YZ62.iso
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: ContractCopy_YZ62.iso
  Resource: win10v2004-20221111-en

Behavioral task: behavioral3
  Sample: ContractCopy.js
  Resource: win7-20221111-en

Behavioral task: behavioral4
  Sample: ContractCopy.js
  Resource: win10v2004-20220812-en

Behavioral task: behavioral5
  Sample: addled/soloists.dll
  Resource: win7-20220812-en
General

Target: ContractCopy_YZ62.iso
Size: 1.2MB
MD5: f7ca9a8048e534b3fcb6c8f66654e63a
SHA1: 3e7d3cd4fb07b0f3d3305afdc18e1a57b0d34a3a
SHA256: 1821daab4216388a07240299c9d93478a49874b5c776e297e27fc4d7553229fa
SHA512: a36dc6b0ac552ff1742b8b69f34bc50feb4925d3de077993c246093f7ce74910198ebd92469e473ccab356ef36c40772992bed70ea336020f5ce2b30d1df6e3a
SSDEEP: 24576:5oGd7QUoTzEWdfwTTn3M9XqdXJDi317qne:BVU4Wdf6M9XmXFi317qne
Malware Config

(none extracted)

Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID   Process
  664   isoburn.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Description                  PID    Process   Target PID
  PID 1456 wrote to memory of 664   1456   cmd.exe   29
  PID 1456 wrote to memory of 664   1456   cmd.exe   29
  PID 1456 wrote to memory of 664   1456   cmd.exe   29
Processes

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ContractCopy_YZ62.iso
   Signatures: Suspicious use of WriteProcessMemory
   PID: 1456

   2. C:\Windows\System32\isoburn.exe (child of PID 1456)
      Command line: "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\ContractCopy_YZ62.iso"
      Signatures: Suspicious behavior: GetForegroundWindowSpam
      PID: 664