0f109b2e4b5f625e69c99461d706bc7e853441549cbad846a444474f1b3b60c2

Analysis

max time kernel
48s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19-11-2022 15:15

Target

NK64.iso
Size

842KB
MD5

3dae2bd479fbd88a58b7a84b79d0326b
SHA1

9b34c0a562bdb52cadc9d929d56dfb938f74b76e
SHA256

0f109b2e4b5f625e69c99461d706bc7e853441549cbad846a444474f1b3b60c2
SHA512

5392bd3da1272f477a8e5214fae9bba9c03ed7699179fa74622b65211664265cf19060aacbfbb7a175c213a0dd52a9bf7457b451c7cb838f14ff63cc1fc1952f
SSDEEP

24576:fNJK8zWcCTiaQsC3bpWbYGQajBp6Pi1YWaw4:fK8I43bUbzQaNpx1Da

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1328 wrote to memory of 1692	1328	cmd.exe	isoburn.exe
PID 1328 wrote to memory of 1692	1328	cmd.exe	isoburn.exe
PID 1328 wrote to memory of 1692	1328	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\NK64.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\NK64.iso"
  2⤵
  PID:1692

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1328-54-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp

Filesize
8KB

Download
memory/1692-76-0x0000000000000000-mapping.dmp

Download