cf1b2bdaac9e409755a5c18612b93cdf4b9965ec639adef3bce83da88eb02d2a

Analysis

max time kernel
127s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 01:59

Target

NU64.iso
Size

842KB
MD5

67ac0e3d4e7bb08b9cf8abb0b92d316b
SHA1

796771e8133815958619a3603c8d14a7ad98c095
SHA256

cf1b2bdaac9e409755a5c18612b93cdf4b9965ec639adef3bce83da88eb02d2a
SHA512

8c81eace790d7e5dae2d32a3a3297591a7e923a0dca9b6d9fed6114465bfc71c4773e4ea121ced48969b07550f8a5e96f688fac830ef06beb1081db33c7f1c93
SSDEEP

24576:ONdpOK8zWcCTiFQsC3BbYGQajBp6Pi1YWaw4:eQK8Ih3BbzQaNpx1Da

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

isoburn.exe

pid process

748 isoburn.exe

pid	process
748	isoburn.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1276 wrote to memory of 748	1276	cmd.exe	isoburn.exe
PID 1276 wrote to memory of 748	1276	cmd.exe	isoburn.exe
PID 1276 wrote to memory of 748	1276	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\NU64.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\NU64.iso"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:748

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/748-76-0x0000000000000000-mapping.dmp

Download
memory/1276-54-0x000007FEFBFD1000-0x000007FEFBFD3000-memory.dmp

Filesize
8KB

Download