4afaf73946ec0b7068a2836660627a65ff1d38ca6db2447b167b021bc88c4aaa

Analysis

max time kernel
131s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 10:03

Target

AR01.iso
Size

842KB
MD5

d2ea210debc462d72dc6fbef6e71941b
SHA1

a7df476dd1fd5ef0054f3198715f3fb12e21a097
SHA256

4afaf73946ec0b7068a2836660627a65ff1d38ca6db2447b167b021bc88c4aaa
SHA512

6d9681281cf2fb1530f3f87331df18a22f26a0d1705a3ac26f57bd6b3f6705db07d2194e67e8d67336e576131f2513bb6efd0b47cab3ef6337e7a91296c96454
SSDEEP

24576:CN5K8zWcCTiUQsC3bpWbYGQajBp6Pi1YWaw4:YK8IC3bUbzQaNpx1Da

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

isoburn.exe

pid process

320 isoburn.exe

pid	process
320	isoburn.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1348 wrote to memory of 320	1348	cmd.exe	isoburn.exe
PID 1348 wrote to memory of 320	1348	cmd.exe	isoburn.exe
PID 1348 wrote to memory of 320	1348	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\AR01.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\AR01.iso"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:320

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/320-76-0x0000000000000000-mapping.dmp

Download
memory/1348-54-0x000007FEFB941000-0x000007FEFB943000-memory.dmp

Filesize
8KB

Download