078d03f798ce2c658d0fc1267ba141e836ca618e136c8f01b778f1e8bfb3721b

Resubmissions

28-11-2022 19:10

28-11-2022 19:09

28-11-2022 15:04

max time kernel
430s
max time network
436s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 19:10

Target

AH-703.iso
Size

690KB
MD5

af9275a091121de13eaed391a65b620b
SHA1

17734a19fd3e944d207509bb1e178ad776651682
SHA256

078d03f798ce2c658d0fc1267ba141e836ca618e136c8f01b778f1e8bfb3721b
SHA512

33ce1006aab78e809380df98b9aa7f241953e377bdf826830485f0a0a28ae50798ba185c94e3fba0ea6cbb9ca69f882a21c7600b84c38002f4a46ce60ca0bc92
SSDEEP

12288:nm1Mcw5EO6dHvDe0P3lx5EBto8BkfzNbuTyGrC6N2c2mcsAMzRGBRA4cZD:UMFEO6dHvDe0P335EXpUNSleQ2cYCGLc

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 856 wrote to memory of 2000	856	cmd.exe	isoburn.exe
PID 856 wrote to memory of 2000	856	cmd.exe	isoburn.exe
PID 856 wrote to memory of 2000	856	cmd.exe	isoburn.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\AH-703.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\AH-703.iso"
  2⤵
  PID:2000

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/856-54-0x000007FEFC161000-0x000007FEFC163000-memory.dmp

Filesize
8KB

Download
memory/2000-76-0x0000000000000000-mapping.dmp

Download