Overview

overview

10

Static

static

11bce4f2dc...55.iso

windows7-x64

3

11bce4f2dc...55.iso

windows10-2004-x64

10

Analysis

  • max time kernel
    1121s
  • max time network
    1238s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    01-12-2022 16:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    11bce4f2dcdc2c1992fddefb109e3ddad384b5171786a1daaddadc83be25f355.iso

  • Size

    2.5MB

  • MD5

    f4235fde77119ac772a2730d55c49c54

  • SHA1

    a250adaf3d5a5c2cd4d5ad4390e4cecbe00b3dd7

  • SHA256

    11bce4f2dcdc2c1992fddefb109e3ddad384b5171786a1daaddadc83be25f355

  • SHA512

    c65b5bbba88cd96856766b1c9f3cce0d7ccedeb63164e165a50508cd2147b522994edaf271953ef19a41afdd7b92bae1aa45b1e5f7e18885a1e68d8012a55086

  • SSDEEP

    24576:/ndTy8pMlAshQiX5Qtme5hekk+t8cH21dFa8POIuTQO0nvpC2QQLVtIwkvME:VT+69d5hrkgp4OlT90nvpdL7kv

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\11bce4f2dcdc2c1992fddefb109e3ddad384b5171786a1daaddadc83be25f355.iso
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:580
    • C:\Windows\System32\isoburn.exe
      "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\11bce4f2dcdc2c1992fddefb109e3ddad384b5171786a1daaddadc83be25f355.iso"
      2⤵
        PID:1440
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:1216
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x4f8
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1720
      • C:\Windows\System32\isoburn.exe
        "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\11bce4f2dcdc2c1992fddefb109e3ddad384b5171786a1daaddadc83be25f355.iso"
        1⤵
          PID:888
        • C:\Program Files\7-Zip\7zG.exe
          "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\11bce4f2dcdc2c1992fddefb109e3ddad384b5171786a1daaddadc83be25f355\" -spe -an -ai#7zMap19148:208:7zEvent22325
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:1504
        • C:\Program Files\7-Zip\7zFM.exe
          "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\11bce4f2dcdc2c1992fddefb109e3ddad384b5171786a1daaddadc83be25f355.iso"
          1⤵
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:1004
        • C:\Program Files\7-Zip\7zFM.exe
          "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\11bce4f2dcdc2c1992fddefb109e3ddad384b5171786a1daaddadc83be25f355.iso"
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:1736
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\11bce4f2dcdc2c1992fddefb109e3ddad384b5171786a1daaddadc83be25f355.7z
          1⤵
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          PID:1856

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/580-54-0x000007FEFC461000-0x000007FEFC463000-memory.dmp

          Filesize

          8KB

          Download