09dede775ba5d3440038634552e44061c779a531139b685610972a76f2a78ca1

Resubmissions

20/12/2022, 14:04

221220-rdrgeach8z 10

20/12/2022, 13:54

221220-q7t9qach6w 3

Analysis

max time kernel
125s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/12/2022, 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Summary_7566182_12202022.img
Size

1.6MB
MD5

f6f3320f5b8fb43eb56810ddbf392b32
SHA1

5985f18fcee5044f2c7f4a5852aeb7538a57188f
SHA256

09dede775ba5d3440038634552e44061c779a531139b685610972a76f2a78ca1
SHA512

8a3749384491d9e52b733c81ea8bb12aac2959f7642ccff4829baf7d8c7aec7f06c5a640fbb5d46b7a533eb5a0db52705bd37cf65453068eb5d4f1857edb096b
SSDEEP

6144:8sK8UXXfATbrOQBOs5QpxL66KiHpKlVfvBPA3BKyDGQVu/QNUWxk:8sK8UXXwrMyzPVpPqtGCuoN2

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1820	1044	cmd.exe	28
PID 1044 wrote to memory of 1820	1044	cmd.exe	28
PID 1044 wrote to memory of 1820	1044	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Summary_7566182_12202022.img
1⤵
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\Summary_7566182_12202022.img"
  2⤵
  PID:1820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1044-54-0x000007FEFB821000-0x000007FEFB823000-memory.dmp

Filesize
8KB

Download