723d804cfc334cad788f86c39c7fb58b42f452a72191f7f39400cf05d980b4f3

Analysis

max time kernel
55s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/02/2023, 15:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

723d804cfc334cad788f86c39c7fb58b42f452a72191f7f39400cf05d980b4f3.iso
Size

2.2MB
MD5

02d605b7e07b9026104d8160602b0142
SHA1

4cfe21639c42e82ea97982c50b5e4f6788633a89
SHA256

723d804cfc334cad788f86c39c7fb58b42f452a72191f7f39400cf05d980b4f3
SHA512

cba0899a9afdf703b05d0a16462269a75f77bd1eec8865f8579d6d9ef7f934f9ce6fc3274ff29bd23201dd2ac27e634bc7800152f46dd8cc4eb12cadaaf78eea
SSDEEP

24576:tA7siwwmIuhH3Pc64G/Jr9EgfCPrP6v/:tuTgdJr2S4i3

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2020	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2020	AUDIODG.EXE
Token: 33	2020	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2020	AUDIODG.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 2008	752	cmd.exe	28
PID 752 wrote to memory of 2008	752	cmd.exe	28
PID 752 wrote to memory of 2008	752	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\723d804cfc334cad788f86c39c7fb58b42f452a72191f7f39400cf05d980b4f3.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:752
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\723d804cfc334cad788f86c39c7fb58b42f452a72191f7f39400cf05d980b4f3.iso"
  2⤵
  PID:2008

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1020

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/752-54-0x000007FEFC161000-0x000007FEFC163000-memory.dmp

Filesize
8KB

Download