4367007de8752a8e735f3092d0d574fe120ab6205b28a0ba3b125cd2ba906be7

Analysis

max time kernel
127s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16/03/2023, 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6.iso
Size

452KB
MD5

7facd87cedadc1c712112077b726d937
SHA1

4ad1261ec05a7184e9887ae186b72e1f8d45e49f
SHA256

4367007de8752a8e735f3092d0d574fe120ab6205b28a0ba3b125cd2ba906be7
SHA512

b0105466cc3eb3b8530b6a661630b10997bdfe14d5976c6281b2eb43368d9b506bcd68dd4b1bf3e9ccee0cf60c4091d63cd67d02b2759fdc73640c56dd01f644
SSDEEP

6144:BZm442EzPa3Ym+ue9hYfB/1R+Z0o79GYAy2eISP6WZREgK9:BM2ui3Y3hYBPuPcpyPISPrIgK9

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1292	isoburn.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1292	1724	cmd.exe	29
PID 1724 wrote to memory of 1292	1724	cmd.exe	29
PID 1724 wrote to memory of 1292	1724	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\6.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\6.iso"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1292-78-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download