911ce96aba1727454e86f95df4ce2adb30b07afd6b9f8813e961600cd3971df0

Analysis

max time kernel
139s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2023 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fncfxb.au3.malware
Size

760KB
MD5

548b423833439879e2ef091a3b38fdd7
SHA1

fc7abba81f21bb68653983ce6770e3e3156ee62e
SHA256

bd8fc787abfebba8d167e9979c2ec692f861ab21ea138c3381daa852a58677be
SHA512

183df28fddd70493fb56f4654f1af30f0e046f8f04ec6aa40e8115ed2cabe1b7f1b71a9b4fe52d80f93cc30271f54c5f365b512d33b91f4ba79b3da20e541795
SSDEEP

12288:0GPp9+e8zj98hVcp64FV42p5ot4k6on9Nkt22oV64P3FmMmVxcxlMY1D:0GPplGp64FLSitoi22oV6w3FmMSxWl7J

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1960	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4484	OpenWith.exe

Suspicious use of SetWindowsHookEx 47 IoCs

pid	Process
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe
4484	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 1960	4484	OpenWith.exe	100
PID 4484 wrote to memory of 1960	4484	OpenWith.exe	100

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\fncfxb.au3.malware
1⤵
- Modifies registry class
PID:4128

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\fncfxb.au3.malware
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads