Overview
overview
3Static
static
1cffi-1.16....64.zip
windows7-x64
1cffi-1.16....64.zip
windows10-2004-x64
1_cffi_back...gnu.so
ubuntu-22.04-amd64
1cffi-1.16....ICENSE
windows7-x64
1cffi-1.16....ICENSE
windows10-2004-x64
1cffi-1.16....TADATA
windows7-x64
1cffi-1.16....TADATA
windows10-2004-x64
1cffi-1.16....RECORD
windows7-x64
1cffi-1.16....RECORD
windows10-2004-x64
1cffi-1.16..../WHEEL
windows7-x64
1cffi-1.16..../WHEEL
windows10-2004-x64
1cffi-1.16....ts.txt
windows7-x64
1cffi-1.16....ts.txt
windows10-2004-x64
1cffi-1.16....el.txt
windows7-x64
1cffi-1.16....el.txt
windows10-2004-x64
1cffi/__init__.py
windows7-x64
3cffi/__init__.py
windows10-2004-x64
3cffi/_cffi_errors.h
windows7-x64
3cffi/_cffi_errors.h
windows10-2004-x64
3cffi/_cffi_include.h
windows7-x64
3cffi/_cffi_include.h
windows10-2004-x64
3cffi/_embedding.h
windows7-x64
3cffi/_embedding.h
windows10-2004-x64
3cffi/_imp_...ion.py
windows7-x64
3cffi/_imp_...ion.py
windows10-2004-x64
3cffi/_shim...ils.py
windows7-x64
3cffi/_shim...ils.py
windows10-2004-x64
3cffi/api.py
windows7-x64
3cffi/api.py
windows10-2004-x64
3cffi/backe...pes.py
windows7-x64
3cffi/backe...pes.py
windows10-2004-x64
3cffi/cffi_opcode.py
windows7-x64
3Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
30-05-2024 06:10
Static task
static1
Behavioral task
behavioral1
Sample
cffi-1.16.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.zip
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral2
Sample
cffi-1.16.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.zip
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
_cffi_backend.cpython-39-x86_64-linux-gnu.so
Resource
ubuntu2204-amd64-20240522.1-en
ubuntu-22.04-amd64
Behavioral task
behavioral4
Sample
cffi-1.16.0.dist-info/LICENSE
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral5
Sample
cffi-1.16.0.dist-info/LICENSE
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral6
Sample
cffi-1.16.0.dist-info/METADATA
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral7
Sample
cffi-1.16.0.dist-info/METADATA
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
cffi-1.16.0.dist-info/RECORD
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral9
Sample
cffi-1.16.0.dist-info/RECORD
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
cffi-1.16.0.dist-info/WHEEL
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral11
Sample
cffi-1.16.0.dist-info/WHEEL
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
cffi-1.16.0.dist-info/entry_points.txt
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral13
Sample
cffi-1.16.0.dist-info/entry_points.txt
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
cffi-1.16.0.dist-info/top_level.txt
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral15
Sample
cffi-1.16.0.dist-info/top_level.txt
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
cffi/__init__.py
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral17
Sample
cffi/__init__.py
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
cffi/_cffi_errors.h
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral19
Sample
cffi/_cffi_errors.h
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
cffi/_cffi_include.h
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral21
Sample
cffi/_cffi_include.h
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
cffi/_embedding.h
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral23
Sample
cffi/_embedding.h
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
cffi/_imp_emulation.py
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral25
Sample
cffi/_imp_emulation.py
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
cffi/_shimmed_dist_utils.py
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral27
Sample
cffi/_shimmed_dist_utils.py
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
cffi/api.py
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral29
Sample
cffi/api.py
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
cffi/backend_ctypes.py
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral31
Sample
cffi/backend_ctypes.py
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
cffi/cffi_opcode.py
Resource
win7-20240220-en
windows7-x64
General
-
Target
cffi/_cffi_errors.h
-
Size
3KB
-
MD5
64efe54b03e5ae3a4da6775598600f51
-
SHA1
d9e39b52a6ac381c482234ee5b50883c364f0422
-
SHA256
cd05edeee47f9bc8145be7c8da1260d0aa129091705eff111949040d9d7bedd4
-
SHA512
fcb69759b1dda6c2a4982f847b72a54dfe51bb30025d85121c26645d1fe1b9ce56eb9e2942445d7b071b8812d0f3761460d579a9f3c369ae3af1b287e2b964ad
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 12 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\h_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\h_auto_file\shell\edit\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\h_auto_file\shell\open rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\h_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.h rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.h\ = "h_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\h_auto_file\shell\edit rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\h_auto_file\shell\open\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\h_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\h_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\h_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" rundll32.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2440 NOTEPAD.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2872 wrote to memory of 2536 2872 cmd.exe 29 PID 2872 wrote to memory of 2536 2872 cmd.exe 29 PID 2872 wrote to memory of 2536 2872 cmd.exe 29 PID 2536 wrote to memory of 2440 2536 rundll32.exe 30 PID 2536 wrote to memory of 2440 2536 rundll32.exe 30 PID 2536 wrote to memory of 2440 2536 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\cffi\_cffi_errors.h1⤵
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\cffi\_cffi_errors.h2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cffi\_cffi_errors.h3⤵
- Opens file in notepad (likely ransom note)
PID:2440
-
-