Overview
overview
3Static
static
1cffi-1.16....64.zip
windows7-x64
1cffi-1.16....64.zip
windows10-2004-x64
1_cffi_back...gnu.so
ubuntu-22.04-amd64
1cffi-1.16....ICENSE
windows7-x64
1cffi-1.16....ICENSE
windows10-2004-x64
1cffi-1.16....TADATA
windows7-x64
1cffi-1.16....TADATA
windows10-2004-x64
1cffi-1.16....RECORD
windows7-x64
1cffi-1.16....RECORD
windows10-2004-x64
1cffi-1.16..../WHEEL
windows7-x64
1cffi-1.16..../WHEEL
windows10-2004-x64
1cffi-1.16....ts.txt
windows7-x64
1cffi-1.16....ts.txt
windows10-2004-x64
1cffi-1.16....el.txt
windows7-x64
1cffi-1.16....el.txt
windows10-2004-x64
1cffi/__init__.py
windows7-x64
3cffi/__init__.py
windows10-2004-x64
3cffi/_cffi_errors.h
windows7-x64
3cffi/_cffi_errors.h
windows10-2004-x64
3cffi/_cffi_include.h
windows7-x64
3cffi/_cffi_include.h
windows10-2004-x64
3cffi/_embedding.h
windows7-x64
3cffi/_embedding.h
windows10-2004-x64
3cffi/_imp_...ion.py
windows7-x64
3cffi/_imp_...ion.py
windows10-2004-x64
3cffi/_shim...ils.py
windows7-x64
3cffi/_shim...ils.py
windows10-2004-x64
3cffi/api.py
windows7-x64
3cffi/api.py
windows10-2004-x64
3cffi/backe...pes.py
windows7-x64
3cffi/backe...pes.py
windows10-2004-x64
3cffi/cffi_opcode.py
windows7-x64
3Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
30-05-2024 06:10
Static task
static1
Behavioral task
behavioral1
Sample
cffi-1.16.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.zip
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral2
Sample
cffi-1.16.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.zip
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
_cffi_backend.cpython-39-x86_64-linux-gnu.so
Resource
ubuntu2204-amd64-20240522.1-en
ubuntu-22.04-amd64
Behavioral task
behavioral4
Sample
cffi-1.16.0.dist-info/LICENSE
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral5
Sample
cffi-1.16.0.dist-info/LICENSE
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral6
Sample
cffi-1.16.0.dist-info/METADATA
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral7
Sample
cffi-1.16.0.dist-info/METADATA
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
cffi-1.16.0.dist-info/RECORD
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral9
Sample
cffi-1.16.0.dist-info/RECORD
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
cffi-1.16.0.dist-info/WHEEL
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral11
Sample
cffi-1.16.0.dist-info/WHEEL
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
cffi-1.16.0.dist-info/entry_points.txt
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral13
Sample
cffi-1.16.0.dist-info/entry_points.txt
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
cffi-1.16.0.dist-info/top_level.txt
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral15
Sample
cffi-1.16.0.dist-info/top_level.txt
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
cffi/__init__.py
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral17
Sample
cffi/__init__.py
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
cffi/_cffi_errors.h
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral19
Sample
cffi/_cffi_errors.h
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
cffi/_cffi_include.h
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral21
Sample
cffi/_cffi_include.h
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
cffi/_embedding.h
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral23
Sample
cffi/_embedding.h
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
cffi/_imp_emulation.py
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral25
Sample
cffi/_imp_emulation.py
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
cffi/_shimmed_dist_utils.py
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral27
Sample
cffi/_shimmed_dist_utils.py
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
cffi/api.py
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral29
Sample
cffi/api.py
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
cffi/backend_ctypes.py
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral31
Sample
cffi/backend_ctypes.py
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
cffi/cffi_opcode.py
Resource
win7-20240220-en
windows7-x64
General
-
Target
cffi/_cffi_include.h
-
Size
14KB
-
MD5
a9287a7d1b3e7ec308e503e42c97da96
-
SHA1
4a86476eb7298469702184888211a84d65d2133a
-
SHA256
b4a9c0d6b752a0f1e9db71670cbd660c6c05a3e523e9f5df03abc0ea47281147
-
SHA512
e0833e9f7571b5677948f340fa996adbc853a33cefdd53726855ac8753bc0519124c89daaff99c41c52f5f4b7a3566105c2e28697265836b10e5d662ddf6b9a0
-
SSDEEP
192:KlvoVFhPqMAzcXe1Yzv/uZRj3cpNUR5SlJN7RAh+2r2jSuJjSWoRUMS:TPBEcX87CUR5SxRu4mmmztS
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 12 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\h_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\h_auto_file\shell\edit\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\h_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\h_auto_file\shell\open rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\h_auto_file\shell\open\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\h_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\h_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\h_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.h rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.h\ = "h_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\h_auto_file\shell\edit rundll32.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2052 NOTEPAD.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1876 wrote to memory of 2748 1876 cmd.exe 29 PID 1876 wrote to memory of 2748 1876 cmd.exe 29 PID 1876 wrote to memory of 2748 1876 cmd.exe 29 PID 2748 wrote to memory of 2052 2748 rundll32.exe 30 PID 2748 wrote to memory of 2052 2748 rundll32.exe 30 PID 2748 wrote to memory of 2052 2748 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\cffi\_cffi_include.h1⤵
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\cffi\_cffi_include.h2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cffi\_cffi_include.h3⤵
- Opens file in notepad (likely ransom note)
PID:2052
-
-