Overview
overview
3Static
static
1cffi-1.16....64.zip
windows7-x64
1cffi-1.16....64.zip
windows10-2004-x64
1_cffi_back...gnu.so
ubuntu-22.04-amd64
1cffi-1.16....ICENSE
windows7-x64
1cffi-1.16....ICENSE
windows10-2004-x64
1cffi-1.16....TADATA
windows7-x64
1cffi-1.16....TADATA
windows10-2004-x64
1cffi-1.16....RECORD
windows7-x64
1cffi-1.16....RECORD
windows10-2004-x64
1cffi-1.16..../WHEEL
windows7-x64
1cffi-1.16..../WHEEL
windows10-2004-x64
1cffi-1.16....ts.txt
windows7-x64
1cffi-1.16....ts.txt
windows10-2004-x64
1cffi-1.16....el.txt
windows7-x64
1cffi-1.16....el.txt
windows10-2004-x64
1cffi/__init__.py
windows7-x64
3cffi/__init__.py
windows10-2004-x64
3cffi/_cffi_errors.h
windows7-x64
3cffi/_cffi_errors.h
windows10-2004-x64
3cffi/_cffi_include.h
windows7-x64
3cffi/_cffi_include.h
windows10-2004-x64
3cffi/_embedding.h
windows7-x64
3cffi/_embedding.h
windows10-2004-x64
3cffi/_imp_...ion.py
windows7-x64
3cffi/_imp_...ion.py
windows10-2004-x64
3cffi/_shim...ils.py
windows7-x64
3cffi/_shim...ils.py
windows10-2004-x64
3cffi/api.py
windows7-x64
3cffi/api.py
windows10-2004-x64
3cffi/backe...pes.py
windows7-x64
3cffi/backe...pes.py
windows10-2004-x64
3cffi/cffi_opcode.py
windows7-x64
3Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
30/05/2024, 06:10
Static task
static1
Behavioral task
behavioral1
Sample
cffi-1.16.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.zip
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral2
Sample
cffi-1.16.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.zip
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
_cffi_backend.cpython-39-x86_64-linux-gnu.so
Resource
ubuntu2204-amd64-20240522.1-en
ubuntu-22.04-amd64
Behavioral task
behavioral4
Sample
cffi-1.16.0.dist-info/LICENSE
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral5
Sample
cffi-1.16.0.dist-info/LICENSE
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral6
Sample
cffi-1.16.0.dist-info/METADATA
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral7
Sample
cffi-1.16.0.dist-info/METADATA
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
cffi-1.16.0.dist-info/RECORD
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral9
Sample
cffi-1.16.0.dist-info/RECORD
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
cffi-1.16.0.dist-info/WHEEL
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral11
Sample
cffi-1.16.0.dist-info/WHEEL
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
cffi-1.16.0.dist-info/entry_points.txt
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral13
Sample
cffi-1.16.0.dist-info/entry_points.txt
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
cffi-1.16.0.dist-info/top_level.txt
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral15
Sample
cffi-1.16.0.dist-info/top_level.txt
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
cffi/__init__.py
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral17
Sample
cffi/__init__.py
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
cffi/_cffi_errors.h
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral19
Sample
cffi/_cffi_errors.h
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
cffi/_cffi_include.h
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral21
Sample
cffi/_cffi_include.h
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
cffi/_embedding.h
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral23
Sample
cffi/_embedding.h
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
cffi/_imp_emulation.py
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral25
Sample
cffi/_imp_emulation.py
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
cffi/_shimmed_dist_utils.py
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral27
Sample
cffi/_shimmed_dist_utils.py
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
cffi/api.py
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral29
Sample
cffi/api.py
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
cffi/backend_ctypes.py
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral31
Sample
cffi/backend_ctypes.py
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
cffi/cffi_opcode.py
Resource
win7-20240220-en
windows7-x64
General
-
Target
cffi/_embedding.h
-
Size
18KB
-
MD5
64e443865cfe855e8f7e380f9b2a930a
-
SHA1
31ce0831be44bed9ea8257d736a22657af5ccdb6
-
SHA256
4049ab24a941fd6d950bad350a38f27ccbb1b60ccf430c042859703021876d3d
-
SHA512
e71b370a1c12cfc421f7d67dc035249ec86094cd44e0d1555278a94c1926021c82698321f0c6f1340d040db0690af80384e1bef56b3c06c0217e57473c04d107
-
SSDEEP
384:6Z8K0UfQUsVmxEKitt1Fo60VMIOpUA37OSmXNuDQxeOebie8sOHWx6tUm+8wH:XWfNNIIImoDQxeOebdHx6Um+8wH
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 12 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\h_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.h rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\h_auto_file\shell\edit rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\h_auto_file\shell\edit\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\h_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\h_auto_file\shell\open rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\h_auto_file\shell\open\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\h_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\h_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\h_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.h\ = "h_auto_file" rundll32.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2456 NOTEPAD.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2164 wrote to memory of 2276 2164 cmd.exe 29 PID 2164 wrote to memory of 2276 2164 cmd.exe 29 PID 2164 wrote to memory of 2276 2164 cmd.exe 29 PID 2276 wrote to memory of 2456 2276 rundll32.exe 30 PID 2276 wrote to memory of 2456 2276 rundll32.exe 30 PID 2276 wrote to memory of 2456 2276 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\cffi\_embedding.h1⤵
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\cffi\_embedding.h2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cffi\_embedding.h3⤵
- Opens file in notepad (likely ransom note)
PID:2456
-
-