Malware Analysis Report

2025-08-05 16:29

Sample ID 240614-bdv7layeme
Target releaseBFH.rar
SHA256 3665af1e55f9422dba06d32dceffaa64cd8ad5f034eb7a8c92e2497d528a5f8e
Tags
score
3/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
3/10

SHA256

3665af1e55f9422dba06d32dceffaa64cd8ad5f034eb7a8c92e2497d528a5f8e

Threat Level: Likely benign

The file releaseBFH.rar was found to be: Likely benign.

Malicious Activity Summary


Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Opens file in notepad (likely ransom note)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 01:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 01:02

Reported

2024-06-14 01:03

Platform

win11-20240611-en

Max time kernel

4s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\releaseBFH.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\releaseBFH.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 01:02

Reported

2024-06-14 01:03

Platform

win11-20240419-en

Max time kernel

23s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\BFHSoft.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\BFHSoft.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 01:02

Reported

2024-06-14 01:03

Platform

win11-20240508-en

Max time kernel

15s

Max time network

27s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\READ.txt

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 352 wrote to memory of 4964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE
PID 352 wrote to memory of 4964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\READ.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\READ.txt

Network

Files

N/A