45a32a4a46e916adfb5017ef80f07b7410f04879cd75193fedce951ba1751ced

Analysis

max time kernel
62s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
18-07-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

maple/assets/config.json
Size

149B
MD5

ee9db446b33f463ca8f558873c6fff7e
SHA1

d40efe04626a430d9c9c1b8db90dbd1110d8e2f8
SHA256

09962830609b0d1d5b286ad3e178245cfc152caa278d660b5b0a3dc21559547e
SHA512

7babaeb3edf9a7fcb9da804c5c1c53ce8abfeb91f83774a60bd538ca3c0bb4afb29f0afeb4ebb00bb51575a8c8d7011900367b92643925a1e585f2e73fba86d8

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
452	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid	Process
4320	OpenWith.exe

Suspicious use of SetWindowsHookEx 31 IoCs

Processes:

OpenWith.exe

pid	Process
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe
4320	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

OpenWith.exe

description	pid	Process	procid_target
PID 4320 wrote to memory of 452	4320	OpenWith.exe	97
PID 4320 wrote to memory of 452	4320	OpenWith.exe	97

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\maple\assets\config.json
1⤵
- Modifies registry class
PID:4888

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\maple\assets\config.json
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads