45a32a4a46e916adfb5017ef80f07b7410f04879cd75193fedce951ba1751ced

Analysis

max time kernel
289s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

maple/assets/config.json
Size

149B
MD5

ee9db446b33f463ca8f558873c6fff7e
SHA1

d40efe04626a430d9c9c1b8db90dbd1110d8e2f8
SHA256

09962830609b0d1d5b286ad3e178245cfc152caa278d660b5b0a3dc21559547e
SHA512

7babaeb3edf9a7fcb9da804c5c1c53ce8abfeb91f83774a60bd538ca3c0bb4afb29f0afeb4ebb00bb51575a8c8d7011900367b92643925a1e585f2e73fba86d8

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

928 NOTEPAD.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

3756 OpenWith.exe

pid	process
928	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 29 IoCs

Processes:

OpenWith.exe

pid	process
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe
3756	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

OpenWith.exe

description	pid	process	target process
PID 3756 wrote to memory of 928	3756	OpenWith.exe	NOTEPAD.EXE
PID 3756 wrote to memory of 928	3756	OpenWith.exe	NOTEPAD.EXE

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\maple\assets\config.json
1⤵
- Modifies registry class
PID:2696

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\maple\assets\config.json
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads