64f78d4d0048a18742efd4d8d626b071b50e6b5487ef9553d5f955793630ca82

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 11:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ruffle.exe
Size

25.4MB
MD5

a13d4c44b37b5b8581d711913e60dda0
SHA1

dd156b114ef90a6339e9e56514053f3f5b01ef58
SHA256

0be0280db3d2fc970d7ff5bf738323bec83779ed9b14ef0559b6b27ad83055c2
SHA512

185180c3cc81c051b46e318ccc0c764d55418a68ed471b00f0042115c39a20ec43b5b9d28aa6cdf5630f8c5e3196e7fb7fa4c6578a5aefa694324ce5b7f73abc
SSDEEP

196608:KnAfJ38sNwW4gtfSYO8QthaARfp/nks0dLAw5Kw3rkI9YfDgbeh8OFRaCabZldhZ:IAfOfoqw3rkIeZJNtOvXhf

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	ruffle.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	ruffle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	ruffle.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	ruffle.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3044	ruffle.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3044	ruffle.exe

C:\Users\Admin\AppData\Local\Temp\ruffle.exe
"C:\Users\Admin\AppData\Local\Temp\ruffle.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3044-0-0x000001FA10560000-0x000001FA10561000-memory.dmp

Filesize
4KB

Download
memory/3044-1-0x000001FA10560000-0x000001FA10561000-memory.dmp

Filesize
4KB

Download
memory/3044-2-0x000001FA10560000-0x000001FA10561000-memory.dmp

Filesize
4KB

Download
memory/3044-5-0x000001FA14620000-0x000001FA14622000-memory.dmp

Filesize
8KB

Download
memory/3044-4-0x000001FA14620000-0x000001FA14622000-memory.dmp

Filesize
8KB

Download
memory/3044-3-0x000001FA14620000-0x000001FA14622000-memory.dmp

Filesize
8KB

Download
memory/3044-11-0x000001FA14620000-0x000001FA14622000-memory.dmp

Filesize
8KB

Download
memory/3044-10-0x000001FA14620000-0x000001FA14622000-memory.dmp

Filesize
8KB

Download
memory/3044-9-0x000001FA14620000-0x000001FA14622000-memory.dmp

Filesize
8KB

Download
memory/3044-18-0x000001FA14620000-0x000001FA14622000-memory.dmp

Filesize
8KB

Download
memory/3044-25-0x000001FA14620000-0x000001FA14622000-memory.dmp

Filesize
8KB

Download
memory/3044-24-0x000001FA14620000-0x000001FA14622000-memory.dmp

Filesize
8KB

Download
memory/3044-23-0x000001FA14620000-0x000001FA14622000-memory.dmp

Filesize
8KB

Download
memory/3044-22-0x000001FA14620000-0x000001FA14622000-memory.dmp

Filesize
8KB

Download
memory/3044-21-0x000001FA14620000-0x000001FA14622000-memory.dmp

Filesize
8KB

Download
memory/3044-20-0x000001FA14620000-0x000001FA14622000-memory.dmp

Filesize
8KB

Download
memory/3044-19-0x000001FA14620000-0x000001FA14622000-memory.dmp

Filesize
8KB

Download
memory/3044-17-0x000001FA14620000-0x000001FA14622000-memory.dmp

Filesize
8KB

Download
memory/3044-16-0x000001FA14620000-0x000001FA14622000-memory.dmp

Filesize
8KB

Download
memory/3044-15-0x000001FA14620000-0x000001FA14622000-memory.dmp

Filesize
8KB

Download
memory/3044-14-0x000001FA14620000-0x000001FA14622000-memory.dmp

Filesize
8KB

Download
memory/3044-13-0x000001FA14620000-0x000001FA14622000-memory.dmp

Filesize
8KB

Download
memory/3044-12-0x000001FA14620000-0x000001FA14622000-memory.dmp

Filesize
8KB

Download