Analysis
- max time kernel: 111s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 16/03/2023, 12:24
Static task: static1
Behavioral task: behavioral1
  Sample: Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
  Resource: win10v2004-20230220-en
General
- Target: Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
- Size: 266.6MB
- MD5: e3960990152e104d016c4b8a05dc76ac
- SHA1: 8c5dfd0e9f37813d5168952432e914fe46fd0e4e
- SHA256: f0440e7b72c0a54c815f09487afd1fe19f26a7c3616810402f6675af8ee08220
- SHA512: e94ee98dd2102276d06ab074d2ca550dbb238895eaa9588df8aa97bfdecc85d0db36daa4ea7bce8edd68afe69852fc119a294043aedd496e4fab0732bdfc74b3
- SSDEEP: 98304:6NPgYs1HlKS+bjACZY3NoWHu7PcaHfVxv11m3ISv:6qYs1IMCyaHfVxN
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 544, Process RtkDevChargerzSuplyuSuply.exe
- Loads dropped DLL (1 IoC)
  pid 1656, Process Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 2, ioc ip-api.com
  flow 10, ioc ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid 1656, Process Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe (all 14 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1656, Process Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
  pid 544, Process RtkDevChargerzSuplyuSuply.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description "PID 1656 wrote to memory of 544", pid 1656, Process Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe, procid_target 29 (all 4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe"
  PID: 1656
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\RtkDevChargerwfUpdater\RtkDevChargerzSuplyuSuply.exe (child of PID 1656)
    Command line: "C:\ProgramData\RtkDevChargerwfUpdater\RtkDevChargerzSuplyuSuply.exe"
    PID: 544
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - C:\Windows\splwow64.exe (child of PID 544)
      Command line: C:\Windows\splwow64.exe 12288
      PID: 1944
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 378B
  MD5: e47d9226293d8db088dda627cc6e4c5a
  SHA1: 754c9a4c0dc439b8d28e79906f107447161846f9
  SHA256: 18336539ef5e09d409a7c8344070aba447520ee59088f3cc722a623370dd0b24
  SHA512: a523ec2d31e53a5f2dff8b8614c36e637f93e0c858852f299c722bc945ec0e182d58ab7cfca953a6fe88002e37a0bcdcb411896736215629562f6e0c54abc165
- Filesize: 278B
  MD5: 0d3f6789ff8a64b80ded97e55b680f28
  SHA1: c8c0ccb01874ebed40c13d063b1a80fea8305f36
  SHA256: 851f442e6738befe7d735aa34a82bcd8c7d1ea33399835c9490a932cde9bfa3b
  SHA512: cf187abf245ddee38393d1dfa1b8a087c37a413820b9c6e51bede9fb48c7ffe795897c8a2a4a23317c1011d7f6ac9f6c2ac288134d4a35bcb3ec3aadde5de364
- Filesize: 189.1MB
  MD5: 4c7bdfa6d2d3005cacfa66b6ef6e56fd
  SHA1: 0878042c751421ce425a921535ae0e55ef51351d
  SHA256: 7e85bc62d04c79f143028557e40b59b35f37ea40af0e28bfa0922af4211cac94
  SHA512: 4cf296b1de49200a7d49b3df04e44a8c907a2b00cbbd8d739cd92b2df54190c66a8cd43508dc74bfac4d235faf3a82c23f8e0d41952c1fa201332f614ab88f08
- Filesize: 185.6MB
  MD5: 65989e924a4a4d6432dec0b80df6bbc7
  SHA1: 45c250ceecc953f78843e31378847502a38a8ec6
  SHA256: 53c39df752da0b4de4899a02f862cfb43fbc60f0689c977cdc9b235189209214
  SHA512: 4123672daed1d0bf9859279da056d5e156fd1f9fc22099c4fbd05a583273a1598512f6240c6a320a22c1d09013f6075b0cfda50c99f00187c461e9445aff8c2c
- Filesize: 189.4MB
  MD5: 5a694b06262cbcfc334bd250a6cc3088
  SHA1: 200f7d98a3880d4c33c9b701f3756ccb5d34280f
  SHA256: 2478449b3cffc8b46e17dc2f02060f318d61d6b43a80796855af8a3a7b6583ad
  SHA512: 4d64af321c221c5aec62febc43f469be049516fbe18b5a585c16c96df858475b2d9bcd3eb4157a99dc3d845da25abe61dc7421014d7ec1d8b2e18e0e8995de34
- Filesize: 228.4MB
  MD5: 4932299d548913728ef258a0b656265d
  SHA1: ab15b5d9e34ec2f03ad3a3a45e5fde7c15181db4
  SHA256: 40e5611ed3ee047c289c5ee5cbe10ed8eab7cfb81e02c67f5e782a6a558986d7
  SHA512: 501d07ce9c86a99aed570a50a1362d5333a864d1f7ffafd7c85e85c1b93092d09ef49c4dc9096125659f9215807ee1ed656a6fd1047ebbea48024a3940bcc5f4