4c3a0890ad64140fc946ed7fc4656721a051c805c46821463386f31a9f74c125

General

Target

Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
Size

266.6MB
MD5

e3960990152e104d016c4b8a05dc76ac
SHA1

8c5dfd0e9f37813d5168952432e914fe46fd0e4e
SHA256

f0440e7b72c0a54c815f09487afd1fe19f26a7c3616810402f6675af8ee08220
SHA512

e94ee98dd2102276d06ab074d2ca550dbb238895eaa9588df8aa97bfdecc85d0db36daa4ea7bce8edd68afe69852fc119a294043aedd496e4fab0732bdfc74b3
SSDEEP

98304:6NPgYs1HlKS+bjACZY3NoWHu7PcaHfVxv11m3ISv:6qYs1IMCyaHfVxN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
544	RtkDevChargerzSuplyuSuply.exe

Loads dropped DLL 1 IoCs

pid	Process
1656	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
10	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1656	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
1656	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
1656	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
1656	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
1656	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
1656	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
1656	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
1656	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
1656	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
1656	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
1656	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
1656	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
1656	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
1656	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1656	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
544	RtkDevChargerzSuplyuSuply.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 544	1656	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe	29
PID 1656 wrote to memory of 544	1656	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe	29
PID 1656 wrote to memory of 544	1656	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe	29
PID 1656 wrote to memory of 544	1656	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe	29

C:\Users\Admin\AppData\Local\Temp\Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
"C:\Users\Admin\AppData\Local\Temp\Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1656
- C:\ProgramData\RtkDevChargerwfUpdater\RtkDevChargerzSuplyuSuply.exe
  "C:\ProgramData\RtkDevChargerwfUpdater\RtkDevChargerzSuplyuSuply.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:544
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RtkDevChargerwfUpdater\EgxQriPunetremFhcylhFhcyl.cfg

Filesize
378B

MD5
e47d9226293d8db088dda627cc6e4c5a

SHA1
754c9a4c0dc439b8d28e79906f107447161846f9

SHA256
18336539ef5e09d409a7c8344070aba447520ee59088f3cc722a623370dd0b24

SHA512
a523ec2d31e53a5f2dff8b8614c36e637f93e0c858852f299c722bc945ec0e182d58ab7cfca953a6fe88002e37a0bcdcb411896736215629562f6e0c54abc165

Download Submit
C:\ProgramData\RtkDevChargerwfUpdater\EgxQriPunetremFhcylhFhcyl.cfg

Filesize
278B

MD5
0d3f6789ff8a64b80ded97e55b680f28

SHA1
c8c0ccb01874ebed40c13d063b1a80fea8305f36

SHA256
851f442e6738befe7d735aa34a82bcd8c7d1ea33399835c9490a932cde9bfa3b

SHA512
cf187abf245ddee38393d1dfa1b8a087c37a413820b9c6e51bede9fb48c7ffe795897c8a2a4a23317c1011d7f6ac9f6c2ac288134d4a35bcb3ec3aadde5de364

Download Submit
C:\ProgramData\RtkDevChargerwfUpdater\RtkDevChargerzSuplyuSuply.exe

Filesize
189.1MB

MD5
4c7bdfa6d2d3005cacfa66b6ef6e56fd

SHA1
0878042c751421ce425a921535ae0e55ef51351d

SHA256
7e85bc62d04c79f143028557e40b59b35f37ea40af0e28bfa0922af4211cac94

SHA512
4cf296b1de49200a7d49b3df04e44a8c907a2b00cbbd8d739cd92b2df54190c66a8cd43508dc74bfac4d235faf3a82c23f8e0d41952c1fa201332f614ab88f08

Download Submit
C:\ProgramData\RtkDevChargerwfUpdater\RtkDevChargerzSuplyuSuply.exe

Filesize
185.6MB

MD5
65989e924a4a4d6432dec0b80df6bbc7

SHA1
45c250ceecc953f78843e31378847502a38a8ec6

SHA256
53c39df752da0b4de4899a02f862cfb43fbc60f0689c977cdc9b235189209214

SHA512
4123672daed1d0bf9859279da056d5e156fd1f9fc22099c4fbd05a583273a1598512f6240c6a320a22c1d09013f6075b0cfda50c99f00187c461e9445aff8c2c

Download Submit
C:\ProgramData\RtkDevChargerwfUpdater\RtkDevChargerzSuplyuSuply.exe

Filesize
189.4MB

MD5
5a694b06262cbcfc334bd250a6cc3088

SHA1
200f7d98a3880d4c33c9b701f3756ccb5d34280f

SHA256
2478449b3cffc8b46e17dc2f02060f318d61d6b43a80796855af8a3a7b6583ad

SHA512
4d64af321c221c5aec62febc43f469be049516fbe18b5a585c16c96df858475b2d9bcd3eb4157a99dc3d845da25abe61dc7421014d7ec1d8b2e18e0e8995de34

Download Submit
\ProgramData\RtkDevChargerwfUpdater\RtkDevChargerzSuplyuSuply.exe

Filesize
228.4MB

MD5
4932299d548913728ef258a0b656265d

SHA1
ab15b5d9e34ec2f03ad3a3a45e5fde7c15181db4

SHA256
40e5611ed3ee047c289c5ee5cbe10ed8eab7cfb81e02c67f5e782a6a558986d7

SHA512
501d07ce9c86a99aed570a50a1362d5333a864d1f7ffafd7c85e85c1b93092d09ef49c4dc9096125659f9215807ee1ed656a6fd1047ebbea48024a3940bcc5f4

Download Submit
memory/544-85-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/544-81-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/544-121-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/544-87-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/544-77-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/544-82-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/544-79-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1656-70-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1656-78-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1656-54-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1656-61-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1656-60-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1656-119-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1656-55-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1656-62-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing