4c3a0890ad64140fc946ed7fc4656721a051c805c46821463386f31a9f74c125

General

Target

Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
Size

266.6MB
MD5

e3960990152e104d016c4b8a05dc76ac
SHA1

8c5dfd0e9f37813d5168952432e914fe46fd0e4e
SHA256

f0440e7b72c0a54c815f09487afd1fe19f26a7c3616810402f6675af8ee08220
SHA512

e94ee98dd2102276d06ab074d2ca550dbb238895eaa9588df8aa97bfdecc85d0db36daa4ea7bce8edd68afe69852fc119a294043aedd496e4fab0732bdfc74b3
SSDEEP

98304:6NPgYs1HlKS+bjACZY3NoWHu7PcaHfVxv11m3ISv:6qYs1IMCyaHfVxN

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe

Executes dropped EXE 1 IoCs

pid	Process
388	RtkDevChargerpSoundStationwtDriving.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
72	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
388	RtkDevChargerpSoundStationwtDriving.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 388	3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe	103
PID 3596 wrote to memory of 388	3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe	103
PID 3596 wrote to memory of 388	3596	Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe	103

C:\Users\Admin\AppData\Local\Temp\Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe
"C:\Users\Admin\AppData\Local\Temp\Archivo_DocumentoOIAXXNLJAIVYRNQtucyy.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3596
- C:\ProgramData\RtkDevChargerviGaming\RtkDevChargerpSoundStationwtDriving.exe
  "C:\ProgramData\RtkDevChargerviGaming\RtkDevChargerpSoundStationwtDriving.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RtkDevChargerviGaming\EgxQriPunetrecFbhaqFgngvbajgQevivat.cfg

Filesize
274B

MD5
b2ce432a30aafd67a9ecd2eb58ba6523

SHA1
a72fe46970bb1d3f4980ee396625e9da09be2b44

SHA256
d998eb1ec500da8879f4145fa4ed24df7f4069e554f583ad288629692a13bfd0

SHA512
aa5bbabc37ef67b6dc5100bf60bc3fc151fed9a94db5fab4afe7c9a7f066ac295b63756b92aa419913f878f658df2fbc789301ee637e6c912111c0d71abe0620

Download Submit
C:\ProgramData\RtkDevChargerviGaming\EgxQriPunetrecFbhaqFgngvbajgQevivat.cfg

Filesize
368B

MD5
e5126091e6bbd9ae4cb914d3a52d0fbd

SHA1
eeacbf935bd662fdb89f0bcd19ad09a48128bb57

SHA256
039dc89e84c456d969897724dc5e5aa6869ffdd2291ddc6821e17b3d8175a95d

SHA512
6ead3dcae9bca528cd2a239b84a51e95e2a3550004c0ad58345e9838c728fc10cc0ead6fec9ef937a8b0b1b7b5a2c03b0005f939bd4b9ec390018d281765c86e

Download Submit
C:\ProgramData\RtkDevChargerviGaming\RtkDevChargerpSoundStationwtDriving.exe

Filesize
215.2MB

MD5
bfff4c31e2a5b9a74c977579d47b58d6

SHA1
c6ad3bd591d7e0893b742f613b15d427cf6da6ef

SHA256
fd4876b068129688ee64f93fa8c84c6e64d4194f38f0472ae65603c3708d228e

SHA512
afef9f706b5e02486fd219f68d1aa05f9c1f854457d2955ab6489210fa58603dc8be67a0ac42d12bd8ad60dc685b556c896b3652a1edf31e2e640d00efdd5d6f

Download Submit
C:\ProgramData\RtkDevChargerviGaming\RtkDevChargerpSoundStationwtDriving.exe

Filesize
135.0MB

MD5
8b0947edb065720c2aa1f76dcc6ee587

SHA1
ff51ed1c37c04cbe9f924ecb310d159dc4bf5f68

SHA256
06d0da3fde0fa39a07d30db0f9d8f504c63b62bdd3ccc405a4baf0e0cc1026d8

SHA512
b3d22b3fc6b8a358a78a6ef5a53d5da2ba163ac6cda038f202e00b4f78211a379e04a8fd1ada7b50dccf5144b89a51343191e9eaa52f9a04640e8a7f932f806f

Download Submit
C:\ProgramData\RtkDevChargerviGaming\RtkDevChargerpSoundStationwtDriving.exe

Filesize
94.8MB

MD5
25d9e5ccf64ad7f3ab18176b371ec208

SHA1
b726f2cc972464c42bfd6f6c8659f2f5b2fada7f

SHA256
a834a7b33ca7538502f14a1179096d5991d14e23eaf068e030f0ea7e89ce4974

SHA512
1cde255c6e3bd4b3ec4884d708c57258c1a24c1d6b9a520189d7ac18d3ab5cab8e9b357f214584a56d21e9ccccd883ee5e19f9b74478e403a28d07e614b16cc0

Download Submit
memory/388-170-0x0000000022220000-0x0000000022221000-memory.dmp

Filesize
4KB

Download
memory/388-164-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/388-179-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3596-146-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3596-159-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3596-143-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3596-142-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3596-163-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3596-133-0x00000000111A0000-0x00000000111A1000-memory.dmp

Filesize
4KB

Download
memory/3596-141-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3596-134-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3596-199-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing