Analysis
- max time kernel: 30s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 18/04/2023, 06:11
Static task: static1
Behavioral task: behavioral1
- Sample: OCBC BANK PAYMENT ADVICE.pdf.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: OCBC BANK PAYMENT ADVICE.pdf.exe
- Resource: win10v2004-20230220-en
General
- Target: OCBC BANK PAYMENT ADVICE.pdf.exe
- Size: 963KB
- MD5: 4f032a36a0975feab31c922d4f69d541
- SHA1: 691f40e5aa67ec4575789baf5d492e37ae648455
- SHA256: a198a5cd953ee0d2fc3f0d44dda511551166effb99c5eeaadeecfde03cd23978
- SHA512: b2524988097d28cf3ce7ebc924b6e29ce860c8881533dc34a18745f55e871d9ffafc1d7f5c1c2d61ff26026a9512bf3c8263c31278a55a7ced49e0b0f99a4530
- SSDEEP: 24576:vY2pKUEWRuZBKdkEWDOB5TNGrscw4EbSUu:QqKWRcknWOD0Pw4Epu
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  1356  rvlfhwlc.exe
  568   rvlfhwlc.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  1612  OCBC BANK PAYMENT ADVICE.pdf.exe
  1356  rvlfhwlc.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process       procid_target
  PID 1356 set thread context of 568   1356  rvlfhwlc.exe  28
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  568   rvlfhwlc.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  1356  rvlfhwlc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   568   rvlfhwlc.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                           procid_target
  PID 1612 wrote to memory of 1356   1612  OCBC BANK PAYMENT ADVICE.pdf.exe  27
  PID 1612 wrote to memory of 1356   1612  OCBC BANK PAYMENT ADVICE.pdf.exe  27
  PID 1612 wrote to memory of 1356   1612  OCBC BANK PAYMENT ADVICE.pdf.exe  27
  PID 1612 wrote to memory of 1356   1612  OCBC BANK PAYMENT ADVICE.pdf.exe  27
  PID 1356 wrote to memory of 568    1356  rvlfhwlc.exe                      28
  PID 1356 wrote to memory of 568    1356  rvlfhwlc.exe                      28
  PID 1356 wrote to memory of 568    1356  rvlfhwlc.exe                      28
  PID 1356 wrote to memory of 568    1356  rvlfhwlc.exe                      28
  PID 1356 wrote to memory of 568    1356  rvlfhwlc.exe                      28
Processes
- C:\Users\Admin\AppData\Local\Temp\OCBC BANK PAYMENT ADVICE.pdf.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\OCBC BANK PAYMENT ADVICE.pdf.exe"
  PID: 1612
  Signatures:
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\rvlfhwlc.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\rvlfhwlc.exe" C:\Users\Admin\AppData\Local\Temp\hdpnzztaop.o
    PID: 1356
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\rvlfhwlc.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\rvlfhwlc.exe"
      PID: 568
      Signatures:
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 6KB
  MD5: 8ed053f45f64d9caebdbc9a5d3c6b167
  SHA1: 10b9f6df1f1b714e5676671affe79b70f81e3dd5
  SHA256: 75a3ae93d2994986e18fdd2dd1cb8753e7c278fc5a44f38ef809249f354be724
  SHA512: ea773b8777001e875131d798d6e9089c55f14120b455f07b92d656395473f60b5f5526919fced06fe7eed4ef342ef3ce6c9fe956dffdafa142d2fec4de2aaa26
- Filesize: 923KB
  MD5: f9e3d674fc4834412ef96db8f7b36746
  SHA1: e8471c7da880c1c29822147429592772e3a73308
  SHA256: 12d64ec81f350b5af817c2a8e7beac767e31702f60f31377ee56c5fd78541f4b
  SHA512: c975d2efaebc52f2fc13c437e3338f6648013c9073951c7525fdaa2ede3a0c141489f348372470cbe92f9e9c33c308c6272642ae2d9c694ee79c24dd19ff6b82
- Filesize: 85KB
  MD5: dbb95a36e41d948850d9705de8c6fc33
  SHA1: 46988a3abc9002b9c83413b5a435cdc58e7bd359
  SHA256: fe12a951ab7f45500a8bee4ac459915067c91515a01f8ff534425b0f255e29b9
  SHA512: d4829bc655ec144d2035210e8c897084b0447b927d6d0ac88cb5da4f617b2abdb2909c17388e63d4081895f98862ae12619aa697fcccb4ead69dd6196a808122