Analysis

  • max time kernel
    30s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/04/2023, 06:11

General

  • Target

    OCBC BANK PAYMENT ADVICE.pdf.exe

  • Size

    963KB

  • MD5

    4f032a36a0975feab31c922d4f69d541

  • SHA1

    691f40e5aa67ec4575789baf5d492e37ae648455

  • SHA256

    a198a5cd953ee0d2fc3f0d44dda511551166effb99c5eeaadeecfde03cd23978

  • SHA512

    b2524988097d28cf3ce7ebc924b6e29ce860c8881533dc34a18745f55e871d9ffafc1d7f5c1c2d61ff26026a9512bf3c8263c31278a55a7ced49e0b0f99a4530

  • SSDEEP

    24576:vY2pKUEWRuZBKdkEWDOB5TNGrscw4EbSUu:QqKWRcknWOD0Pw4Epu

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OCBC BANK PAYMENT ADVICE.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\OCBC BANK PAYMENT ADVICE.pdf.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Users\Admin\AppData\Local\Temp\rvlfhwlc.exe
      "C:\Users\Admin\AppData\Local\Temp\rvlfhwlc.exe" C:\Users\Admin\AppData\Local\Temp\hdpnzztaop.o
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1356
      • C:\Users\Admin\AppData\Local\Temp\rvlfhwlc.exe
        "C:\Users\Admin\AppData\Local\Temp\rvlfhwlc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:568

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hdpnzztaop.o

    Filesize

    6KB

    MD5

    8ed053f45f64d9caebdbc9a5d3c6b167

    SHA1

    10b9f6df1f1b714e5676671affe79b70f81e3dd5

    SHA256

    75a3ae93d2994986e18fdd2dd1cb8753e7c278fc5a44f38ef809249f354be724

    SHA512

    ea773b8777001e875131d798d6e9089c55f14120b455f07b92d656395473f60b5f5526919fced06fe7eed4ef342ef3ce6c9fe956dffdafa142d2fec4de2aaa26

  • C:\Users\Admin\AppData\Local\Temp\ncbiytctnz.a

    Filesize

    923KB

    MD5

    f9e3d674fc4834412ef96db8f7b36746

    SHA1

    e8471c7da880c1c29822147429592772e3a73308

    SHA256

    12d64ec81f350b5af817c2a8e7beac767e31702f60f31377ee56c5fd78541f4b

    SHA512

    c975d2efaebc52f2fc13c437e3338f6648013c9073951c7525fdaa2ede3a0c141489f348372470cbe92f9e9c33c308c6272642ae2d9c694ee79c24dd19ff6b82

  • C:\Users\Admin\AppData\Local\Temp\rvlfhwlc.exe

    Filesize

    85KB

    MD5

    dbb95a36e41d948850d9705de8c6fc33

    SHA1

    46988a3abc9002b9c83413b5a435cdc58e7bd359

    SHA256

    fe12a951ab7f45500a8bee4ac459915067c91515a01f8ff534425b0f255e29b9

    SHA512

    d4829bc655ec144d2035210e8c897084b0447b927d6d0ac88cb5da4f617b2abdb2909c17388e63d4081895f98862ae12619aa697fcccb4ead69dd6196a808122

  • \Users\Admin\AppData\Local\Temp\rvlfhwlc.exe

    Filesize

    85KB

    MD5

    dbb95a36e41d948850d9705de8c6fc33

    SHA1

    46988a3abc9002b9c83413b5a435cdc58e7bd359

    SHA256

    fe12a951ab7f45500a8bee4ac459915067c91515a01f8ff534425b0f255e29b9

    SHA512

    d4829bc655ec144d2035210e8c897084b0447b927d6d0ac88cb5da4f617b2abdb2909c17388e63d4081895f98862ae12619aa697fcccb4ead69dd6196a808122

  • memory/568-66-0x0000000000400000-0x00000000004E6000-memory.dmp

    Filesize

    920KB

  • memory/568-70-0x0000000000400000-0x00000000004E6000-memory.dmp

    Filesize

    920KB

  • memory/568-71-0x0000000004640000-0x0000000004714000-memory.dmp

    Filesize

    848KB

  • memory/568-72-0x0000000000400000-0x00000000004E6000-memory.dmp

    Filesize

    920KB

  • memory/568-73-0x0000000004600000-0x0000000004640000-memory.dmp

    Filesize

    256KB

  • memory/568-74-0x0000000004600000-0x0000000004640000-memory.dmp

    Filesize

    256KB

  • memory/568-75-0x0000000000400000-0x00000000004E6000-memory.dmp

    Filesize

    920KB

  • memory/1356-63-0x0000000000260000-0x0000000000262000-memory.dmp

    Filesize

    8KB