a198a5cd953ee0d2fc3f0d44dda511551166effb99c5eeaadeecfde03cd23978

Analysis

max time kernel
59s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2023, 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OCBC BANK PAYMENT ADVICE.pdf.exe
Size

963KB
MD5

4f032a36a0975feab31c922d4f69d541
SHA1

691f40e5aa67ec4575789baf5d492e37ae648455
SHA256

a198a5cd953ee0d2fc3f0d44dda511551166effb99c5eeaadeecfde03cd23978
SHA512

b2524988097d28cf3ce7ebc924b6e29ce860c8881533dc34a18745f55e871d9ffafc1d7f5c1c2d61ff26026a9512bf3c8263c31278a55a7ced49e0b0f99a4530
SSDEEP

24576:vY2pKUEWRuZBKdkEWDOB5TNGrscw4EbSUu:QqKWRcknWOD0Pw4Epu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3648	rvlfhwlc.exe
856	rvlfhwlc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3648 set thread context of 856	3648	rvlfhwlc.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
856	rvlfhwlc.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3648	rvlfhwlc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	856	rvlfhwlc.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 3648	1180	OCBC BANK PAYMENT ADVICE.pdf.exe	85
PID 1180 wrote to memory of 3648	1180	OCBC BANK PAYMENT ADVICE.pdf.exe	85
PID 1180 wrote to memory of 3648	1180	OCBC BANK PAYMENT ADVICE.pdf.exe	85
PID 3648 wrote to memory of 856	3648	rvlfhwlc.exe	86
PID 3648 wrote to memory of 856	3648	rvlfhwlc.exe	86
PID 3648 wrote to memory of 856	3648	rvlfhwlc.exe	86
PID 3648 wrote to memory of 856	3648	rvlfhwlc.exe	86

C:\Users\Admin\AppData\Local\Temp\OCBC BANK PAYMENT ADVICE.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\OCBC BANK PAYMENT ADVICE.pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Users\Admin\AppData\Local\Temp\rvlfhwlc.exe
  "C:\Users\Admin\AppData\Local\Temp\rvlfhwlc.exe" C:\Users\Admin\AppData\Local\Temp\hdpnzztaop.o
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Users\Admin\AppData\Local\Temp\rvlfhwlc.exe
    "C:\Users\Admin\AppData\Local\Temp\rvlfhwlc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hdpnzztaop.o

Filesize
6KB

MD5
8ed053f45f64d9caebdbc9a5d3c6b167

SHA1
10b9f6df1f1b714e5676671affe79b70f81e3dd5

SHA256
75a3ae93d2994986e18fdd2dd1cb8753e7c278fc5a44f38ef809249f354be724

SHA512
ea773b8777001e875131d798d6e9089c55f14120b455f07b92d656395473f60b5f5526919fced06fe7eed4ef342ef3ce6c9fe956dffdafa142d2fec4de2aaa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncbiytctnz.a

Filesize
923KB

MD5
f9e3d674fc4834412ef96db8f7b36746

SHA1
e8471c7da880c1c29822147429592772e3a73308

SHA256
12d64ec81f350b5af817c2a8e7beac767e31702f60f31377ee56c5fd78541f4b

SHA512
c975d2efaebc52f2fc13c437e3338f6648013c9073951c7525fdaa2ede3a0c141489f348372470cbe92f9e9c33c308c6272642ae2d9c694ee79c24dd19ff6b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rvlfhwlc.exe

Filesize
85KB

MD5
dbb95a36e41d948850d9705de8c6fc33

SHA1
46988a3abc9002b9c83413b5a435cdc58e7bd359

SHA256
fe12a951ab7f45500a8bee4ac459915067c91515a01f8ff534425b0f255e29b9

SHA512
d4829bc655ec144d2035210e8c897084b0447b927d6d0ac88cb5da4f617b2abdb2909c17388e63d4081895f98862ae12619aa697fcccb4ead69dd6196a808122

Download Submit
C:\Users\Admin\AppData\Local\Temp\rvlfhwlc.exe

Filesize
85KB

MD5
dbb95a36e41d948850d9705de8c6fc33

SHA1
46988a3abc9002b9c83413b5a435cdc58e7bd359

SHA256
fe12a951ab7f45500a8bee4ac459915067c91515a01f8ff534425b0f255e29b9

SHA512
d4829bc655ec144d2035210e8c897084b0447b927d6d0ac88cb5da4f617b2abdb2909c17388e63d4081895f98862ae12619aa697fcccb4ead69dd6196a808122

Download Submit
C:\Users\Admin\AppData\Local\Temp\rvlfhwlc.exe

Filesize
85KB

MD5
dbb95a36e41d948850d9705de8c6fc33

SHA1
46988a3abc9002b9c83413b5a435cdc58e7bd359

SHA256
fe12a951ab7f45500a8bee4ac459915067c91515a01f8ff534425b0f255e29b9

SHA512
d4829bc655ec144d2035210e8c897084b0447b927d6d0ac88cb5da4f617b2abdb2909c17388e63d4081895f98862ae12619aa697fcccb4ead69dd6196a808122

Download Submit
memory/856-146-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/856-143-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/856-144-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/856-141-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/856-147-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/856-148-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/856-150-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/856-149-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/856-151-0x0000000007230000-0x0000000007296000-memory.dmp

Filesize
408KB

Download
memory/856-152-0x0000000004550000-0x0000000004572000-memory.dmp

Filesize
136KB

Download
memory/856-154-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download