Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 59s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/04/2023, 06:11
Static task: static1
Behavioral task: behavioral1
- Sample: OCBC BANK PAYMENT ADVICE.pdf.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: OCBC BANK PAYMENT ADVICE.pdf.exe
- Resource: win10v2004-20230220-en
General
- Target: OCBC BANK PAYMENT ADVICE.pdf.exe
- Size: 963KB
- MD5: 4f032a36a0975feab31c922d4f69d541
- SHA1: 691f40e5aa67ec4575789baf5d492e37ae648455
- SHA256: a198a5cd953ee0d2fc3f0d44dda511551166effb99c5eeaadeecfde03cd23978
- SHA512: b2524988097d28cf3ce7ebc924b6e29ce860c8881533dc34a18745f55e871d9ffafc1d7f5c1c2d61ff26026a9512bf3c8263c31278a55a7ced49e0b0f99a4530
- SSDEEP: 24576:vY2pKUEWRuZBKdkEWDOB5TNGrscw4EbSUu:QqKWRcknWOD0Pw4Epu
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid 3648, process rvlfhwlc.exe
  pid 856, process rvlfhwlc.exe
- Suspicious use of SetThreadContext (1 IoCs)
  PID 3648 set thread context of 856 (pid 3648, process rvlfhwlc.exe, procid_target 86)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid 856, process rvlfhwlc.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  pid 3648, process rvlfhwlc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege (pid 856, process rvlfhwlc.exe)
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1180 wrote to memory of 3648 (pid 1180, process OCBC BANK PAYMENT ADVICE.pdf.exe, procid_target 85)
  PID 1180 wrote to memory of 3648 (pid 1180, process OCBC BANK PAYMENT ADVICE.pdf.exe, procid_target 85)
  PID 1180 wrote to memory of 3648 (pid 1180, process OCBC BANK PAYMENT ADVICE.pdf.exe, procid_target 85)
  PID 3648 wrote to memory of 856 (pid 3648, process rvlfhwlc.exe, procid_target 86)
  PID 3648 wrote to memory of 856 (pid 3648, process rvlfhwlc.exe, procid_target 86)
  PID 3648 wrote to memory of 856 (pid 3648, process rvlfhwlc.exe, procid_target 86)
  PID 3648 wrote to memory of 856 (pid 3648, process rvlfhwlc.exe, procid_target 86)
Processes
- C:\Users\Admin\AppData\Local\Temp\OCBC BANK PAYMENT ADVICE.pdf.exe (PID 1180)
  Command line: "C:\Users\Admin\AppData\Local\Temp\OCBC BANK PAYMENT ADVICE.pdf.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\rvlfhwlc.exe (PID 3648)
    Command line: "C:\Users\Admin\AppData\Local\Temp\rvlfhwlc.exe" C:\Users\Admin\AppData\Local\Temp\hdpnzztaop.o
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\rvlfhwlc.exe (PID 856)
      Command line: "C:\Users\Admin\AppData\Local\Temp\rvlfhwlc.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads