Analysis
-
max time kernel: 147s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-07-2022 14:29

Behavioral task
behavioral1 | Sample: virussign.exe | Resource: win7-20220414-en | windows7-x64 | 7 signatures | 150 seconds

Only the behavioral1 (Windows 7) row of the task table survives here; the signature details below reference behavioral2 memory dumps, consistent with the windows10-2004_x64 platform given in the header.
General
-
Target: virussign.exe
Size: 2.4MB
MD5: 10d19f611c27e35e9d2333f992e7b140
SHA1: 520a9aad58df9da7889012d36537f3acb35ac1cc
SHA256: 18507cd6bf6a5c16c6d779ff0b04c6308bb5e6d0f28114bfd4d7b387345aab1d
SHA512: c7f52a92540048ceb31d4fa96fc7e679c610eb9ad51a6835c71135c54f660ac543df68739cac53950a7724ae76138f50e3e261c4ad81447c6ed5ec31f79ae047
Malware Config
Signatures
-
YARA rule match: upx (2 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/3828-130-0x00000000003A0000-0x0000000000B49000-memory.dmp | upx
behavioral2/memory/3828-131-0x00000000003A0000-0x0000000000B49000-memory.dmp | upx
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is a generic heuristic: drive enumeration alone does not establish ransomware, and no file-encryption or ransom-note activity appears among the signatures reported here.
-
Registry keys created and values set (11 IoCs)
Processes:
virussign.exe (description | ioc | process)
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\DOMStorage\auth.services.adobe.com | virussign.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com\Total = "48" | virussign.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com | virussign.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com\NumberOfSubdomains = "1" | virussign.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com | virussign.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage | virussign.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | virussign.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "48" | virussign.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\auth.services.adobe.com\ = "48" | virussign.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | virussign.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\virussign.exe = "11001" | virussign.exe
-
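Added example (not part of the sandbox report) showing how an analyst can normalize these registry IoCs and read what they imply. FEATURE_BROWSER_EMULATION is Microsoft's documented per-executable opt-in to an Internet Explorer document mode for an embedded WebBrowser (MSHTML) control, and 11001 is the documented IE11 edge-mode value; the keys under Internet Explorer\DOMStorage are where that control persists per-origin DOM storage. Together the rows above are consistent with the sample hosting a browser control that loaded pages from adobe.com and auth.services.adobe.com. The rows below are transcribed from the table above; the mode descriptions are my own short wording of Microsoft's documented values, and the HKCU/HKLM mapping is an assumption that only the USER\<SID> and MACHINE hives occur.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Rows transcribed from the registry IoC table in the report above:
# (operation, ioc string as the sandbox printed it, process).
SID = "S-1-5-21-2632097139-1792035885-811742494-1000"
IE = "\\REGISTRY\\USER\\" + SID + "\\SOFTWARE\\Microsoft\\Internet Explorer"
IE_LC = "\\REGISTRY\\USER\\" + SID + "\\Software\\Microsoft\\Internet Explorer"
REPORT_ROWS = [
    ("Key created",     IE_LC + "\\DOMStorage\\auth.services.adobe.com", "virussign.exe"),
    ("Set value (int)", IE + '\\DOMStorage\\adobe.com\\Total = "48"', "virussign.exe"),
    ("Key created",     IE + "\\DOMStorage\\adobe.com", "virussign.exe"),
    ("Set value (int)", IE + '\\DOMStorage\\adobe.com\\NumberOfSubdomains = "1"', "virussign.exe"),
    ("Key created",     IE_LC + "\\DOMStorage\\adobe.com", "virussign.exe"),
    ("Key created",     IE + "\\DOMStorage", "virussign.exe"),
    ("Key created",     IE_LC + "\\DOMStorage\\Total", "virussign.exe"),
    ("Set value (int)", IE + '\\DOMStorage\\Total\\ = "48"', "virussign.exe"),
    ("Set value (int)", IE + '\\DOMStorage\\auth.services.adobe.com\\ = "48"', "virussign.exe"),
    ("Key created",     IE + "\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION", "virussign.exe"),
    ("Set value (int)", IE + '\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION\\virussign.exe = "11001"', "virussign.exe"),
]

# Documented FEATURE_BROWSER_EMULATION values (descriptions are my own wording).
EMULATION_MODES = {
    7000:  "IE7 standards mode",
    8000:  "IE8 standards mode (when !DOCTYPE present)",
    8888:  "IE8 standards mode, !DOCTYPE ignored",
    9000:  "IE9 standards mode (when !DOCTYPE present)",
    9999:  "IE9 standards mode, !DOCTYPE ignored",
    10000: "IE10 standards mode (when !DOCTYPE present)",
    10001: "IE10 standards mode, !DOCTYPE ignored",
    11000: "IE11 edge mode (when !DOCTYPE present)",
    11001: "IE11 edge mode, !DOCTYPE ignored",
}

# Assumption: only the per-user SID hive and the MACHINE hive appear in the input.
HIVE_RE = re.compile(r"^\\REGISTRY\\(USER\\S-1-5-21-[\d-]+|MACHINE)", re.IGNORECASE)
FBE_SUFFIX = "\\microsoft\\internet explorer\\main\\featurecontrol\\feature_browser_emulation"
DOMSTORAGE_RE = re.compile(r"\\microsoft\\internet explorer\\domstorage\\([^\\]+)$", re.IGNORECASE)


@dataclass
class RegEvent:
    op: str                    # "Key created", "Set value (int)", ...
    key: str                   # key path rewritten to HKCU\... / HKLM\...
    value_name: Optional[str]  # None for key-only ops, "" for the default value
    data: Optional[str]        # value data as printed by the sandbox
    process: str


def normalize_path(raw: str) -> str:
    """Map native object-manager paths (\\REGISTRY\\USER\\<SID>\\...) onto the
    HKCU/HKLM form analysts search with. Comparisons elsewhere are done
    case-insensitively because the registry is (the report mixes 'Software'
    and 'SOFTWARE' for the same key)."""
    m = HIVE_RE.match(raw)
    if not m:
        return raw
    hive = "HKLM" if m.group(1).upper() == "MACHINE" else "HKCU"
    return hive + raw[m.end():]


def parse_row(op: str, ioc: str, process: str) -> RegEvent:
    """Split a sandbox ioc string into key, value name and data.
    'Set value' rows look like <key>\\<name> = "<data>"; a trailing backslash
    before ' = ' (e.g. DOMStorage\\Total\\ = "48") means the default value."""
    if op.startswith("Set value"):
        path, _, data = ioc.rpartition(' = "')
        key, _, value_name = path.rpartition("\\")
        return RegEvent(op, normalize_path(key), value_name, data.rstrip('"'), process)
    return RegEvent(op, normalize_path(ioc), None, None, process)


def triage(rows):
    """Return the WebBrowser-control indicators in a set of registry IoCs:
    which executables opted into an IE document mode (and which one), and
    which web origins the embedded MSHTML control wrote DOM storage for."""
    emulation, domains = {}, set()
    for op, ioc, proc in rows:
        ev = parse_row(op, ioc, proc)
        if ev.value_name is not None and ev.key.lower().endswith(FBE_SUFFIX):
            try:
                mode = int(ev.data)
            except ValueError:
                continue
            emulation[ev.value_name] = (mode, EMULATION_MODES.get(mode, "unknown document mode"))
        m = DOMSTORAGE_RE.search(ev.key)
        if m and m.group(1).lower() != "total":   # 'Total' is a counter key, not an origin
            domains.add(m.group(1).lower())
    return {"emulation": emulation, "domains": domains}


if __name__ == "__main__":
    for k, v in triage(REPORT_ROWS).items():
        print(k, v)
```

The same parser runs unchanged over any other row set in this sandbox format; origins are reported lower-cased and without the per-origin counter keys, so they can be diffed against proxy logs or the sample's network IoCs directly.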
Suspicious behavior: EnumeratesProcesses 56 IoCs
Processes:
virussign.exe | pid 3828 | virussign.exe (56 occurrences)
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes:
virussign.exe | Token: SeIncreaseQuotaPrivilege | pid 3828 | virussign.exe (28 occurrences)
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
virussign.exe | pid 3828 | virussign.exe (2 occurrences)