Analysis
- max time kernel: 156s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-07-2022 17:30

Static task: static1
Behavioral task: behavioral1
- Sample: virussign.exe
- Resource: win7-20220715-en
General
- Target: virussign.exe
- Size: 116KB
- MD5: d9a58a2184595b99be56fb3534888830
- SHA1: 07f1eab666bec957bab92f4f99def1ef10a43950
- SHA256: e9d29e5a49be87aea8bd11f52e65d51c5614374cbbc5bd28a602157769d631b7
- SHA512: 77869f849bb2a45b01b7f41d3d76139b1cf0bb433cdf2ab8b427d236c66b8b237083127c01a46154ef96358740615676e8c72abdfcfe0a35986a7dcbc465009c
Malware Config
Extracted
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures

UAC bypass 1 IoCs
Processes: virussign.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass 6 IoCs
Processes: virussign.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Disables RegEdit via registry modification 1 IoCs
Processes: virussign.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"
Disables Task Manager via registry modification

Modifies Windows Firewall 1 TTPs 1 IoCs
YARA rule match (upx) 3 IoCs
Resources:
- behavioral2/memory/2240-131-0x0000000002C50000-0x0000000003C83000-memory.dmp: upx
- behavioral2/memory/2240-136-0x0000000002C50000-0x0000000003C83000-memory.dmp: upx
- behavioral2/memory/2240-137-0x0000000002C50000-0x0000000003C83000-memory.dmp: upx
Windows security modification 7 IoCs
Processes: virussign.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Checks whether UAC is enabled 1 IoCs
Processes: virussign.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Drops file in Program Files directory 12 IoCs
Processes: virussign.exe
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7zFM.exe
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7zG.exe
- File opened for modification: C:\PROGRAM FILES\7-ZIP\Uninstall.exe
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe
- File created: C:\Program Files\Symantec\LiveUpdate\LUALL.EXE
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7z.exe
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe
Drops file in Windows directory 5 IoCs
Processes: virussign.exe
- File opened for modification: C:\Windows\SYSTEM.INI
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-fax-common_31bf3856ad364e35_10.0.19041.1_none_c1f5bc6ceffe0e16\WelcomeScan.jpg.exe
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-fax-common_31bf3856ad364e35_10.0.19041.1_none_c1f5bc6ceffe0e16\WelcomeScan.jpg.exe
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-fax-common_31bf3856ad364e35_10.0.19041.906_none_ea293d31af4f56ea\WelcomeScan.jpg.exe
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-fax-common_31bf3856ad364e35_10.0.19041.906_none_ea293d31af4f56ea\WelcomeScan.jpg.exe
Modifies Internet Explorer settings 4 IoCs
Processes: explorer.exe
- Key created: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Toolbar
- Set value (int): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
- Key created: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
- Set value (data): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = <binary blob>
Modifies registry class 38 IoCs
Processes: explorer.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
- PID 4608 explorer.exe
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
- PID 2240 virussign.exe (30 occurrences)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- PID 4608 explorer.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- Token: SeDebugPrivilege, PID 2240 virussign.exe (64 occurrences)
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
- PID 2240 virussign.exe
- PID 4608 explorer.exe
- PID 4608 explorer.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Source process: PID 2240 virussign.exe. Target processes written to (64 writes in total, one line per distinct target):
- PID 2904 netsh.exe
- PID 2828 explorer.exe
- PID 756 fontdrvhost.exe
- PID 760 fontdrvhost.exe
- PID 1008 dwm.exe
- PID 2792 sihost.exe
- PID 2844 svchost.exe
- PID 2880 taskhostw.exe
- PID 2600 Explorer.EXE
- PID 2964 svchost.exe
- PID 3256 DllHost.exe
- PID 3352 StartMenuExperienceHost.exe
- PID 3428 RuntimeBroker.exe
- PID 3508 SearchApp.exe
- PID 3700 RuntimeBroker.exe
- PID 3112 Conhost.exe
- PID 4608 explorer.exe
System policy modification 1 TTPs 1 IoCs
Processes: virussign.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\virussign.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\virussign.exe"
    signatures:
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall set opmode disable
      signatures:
      - Modifies Windows Firewall
      - C:\Windows\System32\Conhost.exe
        command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - C:\Windows\SysWOW64\explorer.exe
      command line: explorer virussignl
    - C:\Windows\SysWOW64\NOTEPAD.EXE
      command line: "C:\Windows\system32\NOTEPAD.EXE"
- C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
- C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  signatures:
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/448-138-0x0000000000000000-mapping.dmp
- memory/448-139-0x0000000000570000-0x0000000000587000-memory.dmp (filesize 92KB)
- memory/2240-130-0x0000000000400000-0x000000000041D000-memory.dmp (filesize 116KB)
- memory/2240-131-0x0000000002C50000-0x0000000003C83000-memory.dmp (filesize 16.2MB)
- memory/2240-136-0x0000000002C50000-0x0000000003C83000-memory.dmp (filesize 16.2MB)
- memory/2240-137-0x0000000002C50000-0x0000000003C83000-memory.dmp (filesize 16.2MB)
- memory/2240-140-0x0000000000400000-0x000000000041D000-memory.dmp (filesize 116KB)
- memory/2828-135-0x0000000000000000-mapping.dmp
- memory/2904-134-0x0000000000000000-mapping.dmp