Analysis
-
max time kernel
6s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220414-en -
resource tags
arch:x64, arch:x86, image:win7-20220414-en, locale:en-us, os:windows7-x64, system -
submitted
15-07-2022 17:34
Static task
static1
Behavioral task
behavioral1
Sample
virussign.exe
Resource
win7-20220414-en
General
-
Target
virussign.exe
-
Size
597KB
-
MD5
e60ddc34bde1a87061dd29b5b4479890
-
SHA1
ac7e92f99be934dcb0ebe4f611ecc8b7984eed8d
-
SHA256
f84cd8ad47e1d607b9965b2505adf658a9ec61142cc51ef37cd703b1ad0eadab
-
SHA512
a1f64c5246b49b5c0c8ec47fa14de9962f85640ab29f0f1de6f19799b01f15e0b0699b11d0837e89833a10760897fbe8b44ea2d03bfaebd03f95fcde226a36a3
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes: virussign.exe
description     | ioc                                                                                                                  | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"        | virussign.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  | virussign.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | virussign.exe
-
UAC bypass
Processes: virussign.exe
description     | ioc                                                                              | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | virussign.exe
-
Windows security bypass
Processes: virussign.exe
description     | ioc                                                                                   | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"   | virussign.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"       | virussign.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"      | virussign.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | virussign.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  | virussign.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"       | virussign.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes: virussign.exe
description     | ioc                                                                                                                              | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | virussign.exe
-
Disables Task Manager via registry modification
-
Processes:
resource                                                                    | yara_rule
behavioral1/memory/1284-56-0x0000000002200000-0x000000000328E000-memory.dmp | upx
behavioral1/memory/1284-57-0x0000000002200000-0x000000000328E000-memory.dmp | upx
-
Windows security modification
Processes: virussign.exe
description     | ioc                                                                                   | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  | virussign.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"       | virussign.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"   | virussign.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"       | virussign.exe
Key created     | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc                          | virussign.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"      | virussign.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | virussign.exe
-
Checks whether UAC is enabled
Processes: virussign.exe
description     | ioc                                                                              | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | virussign.exe
-
Drops file in Windows directory 1 IoCs
Processes: virussign.exe
description                   | ioc                   | process
File opened for modification  | C:\Windows\SYSTEM.INI | virussign.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: virussign.exe
pid  | process
1284 | virussign.exe  (4 occurrences)
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
Processes: virussign.exe
description              | pid  | process
Token: SeDebugPrivilege  | 1284 | virussign.exe  (20 occurrences)
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes: virussign.exe
description                        | pid  | process       | target process
PID 1284 wrote to memory of 1128   | 1284 | virussign.exe | taskhost.exe
PID 1284 wrote to memory of 1192   | 1284 | virussign.exe | Dwm.exe
PID 1284 wrote to memory of 1272   | 1284 | virussign.exe | Explorer.EXE
-
System policy modification 1 TTPs 1 IoCs
Processes: virussign.exe
description     | ioc                                                                              | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | virussign.exe
Processes
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"  (level 1)
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE  (level 1)
  - C:\Users\Admin\AppData\Local\Temp\virussign.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\virussign.exe"  (level 2)
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"  (level 1)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1284-54-0x00000000008B0000-0x000000000094A000-memory.dmp  Filesize: 616KB
- memory/1284-55-0x0000000075E51000-0x0000000075E53000-memory.dmp  Filesize: 8KB
- memory/1284-56-0x0000000002200000-0x000000000328E000-memory.dmp  Filesize: 16.6MB
- memory/1284-57-0x0000000002200000-0x000000000328E000-memory.dmp  Filesize: 16.6MB
- memory/1284-58-0x0000000000160000-0x0000000000162000-memory.dmp  Filesize: 8KB
- memory/1284-59-0x00000000008B0000-0x000000000094A000-memory.dmp  Filesize: 616KB