Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
28/05/2024, 17:32
Static task
static1
Behavioral task
behavioral1
Sample
virussign.com_27b6bd825a546f97eef0488370acc8a0.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
virussign.com_27b6bd825a546f97eef0488370acc8a0.exe
Resource
win10v2004-20240508-en
General
-
Target
virussign.com_27b6bd825a546f97eef0488370acc8a0.exe
-
Size
37KB
-
MD5
27b6bd825a546f97eef0488370acc8a0
-
SHA1
50262c75d6e81573795311da39f3784554cde50f
-
SHA256
0b6c36488bcb097d2b217fd15c7794c54a7991b6c9858e2dfa2bd06c3f3c41e7
-
SHA512
f6aa891e1c291be4407c9e775ed5222b6b3ca5dc54adbd4f40d4ed5b8aa09b359abdfdd9479b14d537d9d3fc7fe567616b650513a41222235ae286fafdf9e789
-
SSDEEP
384:oPDUQ/pgeY/PiZpIPHbABisNtA0lYDlIq9dXrm7AG3fmPIJq96NhKl1S:+l/BEPiAvbAbDYDlJdXqEG3eyDKk
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation virussign.com_27b6bd825a546f97eef0488370acc8a0.exe -
Executes dropped EXE 1 IoCs
pid Process 2960 gffos.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1612 wrote to memory of 2960 1612 virussign.com_27b6bd825a546f97eef0488370acc8a0.exe 83 PID 1612 wrote to memory of 2960 1612 virussign.com_27b6bd825a546f97eef0488370acc8a0.exe 83 PID 1612 wrote to memory of 2960 1612 virussign.com_27b6bd825a546f97eef0488370acc8a0.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\virussign.com_27b6bd825a546f97eef0488370acc8a0.exe"C:\Users\Admin\AppData\Local\Temp\virussign.com_27b6bd825a546f97eef0488370acc8a0.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Users\Admin\AppData\Local\Temp\gffos.exe"C:\Users\Admin\AppData\Local\Temp\gffos.exe"2⤵
- Executes dropped EXE
PID:2960
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD556cd1c76e6db9e34e5352b0e6f4135b7
SHA1da5ab9ecee9e48311ee05b8cfbefa83bf7be574c
SHA256fda2c6cdab82ab5ad6703ce18842db15dced49b2e1c817d7278c15ba5f4cff5d
SHA51288bf86a1583bc478bb6c18f67a454046487b3f944def6818bb58c9c4e5524a69d68428249303f63dadf3539c2f02b177197f1403021b901b6197f05ecfd8ef41