Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 117s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 08/06/2024, 11:45
Static task: static1
Behavioral task: behavioral1
  Sample: virussign.com_127b09e4113d207b9e5edfac515028e0.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: virussign.com_127b09e4113d207b9e5edfac515028e0.exe
  Resource: win10v2004-20240508-en
General
Target: virussign.com_127b09e4113d207b9e5edfac515028e0.exe
Size: 12KB
MD5: 127b09e4113d207b9e5edfac515028e0
SHA1: 370f3b990b119ea9f114485015953eee2c70e53d
SHA256: 3cb5ea28d34556fc91bf400ca39dde6a8266fb8bcf937ef0b05c991c94135d5a
SHA512: 916bccff48dc8ad426a2fefb9fc9ec91a275881ad35b984dfa3024582d5edad08d1fd2d35222bc34a33655fe5c93fa0b71d6f2b2962cd6966c9e26f4fe4d914b
SSDEEP: 384:VL7li/2zjq2DcEQvdhcJKLTp/NK9xa3w:1HM/Q9c3w
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2524  tmp7E84.tmp.exe
- Executes dropped EXE (1 IoC)
  pid 2524  tmp7E84.tmp.exe
- Loads dropped DLL (1 IoC)
  pid 2020  virussign.com_127b09e4113d207b9e5edfac515028e0.exe
- Uses the VBS compiler for execution (1 TTP)
  The binary invoked here is vbc.exe, the Visual Basic .NET compiler shipped with the .NET Framework (not the VBScript engine); see the vbc.exe / cvtres.exe chain in the process tree.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 2020  virussign.com_127b09e4113d207b9e5edfac515028e0.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   process                                               procid_target
  PID 2020 wrote to memory of 2064   2020  virussign.com_127b09e4113d207b9e5edfac515028e0.exe   28  (4 events)
  PID 2064 wrote to memory of 2860   2064  vbc.exe                                               30  (4 events)
  PID 2020 wrote to memory of 2524   2020  virussign.com_127b09e4113d207b9e5edfac515028e0.exe   31  (4 events)
Processes
C:\Users\Admin\AppData\Local\Temp\virussign.com_127b09e4113d207b9e5edfac515028e0.exe  (PID 2020)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\virussign.com_127b09e4113d207b9e5edfac515028e0.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (PID 2064, child of 2020)
    cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kygpemsn\kygpemsn.cmdline"
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  (PID 2860, child of 2064)
      cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8343.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc366E6519CC804131BAB045DCAF80FC6F.TMP"
  C:\Users\Admin\AppData\Local\Temp\tmp7E84.tmp.exe  (PID 2524, child of 2020)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\tmp7E84.tmp.exe" C:\Users\Admin\AppData\Local\Temp\virussign.com_127b09e4113d207b9e5edfac515028e0.exe
    - Deletes itself
    - Executes dropped EXE
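The process tree is the textbook shape of .NET runtime compilation: the sample hands vbc.exe a response file (@...cmdline) in its own Temp directory, vbc.exe calls cvtres.exe to link a resource, and the freshly built tmp7E84.tmp.exe is then launched with the original sample's path as its argument, which is the hand-off behind the "Deletes itself" signature. The detection below is an added example, not code from tria.ge or from the report: it runs three rules over constructed Sysmon-style process-creation records whose PIDs and command lines mirror the tree above. The explorer.exe parent, the benign MSBuild/csc.exe control pair, the DEV_PARENTS allow-list and the ProcEvent shape are assumptions made for the demo.

```python
"""Flag the runtime-compilation chain seen in the process tree above.

Added example, not part of the tria.ge report. EVENTS are constructed
Sysmon-style process-creation records; the explorer.exe parent and the
benign MSBuild/csc.exe pair are assumptions, as is the DEV_PARENTS list.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # its command line


# vbc.exe (VB.NET compiler) and csc.exe (C# compiler) are legitimate .NET
# Framework binaries; CodeDOM-style runtime compilation feeds them a
# "@<file>.cmdline" response file, and the compiler then runs cvtres.exe to
# link a resource file. What makes the chain suspicious is who launches the
# compiler and where the response file lives, not the compiler itself.
COMPILERS = ("vbc.exe", "csc.exe")
DEV_PARENTS = ("msbuild.exe", "devenv.exe", "dotnet.exe")   # assumed allow-list
USER_WRITABLE = re.compile(
    r"\\(appdata\\local\\temp|users\\[^\\]+\\downloads|programdata)\\", re.I)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, ppid, detail) tuples for events matching the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        name = basename(e.image)

        # Rule 1: a compiler given a response file in a user-writable directory
        # by a parent that is not a build tool.
        if name in COMPILERS:
            m = RESPONSE_FILE.search(e.cmdline)
            if m and USER_WRITABLE.search(m.group(1)) and pname not in DEV_PARENTS:
                findings.append(("runtime_compile", e.pid, e.ppid, m.group(1)))

        # Rule 2: cvtres.exe under the compiler, i.e. a fresh PE is being linked.
        if name == "cvtres.exe" and pname in COMPILERS:
            findings.append(("cvtres_link", e.pid, e.ppid, e.image))

        # Rule 3: a binary in a user-writable directory launched with its
        # parent's own path as an argument (the self-deletion hand-off).
        if (parent and name != pname and USER_WRITABLE.search(e.image)
                and parent.image.lower() in e.cmdline.lower()):
            findings.append(("self_delete_handoff", e.pid, e.ppid, parent.image))
    return findings


TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
NET = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\"
SAMPLE = TEMP + "virussign.com_127b09e4113d207b9e5edfac515028e0.exe"

# Constructed events mirroring the report's tree (PIDs 2020/2064/2860/2524),
# plus a benign MSBuild -> csc.exe control that must NOT be flagged.
EVENTS = [
    ProcEvent(1000, 4, "C:\\Windows\\explorer.exe", "explorer.exe"),
    ProcEvent(2020, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2064, 2020, NET + "vbc.exe",
              f'"{NET}vbc.exe" /noconfig @"{TEMP}kygpemsn\\kygpemsn.cmdline"'),
    ProcEvent(2860, 2064, NET + "cvtres.exe",
              f'{NET}cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
              f'"/OUT:{TEMP}RES8343.tmp" "{TEMP}vbc366E6519CC804131BAB045DCAF80FC6F.TMP"'),
    ProcEvent(2524, 2020, TEMP + "tmp7E84.tmp.exe",
              f'"{TEMP}tmp7E84.tmp.exe" {SAMPLE}'),
    ProcEvent(4000, 1000, "C:\\Program Files\\MSBuild\\MSBuild.exe", "MSBuild.exe app.csproj"),
    ProcEvent(4001, 4000, NET + "csc.exe",
              f'"{NET}csc.exe" /noconfig @"C:\\src\\app\\obj\\Debug\\app.cmdline"'),
]


def run_demo():
    return detect(EVENTS)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Rule 1 is the one worth tuning in production: vbc.exe and csc.exe launched by msbuild.exe with a response file under a source tree are normal, so the rule keys on the parent image and on the response file sitting under Temp, Downloads or ProgramData rather than on the compiler alone. Rule 3 only needs the parent's image path to appear in the child's arguments, which is exactly what the tmp7E84.tmp.exe command line above shows.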
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: 9b8443147e8d95a0a121a01da595b279
SHA1: b403e94aa353063b69a27f5b8b0ef830ea5c1a7a
SHA256: 49ea19de0bb3fef9b3266c5bc285f7256bed503b26b9aa426165a93bce43fe42
SHA512: 4f9f5189f1e491621f5ae45aa693d429e833254f622d9ef9ba85b8c0bfabffc49294b09b77bd24ddbd09634c687e3dc69cd35886d9adde4d4d899849887f8bd9

Filesize: 1KB
MD5: f756b742dde1b0e0c5c60ced40a071f7
SHA1: 42d76b4a6d2bd0fcdd3c2c68568bef24c9a80191
SHA256: cdc577d1b4f3b9868f1a6b5ded0cbffdd6e31e1b44430879d4ec1b5a90472f58
SHA512: 77bbd9fdb42d42743c2ba947963f68d0cbb79cd8a8160cea3a3357328b0245833a771e3c3d6a13c93db089a78279cf9430a043bca4ee1a2939e58b1ca74ed15f

Filesize: 2KB
MD5: 0ef9421226eca9b3e480854fc6db0bc2
SHA1: ff2fd160a610897c24fea1a6f66a95cf98ee4364
SHA256: 51dee201ac3a8fd7d32897d8c329c85901e8a73fd8affff1ac39a969079ece9e
SHA512: c2407d560f7f447c19952aa456341f9606b7396bcd5ad003517c4d6d3f92675b681c574557b27be6d5f29b3f6f33262551f32044d5605f1b63152bdf74d9278e

Filesize: 273B
MD5: d7437a48fd01630ae5a41d8efa061373
SHA1: 2120aa3a5d1a67e32952f81b3868e20d9d1faaa3
SHA256: 6ed5f506921539fb88aa8a6604b93162f8ec12fea6a4cec92e2dab79d0c5cafe
SHA512: 2f1eaad7cf397618b78827adb28c971639651d37a8559d493959674ba684436b4e28a8c911120bc2c6b0ea83e97e0f37f378ed209512798cf5a1dbfa62d56357

Filesize: 12KB
MD5: 726d491b986c089f2135650af3250d4a
SHA1: f0052d3557b75fc5b381dd233e1262d2f41fce80
SHA256: f4e7c41be58374db96ec98652dc30862c2bb7ed33249916c3821779225316166
SHA512: 38292c0fbd844d54ff1c53bd029374f03934584312ecb3b7d9ee38ae83544cd52132faf7d5e4a0fe5259cfb8257f100afa6d8d7b90049b54f12ed3efca609053

Filesize: 1KB
MD5: cd99577372ee053065843fbb758b53e1
SHA1: 247d750c3fe01c0d53f73806ef37e2dcf687a49b
SHA256: 3e9be4b26add59c0f1fe788517751f3aa2f1a0f497fd2a6e932b20e6bc2bfeae
SHA512: 3d5b2bef0884959a03eca034a8d07fd92feeca66e2b9f612dcbe32bd5c8eddf45fc4f13ada80565934606c230b569d2c97104e488b13407f896783902c41eabe