Analysis
max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/06/2024, 11:45
Static task: static1
Behavioral task: behavioral1
  Sample: virussign.com_127b09e4113d207b9e5edfac515028e0.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: virussign.com_127b09e4113d207b9e5edfac515028e0.exe
  Resource: win10v2004-20240508-en
General
Target: virussign.com_127b09e4113d207b9e5edfac515028e0.exe
Size: 12KB
MD5: 127b09e4113d207b9e5edfac515028e0
SHA1: 370f3b990b119ea9f114485015953eee2c70e53d
SHA256: 3cb5ea28d34556fc91bf400ca39dde6a8266fb8bcf937ef0b05c991c94135d5a
SHA512: 916bccff48dc8ad426a2fefb9fc9ec91a275881ad35b984dfa3024582d5edad08d1fd2d35222bc34a33655fe5c93fa0b71d6f2b2962cd6966c9e26f4fe4d914b
SSDEEP: 384:VL7li/2zjq2DcEQvdhcJKLTp/NK9xa3w:1HM/Q9c3w
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
Process: virussign.com_127b09e4113d207b9e5edfac515028e0.exe

Deletes itself (1 IoC)
pid: 1384
Process: tmp5C88.tmp.exe

Executes dropped EXE (1 IoC)
pid: 1384
Process: tmp5C88.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
description: Token: SeDebugPrivilege
pid: 4344
Process: virussign.com_127b09e4113d207b9e5edfac515028e0.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                        pid   Process                                              procid_target
PID 4344 wrote to memory of 2120   4344  virussign.com_127b09e4113d207b9e5edfac515028e0.exe  86
PID 4344 wrote to memory of 2120   4344  virussign.com_127b09e4113d207b9e5edfac515028e0.exe  86
PID 4344 wrote to memory of 2120   4344  virussign.com_127b09e4113d207b9e5edfac515028e0.exe  86
PID 2120 wrote to memory of 1508   2120  vbc.exe                                              90
PID 2120 wrote to memory of 1508   2120  vbc.exe                                              90
PID 2120 wrote to memory of 1508   2120  vbc.exe                                              90
PID 4344 wrote to memory of 1384   4344  virussign.com_127b09e4113d207b9e5edfac515028e0.exe  91
PID 4344 wrote to memory of 1384   4344  virussign.com_127b09e4113d207b9e5edfac515028e0.exe  91
PID 4344 wrote to memory of 1384   4344  virussign.com_127b09e4113d207b9e5edfac515028e0.exe  91
Processes

C:\Users\Admin\AppData\Local\Temp\virussign.com_127b09e4113d207b9e5edfac515028e0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\virussign.com_127b09e4113d207b9e5edfac515028e0.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4344

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0imvpfsb\0imvpfsb.cmdline"
    - Suspicious use of WriteProcessMemory
    PID:2120

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E3D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8133B6F4EA25481089347C5AA4258270.TMP"
      PID:1508

  C:\Users\Admin\AppData\Local\Temp\tmp5C88.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp5C88.tmp.exe" C:\Users\Admin\AppData\Local\Temp\virussign.com_127b09e4113d207b9e5edfac515028e0.exe
    - Deletes itself
    - Executes dropped EXE
    PID:1384
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: e36b72f006c76e07cd11cbf270cafb10
SHA1: 950f24ed06452e61a9fb7ec002fa87a64ac74996
SHA256: 2556ea2b963c1b2a9026a2150495ee714e37ba25cb61fe07241cc60b67ef4eb2
SHA512: 71007337aca7e6f6b86195bdd1d4c3892ad30f810e9f13605bc01024313ab6b92882016102029c76e55e514d89c9cdd49c75b5a8fd00cf19836ccdb2abf662d9

Filesize: 273B
MD5: f740276a813c0fb7f0926070a2efbb54
SHA1: 5bab4bc02360757e9bd42133f2c939cd5bf328b1
SHA256: 8235764069a668de96f484c7ae981b9204936ec85fd9fbcb45b186049338fec2
SHA512: 4228b4f8260c7ea0b22dee6310b6310b47149ef4cb2884b913b70f8eb116610cd12cf6c1c5eda56f65661614a20ee5f0f9d05539097d743ae1012061f8a1f696

Filesize: 2KB
MD5: 0d61a36bb7cfd33c7f46d97685d64608
SHA1: d46513ac829b7c54bdae060fd372cbd8f6d0cdd9
SHA256: 6787a8a3c2fc4d58f54464c1788b250db6ada3e2859ecd8fcfd021dd17170789
SHA512: d8dc4073cbccfaa2d31003670ff7055331fc47783a30239690c3e5061008fcf1bb4c810629a66926dc960c52ea03e624a2ff90898d89f500c7a2ef6252dd6d61

Filesize: 1KB
MD5: ebccca1c6dc51d53a218b36db1181ef2
SHA1: d16c6b50fc0bc8ff71fcbc40f412294a1abb7592
SHA256: 6fb8cfeb965edd9ce0a7dcfd98b6c7a4b0642bccdf7f444e208358cc8ebb5922
SHA512: a90825a5125e21785721e03182d78db69883ac69096a92d17c3b65038b71cf8f9416e1cc043b79bfbf5463265fc8b36c8a1bd41638d2aae836b078f3969a92b1

Filesize: 12KB
MD5: 1cc99de8bf36ff21ff6c2c51f2d0167e
SHA1: 523ce28a4ff172657e9c624bf1c99570ae925934
SHA256: e1c46ac52c7dab8c1a1280f53e386a4268b25a0b18e07511da26b937337710f2
SHA512: e19c52e9b6fc0c988883008d9d8ceef3e06028c22aeab7d95ed96968367b4b5bb39ad8fed0fc6d8278f0ea2f95f67c25d3f869165d67a182c70a352643db4df0

Filesize: 1KB
MD5: 116add55a680019d9b7aa6ca4949afe4
SHA1: 006a4b79ed1502e881a80307d4bb3110f87de775
SHA256: 630e7084d3b9b6bfa865eb9b1dd2165946641a0abc72fec83ed349da981aecf9
SHA512: 73df4cf794e9e843bbd6cdd00770a8ef531ec14c3853df046d341dc86149683e5464ef9b0d97a91c1c51dc54a67012c3e97d2b7879a3a2c586d0b42a6637198c