Analysis
- max time kernel: 135s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2024 02:42
Behavioral tasks (task: sample, resource)
- behavioral1: Virussign.2024.06.08/virussign.com_001d2d017b5a7716053d3f1486270f41.exe, win7-20240220-en
- behavioral2: Virussign.2024.06.08/virussign.com_001d2d017b5a7716053d3f1486270f41.exe, win10v2004-20240611-en
- behavioral3: Virussign.2024.06.08/virussign.com_00d73b2201d137dafcd073e6f90ed283.exe, win7-20240508-en
- behavioral4: Virussign.2024.06.08/virussign.com_00d73b2201d137dafcd073e6f90ed283.exe, win10v2004-20240611-en
- behavioral5: Virussign.2024.06.08/virussign.com_012d6250b2f03cc71381041c4eeeb50a.exe, win7-20231129-en
- behavioral6: Virussign.2024.06.08/virussign.com_012d6250b2f03cc71381041c4eeeb50a.exe, win10v2004-20240508-en
- behavioral7: Virussign.2024.06.08/virussign.com_0253492c47e1aae5c1906a4b099e13b9.exe, win7-20240221-en
- behavioral8: Virussign.2024.06.08/virussign.com_0253492c47e1aae5c1906a4b099e13b9.exe, win10v2004-20240508-en
- behavioral9: Virussign.2024.06.08/virussign.com_025c0616d26ebf93aa583d575245bf35.exe, win7-20240508-en
- behavioral10: Virussign.2024.06.08/virussign.com_025c0616d26ebf93aa583d575245bf35.exe, win10v2004-20240508-en
- behavioral11: Virussign.2024.06.08/virussign.com_02c31485fa69ef9d1a370034d043587d.exe, win7-20240220-en
- behavioral12: Virussign.2024.06.08/virussign.com_02c31485fa69ef9d1a370034d043587d.exe, win10v2004-20240611-en
- behavioral13: Virussign.2024.06.08/virussign.com_03bf9f5a5e7769cd9cddf935454e30f1.exe, win7-20240508-en
- behavioral14: Virussign.2024.06.08/virussign.com_03bf9f5a5e7769cd9cddf935454e30f1.exe, win10v2004-20240226-en
- behavioral15: Virussign.2024.06.08/virussign.com_03d6ebf12ae52644ac8fbc893526aaad.exe, win7-20240611-en
- behavioral16: Virussign.2024.06.08/virussign.com_03d6ebf12ae52644ac8fbc893526aaad.exe, win10v2004-20240508-en
- behavioral17: Virussign.2024.06.08/virussign.com_0437640434489c178ddce32f6bc8bd9c.exe, win7-20240221-en
- behavioral18: Virussign.2024.06.08/virussign.com_0437640434489c178ddce32f6bc8bd9c.exe, win10v2004-20240508-en
- behavioral19: Virussign.2024.06.08/virussign.com_044454717ce16bdfddd7dfedfc4fa455.exe, win7-20240221-en
- behavioral20: Virussign.2024.06.08/virussign.com_044454717ce16bdfddd7dfedfc4fa455.exe, win10v2004-20240508-en
- behavioral21: Virussign.2024.06.08/virussign.com_0622fa4ddac7802def045e83a4ccb8c5.exe, win7-20240611-en
- behavioral22: Virussign.2024.06.08/virussign.com_0622fa4ddac7802def045e83a4ccb8c5.exe, win10v2004-20240508-en
- behavioral23: $PLUGINSDIR/NSIS_Picasa_Unicode.dll, win7-20231129-en
- behavioral24: $PLUGINSDIR/NSIS_Picasa_Unicode.dll, win10v2004-20240611-en
- behavioral25: $PLUGINSDIR/System.dll, win7-20240611-en
- behavioral26: $PLUGINSDIR/System.dll, win10v2004-20240508-en
- behavioral27: $PLUGINSDIR/nsDialogs.dll, win7-20240611-en
- behavioral28: $PLUGINSDIR/nsDialogs.dll, win10v2004-20240508-en
- behavioral29: $SYSDIR/GPhotos.scr, win7-20240221-en
- behavioral30: $SYSDIR/GPhotos.scr, win10v2004-20240226-en
- behavioral31: $TEMP/PicasaInstaller/spmsg.dll, win7-20231129-en
- behavioral32: $TEMP/PicasaInstaller/spmsg.dll, win10v2004-20240611-en
General
- Target: Virussign.2024.06.08/virussign.com_044454717ce16bdfddd7dfedfc4fa455.exe
- Size: 5.2MB
- MD5: 044454717ce16bdfddd7dfedfc4fa455
- SHA1: 2beb7f9914dfa214bbd2d6e69af0c154c13994a6
- SHA256: 55c3507d0db1a9dde5ee48796d7e0bdc7f3681f62aa8efff98e97b7ff9c1afdd
- SHA512: 8d55da3d0d1f85f674bdd9eeb4c05af4a45cfa25b83d513582bd7eb7cde0125109cde73e5b96c486d9ab09c845c45da07ef1b2158fd8dd1409da8e6d62174f5a
- SSDEEP: 49152:exxCp6fPKUYwWBNRaujWa6K2wxIO5B3CJr/FkjpdCnD5il0xbNbDevV05JDVEGmM:StfymWlMM3CtIIn40xbNbDIGJxUQ7
Malware Config
Signatures
- Drops file in Drivers directory (1 IoC)
  Process: virussign.com_044454717ce16bdfddd7dfedfc4fa455.exe
  File opened for modification: C:\Windows\System32\drivers\etc\hosts
- Executes dropped EXE (1 IoC)
  Process: 5c53b93874f242c2ae6816a5d87a59bb.exe (PID 2016)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s) (2 IoCs)
  Process: virussign.com_044454717ce16bdfddd7dfedfc4fa455.exe
  File created: C:\Windows\assembly\Desktop.ini
  File opened for modification: C:\Windows\assembly\Desktop.ini
- Drops file in Windows directory (3 IoCs)
  Process: virussign.com_044454717ce16bdfddd7dfedfc4fa455.exe
  File created: C:\Windows\assembly\Desktop.ini
  File opened for modification: C:\Windows\assembly\Desktop.ini
  File opened for modification: C:\Windows\assembly
- Suspicious use of WriteProcessMemory (3 IoCs)
  Process: virussign.com_044454717ce16bdfddd7dfedfc4fa455.exe (PID 4204)
  Target process: 5c53b93874f242c2ae6816a5d87a59bb.exe (PID 2016)
  PID 4204 wrote to memory of 2016 (recorded three times)
Processes
- C:\Users\Admin\AppData\Local\Temp\Virussign.2024.06.08\virussign.com_044454717ce16bdfddd7dfedfc4fa455.exe (PID 4204)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Virussign.2024.06.08\virussign.com_044454717ce16bdfddd7dfedfc4fa455.exe"
  - Drops file in Drivers directory
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\5c53b93874f242c2ae6816a5d87a59bb.exe (PID 2016, child of PID 4204)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5c53b93874f242c2ae6816a5d87a59bb.exe" --01
    - Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Local\Temp\5c53b93874f242c2ae6816a5d87a59bb.exe
  Filesize: 4.8MB
  MD5: c18d8858bdedc5492f9b64d5f049e5d3
  SHA1: c175dcaaac45554522527ead75845cba50b53622
  SHA256: 962f67ff9d9609ca911c66f8d86e7717bbb91580b524fbe68b65f7631ad1a283
  SHA512: ea5bc49c6dd57e22c7f700ffa5b9060c99eac5d6aa94d7ff3dc15aa9bf4b272d733c039ba7b384a6dccdee52b39d22a54b5fce0f749267988cbe0d59fdb5bcbc

Memory dumps (PID 4204; file, filesize)
- memory/4204-6-0x000000001C900000-0x000000001C92E000-memory.dmp, 184KB
- memory/4204-2-0x000000001C140000-0x000000001C60E000-memory.dmp, 4.8MB
- memory/4204-3-0x000000001C6B0000-0x000000001C74C000-memory.dmp, 624KB
- memory/4204-4-0x00007FFA2F450000-0x00007FFA2FDF1000-memory.dmp, 9.6MB
- memory/4204-5-0x0000000001750000-0x0000000001758000-memory.dmp, 32KB
- memory/4204-0-0x00007FFA2F705000-0x00007FFA2F706000-memory.dmp, 4KB
- memory/4204-9-0x000000001DA90000-0x000000001DA9A000-memory.dmp, 40KB
- memory/4204-1-0x00007FFA2F450000-0x00007FFA2FDF1000-memory.dmp, 9.6MB
- memory/4204-13-0x00007FFA2F450000-0x00007FFA2FDF1000-memory.dmp, 9.6MB
- memory/4204-16-0x000000001BC60000-0x000000001BC6E000-memory.dmp, 56KB
- memory/4204-17-0x000000001E570000-0x000000001E590000-memory.dmp, 128KB
- memory/4204-18-0x000000001E5B0000-0x000000001E5C8000-memory.dmp, 96KB
- memory/4204-20-0x00007FFA2F450000-0x00007FFA2FDF1000-memory.dmp, 9.6MB