Analysis

  • max time kernel
    116s
  • max time network
    173s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250128-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250128-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    10/02/2025, 04:34

General

  • Target

    VirusSign.2023.11.29/04d25950be48329252ec8b3d53535596.exe

  • Size

    123KB

  • MD5

    04d25950be48329252ec8b3d53535596

  • SHA1

    67a1354b37307912849be0b07a67049cc97a341f

  • SHA256

    ad983be72d099c4e0e9c9afad9f84c1d163eb1d2e01c2b0b311335d16a368d38

  • SHA512

    02aed4c430b728cad12964e4611d7eea673e2c7eae7ea9a8ea616948b4081459a308070d824ff4b5f7f52ff2669715d074c6071ee57679a3727c5f3ce2d65467

  • SSDEEP

    3072:PfU/WF6QMauSuiWNi9CO+WARJrWNZIYvQd2b:AWKauSuiWNiUBRJrW7fb

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\04d25950be48329252ec8b3d53535596.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\04d25950be48329252ec8b3d53535596.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\ProgramData\Update\wuauclt.exe
      "C:\ProgramData\Update\wuauclt.exe" /run
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2784
    • C:\windows\SysWOW64\cmd.exe
      "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\04d25950be48329252ec8b3d53535596.exe" >> NUL
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1316

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Update\wuauclt.exe

    Filesize

    123KB

    MD5

    fa8d9eea650bf647552557dab28174fc

    SHA1

    e307f50bc6157a5372244325ede645817230667f

    SHA256

    e32313efbb1eef78a70d42c41851173faef4b91442fcda980a6aec3a9cb8b365

    SHA512

    ff6bd0f72ff26871d812416298a0f0c9deaae1b85f4a03039c6de84a2333d6acf2c90987b50c0a1a6aa73169e71c0c04ff28bc4aa396ab5ac38252a2756ea260