2c72c0c7ee3e2a01a34bb340b047f99869cd7875a0988320d1619c5af3ececac

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
Size

41KB
MD5

a9e5fbd715a8d86aae9608c29711944f
SHA1

e6e27bdeaabf70d5f0b7bac61ccbb1c02a1d13ed
SHA256

2c72c0c7ee3e2a01a34bb340b047f99869cd7875a0988320d1619c5af3ececac
SHA512

d95610b22f668f8e3820b17e3561ff3aa566002cd47d00f9c51f09b2a9a03137b12f1a3d300280c8827f441cf86494b41252dbb53bec206bd08961a0210590df
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOl6Sl5lsSccer0kV7r0kVz:W7ZhA7pApM21LOA1LOl6vSccb0s0z

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4372) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Cng.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\ReachFramework.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\ReachFramework.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwclassic.dotx.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\ClearUndo.cmd.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceModel.Web.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\w2k_lsa_auth.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EntityDataHandler.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Xaml.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Specialized.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsBase.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Xaml.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaw.exe.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsBase.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vk_swiftshader_icd.json.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterRegular.ttf.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-convert-l1-1-0.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Primitives.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\ReachFramework.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.DispatchProxy.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXT.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Uri.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMePowerPoint.nrr.tmp	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe

C:\Users\Admin\AppData\Local\Temp\Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Danger.ATA_virussign.com_a9e5fbd715a8d86aae9608c29711944f.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
42KB

MD5
326714aec2eb0abe5ed208917837caf8

SHA1
051a803624d2d21629cbe275926cc95b46bbb4e6

SHA256
78380c9d6c64c3aa295a3192bb3a471e05e48b336b02ac5891af78faaa887e02

SHA512
f25338993fcbb8db5ae314ee8f551bb43f6b128351f637b1404d6471cb814364fe9775a844f0c6d341ea85e2c35ff81a5c45a51a6c6add3a596877f2db95b723

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
140KB

MD5
03b1905e3698e0a4e7519ef24d76aaa7

SHA1
c3c8172046c23ce870ecf5aaf88603870ddf8ee5

SHA256
3e1ce2a7ede29a7ddf867b20a5f665f8e740f895f031a913d95c417e437f4a88

SHA512
608d459433a691407e50c9c63c417e87284b3ddbc8d348a2f250d2a046f9426b0c333ac4b0061bec699446a85088819b9953e67d50a1b790598efb682ef3a3e4

Download Submit