36f088729d355e5c4f7e16a0bb5b72a52d8c17a8d90adeac2b4ae241c04dd53d

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
Size

71KB
MD5

c012179cf4b0934f89f02ed34635644f
SHA1

4fc1d2c63f3e02d48bbaa03450abcade256f89a6
SHA256

36f088729d355e5c4f7e16a0bb5b72a52d8c17a8d90adeac2b4ae241c04dd53d
SHA512

d34a325998ce58e8cf3f05a004946ec214779ea8a75b6bea2fc713f6584c910d7375b943a424f57b90e9a12d0ecf38f9d5d06184e6a006b0cf6f54253ddbf746
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATBWvyBh85c54wWq:V7Zf/FAxTWoJJZENTBWv36Z

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3149) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2504-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x00080000000120fb-2.dat	upx
behavioral1/files/0x0008000000016398-6.dat	upx
behavioral1/memory/2504-48-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Conversion.v3.5.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Common Files\System\msadc\handler.reg.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\La_Paz.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-plaf.jar.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_ja.jar.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-10.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Chita.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_it.jar.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_ja_4.4.0.v20140623020002.jar.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Ust-Nera.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Tallinn.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\org.eclipse.rcp_root_4.4.0.v20141007-2301.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\MANIFEST.MF.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.svg_1.1.0.v201011041433.jar.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Malta.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\vlc.mo.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\mlib_image.dll.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\profilerinterface.dll.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Mozilla Firefox\postSigningData.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\http.luac.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Salta.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.registry_1.1.300.v20130402-1529.jar.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Baghdad.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\vlc.mo.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Tashkent.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\mr.pak.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\CIEXYZ.pf.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpcore_4.2.5.v201311072007.jar.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CET.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Noronha.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kwajalein.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.bat.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\jvm.cfg.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Oslo.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Manaus.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html.tmp	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe

C:\Users\Admin\AppData\Local\Temp\Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Danger.ATA_virussign.com_c012179cf4b0934f89f02ed34635644f.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

Filesize
72KB

MD5
9e0543c117f6c7237a5712ffce67febd

SHA1
8f6d9cb0a976eda2891bd6604997c47d80db8754

SHA256
b5d6d37cbd36c459bac26da01f8f19b867a0af884d2a715abe24122497c61f20

SHA512
d82277aee55130781eb2a7563338fe325fd2e65e7d5edcbadfe862202fbcace12c168150d2a0d68b97ad0b3eeaa719d467d42f97a3c6f55e27ec2705028fdd32

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
81KB

MD5
b74bd4da0f55efdc8645eab93c9e2d64

SHA1
60e46c2baf98a9a3da500b96e3817f595a3a6993

SHA256
c99f9d497b3298f90bb03ffdab7dc9b62b59a1e90cb6f8902b49e67a42c17df3

SHA512
8fd2e8ef30bbb9911afc5751a98e68f2ca43fc83e3e5e207029106f0af54071d676c54237e5d82906002dd0e9d86473c82691d6587ad442aa41f644a2d53b8ce

Download Submit
memory/2504-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2504-48-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download