0b2b1291bf52482f2cb3b56cb919775b07d5cbd61363427183f386828cbd79c6

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
Size

40KB
MD5

f288f768b07345234b5a7665053bb587
SHA1

edeadaf50e32160ad6b3ef65664c502ebeb0f4c6
SHA256

0b2b1291bf52482f2cb3b56cb919775b07d5cbd61363427183f386828cbd79c6
SHA512

131eacf2d185a6694ae602f054f30c4b046d24e1624cda7a5bad4639f6a51b0aec1e33bfcde6f9903194f1973c1054280faae26f7ac1e7a292a62079231b6238
SSDEEP

768:kBT37CPKKdJJ1EXBwzEXBwdcMcwBcCBcw/tio/tiISKSz3D:CTW7JJ7TTQoQIRU

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4725) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3944-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00090000000233fc-2.dat	upx
behavioral2/files/0x0004000000022922-6.dat	upx
behavioral2/memory/3944-693-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngom.md.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xalan.md.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IVY.DLL.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationCore.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\it.pak.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\msipc.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE.POTX.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcr120.dll.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\coreclr.dll.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightItalic.ttf.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Input.Manipulations.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationTypes.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-phn.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicudt58_64.dll.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClientSideProviders.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxml2.md.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsBase.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Extensions.dll.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClient.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kinit.exe.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\trdtv2r41.xsl.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Ping.dll.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Encoding.dll.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebClient.dll.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l1-2-0.dll.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSO0127.ACL.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Controls.Ribbon.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoDev.png.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IGX.DLL.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.deps.json.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\id.pak.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe

C:\Users\Admin\AppData\Local\Temp\Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Danger.ATA_virussign.com_f288f768b07345234b5a7665053bb587.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
40KB

MD5
71321c211e2fa3e0a7d2cbf755330878

SHA1
55ef7b299846987e0fd075e0b76289d8f9e30f8f

SHA256
7d64adac77b02f931008eec3ef24c41aaea86ef836be8a17405c9d1bfe2c2e9f

SHA512
6c36c3960b4a1ad6e630d1edcfd1e38e8b43d866da3532f6a9a1492bd976d591f627755588c6f5fb497ce80d3f09cb8f98f6ba47d69dbf4c21552d2883579db6

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
139KB

MD5
cafe11fbc59317e5cd8df73b0a2e6c52

SHA1
53c4290c4ce266fc18ce545aba97ba351f767454

SHA256
9190b3cc77ec616e8e29e97d28f7a11659bbb27f0b643407400ef922a0dd3943

SHA512
6c1b09a0139f8e9dd2a7e13aec8c77da31ea9a8cce357d65eec71010f11105486a4a7886e53e72e1c728a0ffe93ff90504403ccde6f548f1c0960082b21b46b1

Download Submit
memory/3944-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3944-693-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download