10a28da80db0af3e201bfb776a055848068180e2cbbf47934f9266c9bfda733e

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
Size

62KB
MD5

27c29fc73e8930b27cd405ce257222c0
SHA1

eeff1fc52df35f8efaaa672799e832b2b1a4c747
SHA256

10a28da80db0af3e201bfb776a055848068180e2cbbf47934f9266c9bfda733e
SHA512

4d2362e69b24c04adc8a1cba25cdd14adfff8b29fbb8e5f16c8be7b42699f38618476723daa2d7e3ddc1f80be0a241c3819fc4dfefc17a09be8cf65472372035
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9SBo7Bomu1J4x:V7Zf/FAxTWoJJ7TFuz4x

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3442) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2528-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000a00000001225c-2.dat	upx
behavioral1/files/0x0008000000016d3e-6.dat	upx
behavioral1/memory/2528-68-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.SF.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-fallback.jar.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoDev.png.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Noronha.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-6.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Speech.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libtta_plugin.dll.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\tipresx.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Internet Explorer\en-US\F12.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Canary.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Chisinau.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Detroit.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rainy_River.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.dll.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\tipresx.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\1047x576black.png.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer_3.2.200.v20140827-1444.jar.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-output2.xml_hidden.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_10_p010_plugin.dll.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Windows Media Player\es-ES\mpvis.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Windows Media Player\wmpnssci.dll.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\calendar.html.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_zh_CN.jar.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\7-Zip\descript.ion.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jre7\lib\charsets.jar.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_a52_plugin.dll.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libedgedetection_plugin.dll.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\trusted.libraries.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_ja.jar.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+5.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Selectors.Resources.dll.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\DVD Maker\fr-FR\OmdProject.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\vimeo.luac.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libmediadirs_plugin.dll.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Common Files\System\ado\msado27.tlb.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_ja_4.4.0.v20140623020002.jar.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jre7\Welcome.html.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Mozilla Firefox\omni.ja.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Windows Media Player\de-DE\WMPSideShowGadget.exe.mui.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\ConvertToStart.wpl.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libcaca_plugin.dll.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\eula.dll.tmp	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe

C:\Users\Admin\AppData\Local\Temp\Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Danger.ATA_virussign.com_27c29fc73e8930b27cd405ce257222c0.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp

Filesize
63KB

MD5
67079a8bf4d4f10202ef02aeac9e5fca

SHA1
14d14b6f734070a548f3361b2782199c5edbd2d1

SHA256
b40c7a457f7b892cdd94ef27385b4881836680ae28a509a210fbe29144dc2fb1

SHA512
e05d078f8c98af664d46807bddf354d22912b82291c7ccc0365579be778d362bde1af03c8b960c96b603ea2ca9eb9f6cca385dbabab4fabff579d53730f8d8c0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
72KB

MD5
508df9059878ec8a874421bdcdcec15b

SHA1
1ece27c693446f7ecb0df1bfd356a18f15e11d0b

SHA256
66f4d13217ff9b9f85915ca4938886aca78f1d1d7b9104cfcd528d5f11590d09

SHA512
ccf75104b28b13e80eba0322261573885ecd839a9f720d2fe037e31ef35c349cfb074ac00f9654befc889ffdc52430bd9a3f815736f3548e451e5fbf64904ae1

Download Submit
memory/2528-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2528-68-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download