68d0a1d350689e62429f1a0b8608d090509728c8c6da0900fea4318839f46f49

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
Size

61KB
MD5

19805cb31a4ea800469c2aa050008897
SHA1

dceca8a9b589bba6cab3a9935e15ff6259d17990
SHA256

68d0a1d350689e62429f1a0b8608d090509728c8c6da0900fea4318839f46f49
SHA512

1f1897c14ccfd4969e21551f77b99d1175ae87028543bc2185bf8ccaa734c89e261734119f63a189edd18686f98f14874726e864fac7f2d9fc45923e39a54701
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcwBcCBcw/tio/tiISKSz3Ik:V7Zf/FAxTWoJJ7TTQoQIRG

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4753) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2052-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023442-2.dat	upx
behavioral2/files/0x000400000002291b-6.dat	upx
behavioral2/memory/2052-786-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClient.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Input.Manipulations.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jpeg.md.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_TW.properties.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140_1.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l2-1-0.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\msipc.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.IsolatedStorage.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Xaml.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_F_COL.HXK.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsBase.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\glass.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\bcel.md.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Primitives.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\AdHocReportingExcelClient.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Office16\InstallerMainShell.tlb.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Numerics.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Primitives.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbInterop.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NetworkInformation.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Immutable.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jpeg.md.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote.gpd.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Luna.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Xaml.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\management.properties.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DBGHELP.DLL.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceProcess.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Process.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXml.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\resources.pak.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-phn.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsFormsIntegration.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe

C:\Users\Admin\AppData\Local\Temp\Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Danger.ATA_virussign.com_19805cb31a4ea800469c2aa050008897.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
62KB

MD5
98e7948375c9e98bf15938b9487654aa

SHA1
8c3df354e8b9c0f228da4452f37d93680bae8e5b

SHA256
e36f30488ca6d5d073226ecb1a0988351343363577b9a4e5b1d91f7ac59aaf0a

SHA512
c90c341b561f32ba6b296458c241c9a568b89618fcade4c7df3d1ea4dbf3b8e6609be986c12149001876f96cc9e5666f3de9c161bd122d51eefcc0c1a7e6dc29

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
160KB

MD5
95a34f6334c054f55f61352cd50beed8

SHA1
9493f600ae5b32f0787eb096f0c95bdbaa40c404

SHA256
3f8345bc8ffe43af4ed184c1a9956a7dbbc23c2d84cf345b828428a576f07fbc

SHA512
4fda0a7f0225d87cc33ee49489113958253acc324e1d57409f34da2e5553e122e06a9e54807bd090bac7cd068c9acd5ccd4b04ceede3445a083a5484b393496d

Download Submit
memory/2052-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2052-786-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download