dbd6a8cded4e1c377770f79a34a43f06a4c3a1e873297d841fb22b58ab967092

Analysis

max time kernel
150s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
Size

49KB
MD5

5095fd55dbb1d0e33307da678eef9670
SHA1

c786add4a0e645b37480d58f10542d63afe87d4b
SHA256

dbd6a8cded4e1c377770f79a34a43f06a4c3a1e873297d841fb22b58ab967092
SHA512

889e5d143a07cb11ed38237bbd0364157f3b6bb64a87d56fbd3f0c87552d57a7c804eecafbca1c7350a61d0cba1b17f0d80fd1b0d37d33c890f897f13ec1f0a1
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFjqAJLOqAJLY2kPWG3PWGD:W7ZppApBULcfpHLcfpyDf2kPWG3PWGD

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4613) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Parallel.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.Json.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlDocument.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\manifest.json.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2native.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.V7.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GRAPH.ICO.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsFormsIntegration.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClient.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLLEX.DLL.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoia.exe.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Watcher.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Java\jre-1.8\lib\psfont.properties.ja.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Writer.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Primitives.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Input.Manipulations.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationFramework.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Xaml.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Java\jre-1.8\lib\charsets.jar.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Java\jre-1.8\release.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tools.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsBase.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.png.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-phn.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\ReachFramework.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_upe_sdk.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Xaml.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Accessibility.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Input.Manipulations.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClient.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe

C:\Users\Admin\AppData\Local\Temp\Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Danger.ATA_virussign.com_5095fd55dbb1d0e33307da678eef9670.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
49KB

MD5
01ead60426a57db272f799e887ccd92b

SHA1
2c7d5817679320a4a729c127f6ce4af90f443c3c

SHA256
c1abcfdebf230e48eb1f9fa2162e55b61cf57725dfe8c813f2d2220433f671ac

SHA512
e40eb54d343e51422868484731c36bb0310d5d17522d46e057d2fde94a97c9e06c10fa11001788042dffdc771edb259a8b2f4b87538a9ea461a96867d29c09ce

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
148KB

MD5
b4289a5a02dc53e54b5736e6176a3f9b

SHA1
4dbc78d9280a2a9bfa4ea71474ff1130401942e4

SHA256
a2965f7c9227dfbf788a93618c7d84dfaaa563aaafe18b484ac3c93b613655fc

SHA512
32c9ef8d936f7f5ebb0d909695571ca2b5bf19571111ded89d6cf1008f0088f8458c14415a1828ec950a562ec41658167e1376889d790d045f94e028a1e7fc48

Download Submit