a988085ba5e2e6b458b46936525d7fac89c64d99d5dbed5474680a132fafbad5

Analysis

max time kernel
150s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
Size

103KB
MD5

500837d9b424659fe8d003d5c8896931
SHA1

c6ace3849a7303d6ce3c08a3f8216cae92b44382
SHA256

a988085ba5e2e6b458b46936525d7fac89c64d99d5dbed5474680a132fafbad5
SHA512

359911deea699b40973361e28def6eb513d090e30246ca6b8716606e86e48eeba9a8ebd61aa069f13360af38d952c18d3ffb4579db901114bed3cfa48ababa21
SSDEEP

3072:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFslEhLfyBU:PqFF2Ie+efsL1UabUaG

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4243) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\msvcp140.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\mojo_core.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationClientSideProviders.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Java\jre-1.8\bin\decora_sse.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.DataContractSerialization.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Controls.Ribbon.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Xaml.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.exe.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_F_COL.HXK.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\Logo.png.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Java\jdk-1.8\jre\Welcome.html.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsFormsIntegration.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Classic.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Java\jdk-1.8\javafx-src.zip.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Java\jre-1.8\bin\npt.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmid.exe.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.FileVersionInfo.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationFramework.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-conio-l1-1-0.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Input.Manipulations.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-phn.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-private-l1-1-0.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.HttpUtility.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.AppContext.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NetworkInformation.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\attach.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Smokey Glass.eftx.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Java\jre-1.8\bin\verify.dll.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe

C:\Users\Admin\AppData\Local\Temp\Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Danger.ATA_virussign.com_500837d9b424659fe8d003d5c8896931.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1296,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
1⤵
PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
103KB

MD5
d419e4d71045e8167454d076a33d56cb

SHA1
603cb9acc4cba3e78e453124c22b0ec43798bb9f

SHA256
c1aa992da024c5dd1b3f8564cc26be84d8cf1470faea047c2c32b123bbc3d95d

SHA512
1232d6d436e6a24810f19896a3108a1a9cc7cf47becf3cf118429f1cae8943dd6ef0de8322cf183e2566af241eecf4626f62d13b090df7f2c76e58ff48c1087f

Download Submit
C:\Program Files\7-Zip\7-zip.chm.exe

Filesize
215KB

MD5
abc96978bb7586b5534ecb3e0f5766ee

SHA1
1ead5ac39a843e4834fc6cf018ad03fb4558d438

SHA256
f49e86b533d126d3a03cb24c9a273fe6680438ad13a290679c882b7a6821d2c2

SHA512
29c1ede0b53029fef94374f77f0141d9ecf94d291d0be3bf358079d99f0613941daa3713891219b446aa95045022cf79feaa169268e1e32c252c093a5bbb93fa

Download Submit