Analysis
- max time kernel: 150s
- max time network: 102s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/09/2024, 12:46
Behavioral task behavioral1
- Sample: Trojan.Danger.ATA_virussign.com_5fe93dc75aa60c93321b4b91b1ca81da.exe
- Resource: win7-20240729-en
Behavioral task behavioral2
- Sample: Trojan.Danger.ATA_virussign.com_5fe93dc75aa60c93321b4b91b1ca81da.exe
- Resource: win10v2004-20240802-en
General
- Target: Trojan.Danger.ATA_virussign.com_5fe93dc75aa60c93321b4b91b1ca81da.exe
- Size: 115KB
- MD5: 5fe93dc75aa60c93321b4b91b1ca81da
- SHA1: e881e6aeb09e0fc96f9c75d5d420c41f34651d2b
- SHA256: 8071fa5a060b5851fabe87f01a7188b57c3cac021aa01c42724d393f7cdab75f
- SHA512: d36c0235e290f4362db25429e32b613cefd21abdd1da4f150ebb396c9003dbad1f7493bb280afc3dd7d833d6f277c7aaf501154064ec0880005b8cf40b71f2f2
- SSDEEP: 1536:V7Zf/FAxTWoJJZENTNyl2Sm0mKuC1TC1PM1mM1XUUgWIVD5IDaGZC09c51+EGgSf:fny1tE42EXUU7964ExSwDG
Malware Config
Signatures
- Renames multiple (4140) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- YARA rule matches (resource / yara_rule)
  behavioral2/memory/4180-0-0x0000000000400000-0x000000000040B000-memory.dmp / upx
  behavioral2/files/0x00090000000233e0-2.dat / upx
  behavioral2/files/0x000700000002343f-6.dat / upx
  behavioral2/memory/4180-628-0x0000000000400000-0x000000000040B000-memory.dmp / upx
- Drops file in Program Files directory (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: Trojan.Danger.ATA_virussign.com_5fe93dc75aa60c93321b4b91b1ca81da.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Trojan.Danger.ATA_virussign.com_5fe93dc75aa60c93321b4b91b1ca81da.exe (PID 4180)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.Danger.ATA_virussign.com_5fe93dc75aa60c93321b4b91b1ca81da.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 115KB
  MD5: 972f1b46655439cc4d46843d3d146946
  SHA1: 4890203e8cf865930acacf8b21aa2b790d70f28d
  SHA256: 9bdcfd8a7ecb08e246afcb7268963db36edb02e0a0f0c844ce171e305b98ee91
  SHA512: 26980ff35a868a5547b05de41ea143eec6cea3a1c37b7f404e8ce1b26c4506ce5aa07ba63b10af5f97ac19c1e433f28f63a21e2f3d0fb60f28a68209e8d63dbc
- Filesize: 214KB
  MD5: 4aebec297eea5418b48474125a7255b5
  SHA1: b1ac7b4cb419247b1655b38e3245e6b1fcb3c0fb
  SHA256: 41bb666752766e369d4f354a7eb79f8a2e588986fd9696b3ebf48cc3aa6da336
  SHA512: 0bd61520d633ffa47202261d838efc0e5a6b6177334cde76a0214d950dbabeed1c6a5e83a9bff7051211c915192815cb9ce30dc87dbd1d72ee7ae25897195f16