3f9bf898a10b7b6572b0f44b9b65beaa90226648043825782ab315bfd5990486

Analysis

max time kernel
150s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
Size

56KB
MD5

78afb5926adc94d21ef71aeabb1cbad9
SHA1

3cc81fe97895382c8a5a400e8ec474f35476a81c
SHA256

3f9bf898a10b7b6572b0f44b9b65beaa90226648043825782ab315bfd5990486
SHA512

1799e08f67b63e8f09f331ac4dc322fb5a7d492cbfac33d86046d4dc2369c2a9dab03211dafb77d7c6841590ebcea8431714382d6952088a2f7c2f29149341f4
SSDEEP

768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATNydWK9WKF9ADJu:V7Zf/FAxTWoJJZENTNyoKIKMg

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4587) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2912-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0009000000023461-2.dat	upx
behavioral2/files/0x0014000000022936-6.dat	upx
behavioral2/memory/2912-638-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Intrinsics.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-2-0.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\deploy.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\uk.pak.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jaccess.jar.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunmscapi.jar.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\msjet.xsl.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\DisconnectWatch.ADTS.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstat.exe.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Content.xml.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Primitives.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationTypes.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Excel.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.ILGeneration.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Classic.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.Registry.AccessControl.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.png.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationFramework.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-180.png.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-heap-l1-1-0.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Xaml.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.DataSetExtensions.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Design.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-80.png.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-phn.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Xaml.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.Common.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Extensions.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ul-oob.xrm-ms.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.dll.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\el.pak.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javac.exe.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10_RTL.mp4.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+NewSQLServerConnection.odc.tmp	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe

C:\Users\Admin\AppData\Local\Temp\Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Danger.ATA_virussign.com_78afb5926adc94d21ef71aeabb1cbad9.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
57KB

MD5
3916af54083806143907fc9d0c84da59

SHA1
4eee0b5bbaacdf8a67fbea3ac446fdd8ec31fe75

SHA256
c1b3d194f92931c352e035da015be4093c5d3193f476c7ad61ee81ef8fe28a0a

SHA512
5880cd6ee1ecf12f6251d2783af460dad916d22707f10704a5cef3ed1bde19f5832f827dc8de1aa56ef6c90e89857bf787ca66f8a71f6c74cd2939848164f195

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
155KB

MD5
e22a4201227e03cb5f00c7f36c77203f

SHA1
428a960f250231bf4873424948d7fa0bdec72b9f

SHA256
dfbf86b4f5fc3018fcf9b2f009894b018c6ac0006e9411eb15d5c1ad78b44869

SHA512
a834e46da91d9bf83a6eef4617195e29bed0186099a00be6c40dd5ccddc2c4abb8f1d95d4c35d308690057631d995c11e0371d13cdbacf7581baa67a5b09a0a6

Download Submit
memory/2912-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2912-638-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download