268b0bb7f1cfc26b4c6b1a41462e9898a39b35cace21b708f3c61e1026ad1893

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
Size

66KB
MD5

4ef59e097da7416c19a723eed29762fe
SHA1

f2a4f4dd0d024ebfd29b94e2f1a1b4cd01cb0ade
SHA256

268b0bb7f1cfc26b4c6b1a41462e9898a39b35cace21b708f3c61e1026ad1893
SHA512

1515108c9e16849ce5e95f6591b45380f5dd16534011070d326d4f86d7cb462cf680e81cb0b6ace53746c19a58ed72cde9f3463b9d292080e5bb59c1a9d012d2
SSDEEP

1536:CTWn1++PJHJXA/OsIZfzc3/Q8IZTkb/bM:KQSo7Zgrg

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (3214) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2280-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0009000000012117-2.dat	upx
behavioral1/files/0x000c000000010546-6.dat	upx
behavioral1/memory/2280-69-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_zh_4.4.0.v20140623020002.jar.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\vlc.mo.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576black.png.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\libGLESv2.dll.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IpsMigrationPlugin.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application-views.jar.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Mawson.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Web.Entity.Resources.dll.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-14.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_ja_4.4.0.v20140623020002.jar.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-CN.pak.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\chkrzm.exe.mui.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_zh_CN.jar.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+1.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_zh_4.4.0.v20140623020002.jar.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\jamendo.luac.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Chita.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\install.ins.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Davis.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util-lookup.jar.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_zh_CN.jar.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Microsoft Games\Chess\it-IT\Chess.exe.mui.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.RunTime.Serialization.Resources.dll.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\DVD Maker\ja-JP\WMM2CLIP.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_SelectionSubpicture.png.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fa.pak.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\DVD Maker\it-IT\OmdProject.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tirane.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\tipresx.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\RevokeEnter.ps1.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_ja.jar.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jre7\lib\classlist.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf.tmp	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe

C:\Users\Admin\AppData\Local\Temp\Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Danger.ATA_virussign.com_4ef59e097da7416c19a723eed29762fe.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp

Filesize
67KB

MD5
d0741974f64d9b0ce7ac897862778129

SHA1
7b2be994feaf6ef16aa3843911f09c28a82bba53

SHA256
b0769ae95851c28dafbf62863ece22b7f17b4eab3be9bf09346ac0e6270353ec

SHA512
cab1cdf4b6639d51a705ddc1ab17be8fb8d8ec7bfa479723e772c3d20ad2bd764e4536c60b2e4c06c5a225056c29d32aa00866d8de50546d0019c64913b040c8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
75KB

MD5
fd51c2fade0b0144ed6608f0ac2c1a8b

SHA1
2c42077885deb88407649ffe886da1d3065174d5

SHA256
1ec16c6ba4959d00e27c8e33478fb4c370de2165226416f91cf816cc20b33af1

SHA512
9c437c0e3e0c08135cbf81463a40ffb53b7266139be4ba165e0ca1b8bd8779efadc580bbb4c82eb381657f512c53532afbbe418190cab96d8a9e74394b5dc9af

Download Submit
memory/2280-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2280-69-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download