Analysis
- max time kernel: 150s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 24-05-2022 17:42
Static task: static1

Behavioral tasks (sample, resource):
- behavioral1: Channel.url, win7-20220414-en
- behavioral2: Channel.url, win10v2004-20220414-en
- behavioral3: Robot.url, win7-20220414-en
- behavioral4: Robot.url, win10v2004-20220414-en
- behavioral5: Thanks.vbs, win7-20220414-en
- behavioral6: Thanks.vbs, win10v2004-20220414-en
- behavioral7: Trinity tools/Trinity tools.exe, win7-20220414-en
- behavioral8: Trinity tools/Trinity tools.exe, win10v2004-20220414-en
- behavioral9: Web.url, win7-20220414-en
- behavioral10: Web.url, win10v2004-20220414-en
General
- Target: Trinity tools/Trinity tools.exe
- Size: 2.0MB
- MD5: e7b2ec931a901deaf75675100c4ca218
- SHA1: c21e278f5dd73d8d7fe40ed143b6bd0f422bcd2c
- SHA256: 6858f40193bfb7fb23c1454f39dc931cbd5ecdb7307e42b944b4efa4a3861f1a
- SHA512: d8f125ef97d68414173cde8a47fc3206247061549a03fcd639f7befcf9052541f81e463884d954fa86a41143a7fae7436b2d7286648935cf97ab35669919c44d
Malware Config
Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs
Process: Trinity tools.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Neshta
Malware from the Neshta family infects other executable files in order to spread itself and cause damage.
Executes dropped EXE 1 IoCs
Process (pid): 1788 Trinity tools.exe

Loads dropped DLL 3 IoCs
Processes (pid):
- 1672 Trinity tools.exe
- 1788 Trinity tools.exe
- 1672 Trinity tools.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory 64 IoCs
Process: Trinity tools.exe
Drops file in Windows directory 1 IoCs
Process: Trinity tools.exe
- File opened for modification: C:\Windows\svchost.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class 1 IoCs
Process: Trinity tools.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"

Suspicious behavior: EnumeratesProcesses 27 IoCs
Process (pid): 1788 Trinity tools.exe (27 identical entries)

Suspicious use of WriteProcessMemory 4 IoCs
- PID 1672 (Trinity tools.exe) wrote to memory of 1788 (Trinity tools.exe), 4 identical entries
Processes
- C:\Users\Admin\AppData\Local\Temp\Trinity tools\Trinity tools.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Trinity tools\Trinity tools.exe"
  - Modifies system executable filetype association
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3582-490\Trinity tools.exe (depth 2, child of the above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\Trinity tools.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads