Analysis
max time kernel: 152s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-02-2023 07:15
Behavioral task: behavioral1
Sample: 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
Resource: win10v2004-20221111-en
General
Target: 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
Size: 1.1MB
MD5: 67dd0708a2dcbe6b7661fd5eb4593ea7
SHA1: 3d496563984c73e129577da8ca87d3e823fdcce4
SHA256: 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2
SHA512: 6dc6949196b6aa1e44564c955bf02b45e74247c23408e24fe206087725922dcb5cebb5db58635414313e6c96cfba26758919509ecd0e19832506069236dd9c21
SSDEEP: 24576:oYj5E9T+xHeQhNmYOnW8FQrbID+u9v1Qs:Z5E9LQvRrtSvB
Malware Config
Signatures
Trigona
A ransomware family first seen at the beginning of 2022.
Adds Run key to start application (2 TTPs, 1 IoCs)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6D865A3B0874323B88B95678D019511E = "C:\\Users\\Admin\\AppData\\Local\\Temp\\704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe"
Process: 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.
Drops desktop.ini file(s) (1 IoCs)
description: File opened for modification
ioc: \??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
Process: 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
Drops file in Program Files directory (64 IoCs)
Processes
Path: C:\Users\Admin\AppData\Local\Temp\704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe"
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID: 4460