trigona | 8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0

General

Target

8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
Size

1.1MB
MD5

1cd4ab809fb2a9eebb801ab9c9d4a545
SHA1

ce4f4ba93ec1adf8b5c3bac8552fbafd8dcddf27
SHA256

8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0
SHA512

db0476d3193a89104c116805eb34be5ea46774d77745b1e1ecfe48ec5a573e96150e9e48fcd630384c9bb88847ef12b46bd124b4b8ef1a072be4c1b319a76264
SSDEEP

12288:CU5s41o+T7VmjE2Tz23vxO3jWhn370VPWJFwBybD3Y5WrxqnuskDq4:t5swNmjEoujhn3wVPWJFwEQWV+u75

Score

10^/10

trigona discovery persistence ransomware spyware stealer

Malware Config

Signatures

Detects Trigona ransomware 14 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5060-133-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/5060-134-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/5060-135-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/5060-137-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/5060-1325-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/5060-4286-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/5060-4621-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/5060-4643-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/5060-8946-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/5060-14086-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/5060-17231-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/5060-17232-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/5060-17233-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/5060-17234-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona

Trigona
A ransomware first seen at the beginning of the 2022.
ransomware trigona

Drops startup file 1 IoCs

Processes:

8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe

description	ioc	process
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0C8A55F86CC0CA7134CB6111B268C060 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe"	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Drops desktop.ini file(s) 3 IoCs

Processes:

8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe

description	ioc	process
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\desktop.ini	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\desktop.ini	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe

Drops file in Program Files directory 64 IoCs

Processes:

8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe

description	ioc	process
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hr-hr\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Fonts\private\PAPYRUS.TTF	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_zh_CN.jar	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-pl.xrm-ms	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.boot.tree.dat	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\ExcelMessageDismissal.txt	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\uk-ua\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_ja_4.4.0.v20140623020002.jar	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-phn.xrm-ms	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\MSTAG.TLB	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_zh_4.4.0.v20140623020002.jar	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul-oob.xrm-ms	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\StoreLogo.scale-125.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files\Java\jre1.8.0_66\bin\server\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkServerCP	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ul-oob.xrm-ms	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as90.xsl	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-150_contrast-white.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\ImagePlaceholder.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_fr.properties	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.POWERPNT.16.1033.hxn	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\logo.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\MSIPC\da\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ppd.xrm-ms	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.boot.tree.dat	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\PaintSplashScreen.scale-400.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-400.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nl-NL\View3d\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\x64\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-lib-uihandler.jar	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-256_altform-lightunplated.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-48_contrast-white.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-80_altform-lightunplated.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ppd.xrm-ms	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\OFFSYMB.TTF	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp3.scale-125.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\155.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\PREVIEW.GIF	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsMedTile.contrast-black_scale-125.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-40_contrast-white.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-100.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe

C:\Users\Admin\AppData\Local\Temp\8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
"C:\Users\Admin\AppData\Local\Temp\8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:5060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\desktop.ini
Filesize
2KB

MD5
5409b462027ccb268bf25b0d8c32b057

SHA1
2c27ff19a0d0680553e9a365318ed7faece05bff

SHA256
c113d583b7a124148e8d66301b8ab92651c04d91d09f64bbd766979bd577be8c

SHA512
754d666c7e2da1070ce619db9d77ed26591564756af8a4b4437b327758fbcdcc287087378a5387f650dcc7e84d3ee3dc0c753dc7ea704e698738e2183d9aa144

Download Submit
C:\PerfLogs\how_to_decrypt.hta
Filesize
12KB

MD5
9bb46f029aaa97771f0778564edd17fa

SHA1
7b60ab91415986d46bbf901e1fdeed3d6d37600c

SHA256
851af907a272f5f7adeff2a27dc27bed13d056cd0ef95d52d88ac7d79cd92b02

SHA512
f64e4c2cc85fc4a0a7de2980b1ae3e9d8c9c97f8b80ceca9bd98c30e4d46120b4123dfb9a507ce2c938109658fb8abdfc5ade8f97bbbd9ce7d38bc8d74126a08

Download Submit
memory/5060-4621-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5060-4643-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5060-135-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5060-1325-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5060-4286-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5060-134-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5060-133-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5060-137-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5060-8946-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5060-14086-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5060-17231-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5060-17232-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5060-17233-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5060-17234-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads