trigona | f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e

Resubmissions

21-01-2024 14:53

240121-r9tawaddhp 10

17-03-2023 06:39

230317-helswaef33 10

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-03-2023 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
Size

1.1MB
MD5

e248e214c121845e69bbf266cc9e2853
SHA1

683a1a845f0c2d0f358d62a450f710f960190f2f
SHA256

f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e
SHA512

d5a5968b079b2a561f2adeaa1cff9ba8e2faac242ef362894dde0b8f72ec725780da651950d06e2b019369f34dbbaf31a497440b4aabe7f8357f789bbdab9031
SSDEEP

24576:KYxvmwliqDHWHVjdzuM7Br+e5rh+u7z7k:Zvmw3UjnrP9gQY

Score

10^/10

trigona discovery persistence ransomware spyware stealer

Malware Config

Signatures

Trigona
A ransomware first seen at the beginning of the 2022.
ransomware trigona

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\SaveSkip.tif => \??\c:\users\admin\pictures\SaveSkip.tif._locked	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File renamed	C:\Users\Admin\Pictures\SendConfirm.tif => \??\c:\users\admin\pictures\SendConfirm.tif._locked	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File renamed	C:\Users\Admin\Pictures\UndoRead.tif => \??\c:\users\admin\pictures\UndoRead.tif._locked	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File renamed	C:\Users\Admin\Pictures\UseExit.tiff => \??\c:\users\admin\pictures\UseExit.tiff._locked	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File renamed	C:\Users\Admin\Pictures\WaitImport.png => \??\c:\users\admin\pictures\WaitImport.png._locked	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File renamed	C:\Users\Admin\Pictures\ConfirmEnter.png => \??\c:\users\admin\pictures\ConfirmEnter.png._locked	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File renamed	C:\Users\Admin\Pictures\RequestRemove.crw => \??\c:\users\admin\pictures\RequestRemove.crw._locked	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File renamed	C:\Users\Admin\Pictures\SaveUpdate.crw => \??\c:\users\admin\pictures\SaveUpdate.crw._locked	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\admin\pictures\UseExit.tiff	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\how_to_decrypt.hta	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4F1DC8BDB7E6F6F63ABE2FA97B8CE30C = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe"	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Drops desktop.ini file(s) 32 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\microsoft office\root\office16\1033\dataservices\DESKTOP.INI	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\admin\contacts\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\admin\desktop\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\admin\saved games\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\admin\videos\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\public\accountpictures\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\admin\3d objects\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\public\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\public\videos\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files (x86)\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\admin\favorites\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\admin\links\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\admin\music\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\public\libraries\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\admin\downloads\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\admin\searches\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\public\documents\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\$recycle.bin\s-1-5-21-1675742406-747946869-1029867430-1000\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\admin\onedrive\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\admin\pictures\camera roll\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\admin\pictures\saved pictures\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\public\desktop\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\public\downloads\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\admin\documents\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\admin\favorites\links\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\admin\pictures\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\public\music\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\users\public\pictures\desktop.ini	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\common files\system\ole db\es-es\sqloledb.rll.mui	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-compat.xml	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\java\jre1.8.0_66\lib\images\cursors\win32_MoveNoDrop32x32.gif	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\microsoft office\root\licenses16\MondoVL_KMS_Client-ppd.xrm-ms	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\microsoft office\root\licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\application\92.0.902.67\resiliencylinks\visualelements\SmallLogo.png.DATA	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\application\92.0.902.67\trust protection lists\mu\Entities	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\share.svg	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\application\92.0.902.67\resiliencylinks\locales\or.pak.DATA	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fr-ca\how_to_decrypt.hta	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\google\chrome\application\106.0.5249.119\locales\vi.pak	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\microsoft office\root\licenses16\ProjectStdR_Retail-ul-phn.xrm-ms	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\microsoft office\root\office16\logoimages\OneNoteLogoSmall.contrast-white_scale-180.png	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\microsoft office\root\templates\1033\ApothecaryLetter.dotx	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\acrocef\icudtl.dat	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File created	\??\c:\program files (x86)\microsoft\edge\application\how_to_decrypt.hta	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\activity-badge\js\nls\en-ae\ui-strings.js	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_ja_4.4.0.v20140623020002.jar	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File created	\??\c:\program files\java\jdk1.8.0_66\lib\visualvm\visualvm\core\how_to_decrypt.hta	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\microsoft office\root\integration\C2RManifest.wordmui.msi.16.en-us.xml	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File created	\??\c:\program files\videolan\vlc\locale\ks_in\lc_messages\how_to_decrypt.hta	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\spectrum_spinner_process.svg	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\files\dev\nls\hu-hu\ui-strings.js	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-recent-files\js\nls\ro-ro\ui-strings.js	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\signatures\js\selector.js	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\7-zip\lang\ka.txt	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\jre\bin\verify.dll	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_ja_4.4.0.v20140623020002.jar	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\microsoft office\root\vfs\programfilesx64\microsoft analysis services\as oledb\140\cartridges\Sybase.xsl	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\videolan\vlc\plugins\demux\libvc1_plugin.dll	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\digsig\js\nls\de-de\ui-strings.js	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\resource\font\ZY______.PFB	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\application\92.0.902.67\trust protection lists\mu\LICENSE	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_preferencestyle.css	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\microsoft office\root\office16\ONBttnWD.dll	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\sign-services-auth\js\nls\sl-si\ui-strings.js	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files (x86)\common files\system\ole db\msdasql.dll	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\ink\en-us\rtscom.dll.mui	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\microsoft office\root\licenses16\Publisher2019R_Grace-ppd.xrm-ms	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\microsoft office\root\office16\odbc drivers\redshift\lib\sbicuuc53_64.dll	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files (x86)\google\update\1.3.36.151\goopdateres_hi.dll	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File created	\??\c:\program files\videolan\vlc\locale\fa\lc_messages\how_to_decrypt.hta	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files (x86)\common files\system\ole db\sqlxmlx.rll	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\java\jre1.8.0_66\bin\tnameserv.exe	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\microsoft office\root\licenses16\MondoR_OEM_Perp-ppd.xrm-ms	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\themes16\breeze\PREVIEW.GIF	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\reference assemblies\microsoft\framework\v3.0\ja\System.Speech.resources.dll	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File created	\??\c:\program files\videolan\vlc\locale\ach\lc_messages\how_to_decrypt.hta	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\combinepdf\js\nls\de-de\ui-strings.js	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\signatures\js\nls\uk-ua\ui-strings.js	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\7-zip\lang\bg.txt	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_zh_CN.jar	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\themes16\edge\PREVIEW.GIF	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File created	\??\c:\program files\videolan\vlc\locale\si\lc_messages\how_to_decrypt.hta	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\videolan\vlc\plugins\stream_filter\libaribcam_plugin.dll	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\uss-search\js\nls\hr-hr\ui-strings.js	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\release	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-files\js\nls\hr-hr\ui-strings.js	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files (x86)\google\update\1.3.36.151\goopdateres_hu.dll	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File opened for modification	\??\c:\program files\microsoft office\root\office16\1033\ClientSub_M365_eula.txt	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
File created	\??\c:\program files\mozilla firefox\uninstall\how_to_decrypt.hta	f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe

C:\Users\Admin\AppData\Local\Temp\f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe
"C:\Users\Admin\AppData\Local\Temp\f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:4540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\desktop.ini

Filesize
910B

MD5
7a41e2fea0592ae660d12cce31d8c6a2

SHA1
fa95136e6a211c33c7bd89903a525493e8a6dc41

SHA256
f0daffb30f94f7e9f88e9d3b7b70398c64f36eb3edc17be9671c7c3eff44daa1

SHA512
da5310a3a3e8fd7fc086496f63726c98fc61c7e0b245bfc5a10694e626003f2e2bf70cdb3080b8dcf5d29b16acd7b1967853aa5e1624a1bd1c181d137f10c0e8

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

Filesize
3.3MB

MD5
daa6a3f611d8d7507b173af96ffa8110

SHA1
88f697457e732f541a0026c971ea5213ee50b763

SHA256
8ac15c9e3107feeb44abfd5deb24194038a8ead129f7af27217c9215441b8823

SHA512
91a5eb08761bececc44588459cd37064b26f770dad4c817e8644971e3e40d66a6a6ba1b23888cf3c237b0c7d48cfc21577e4385965a64352846c350d1c790e3e

Download Submit
C:\odt\how_to_decrypt.hta

Filesize
10KB

MD5
73b6a3e526f2f1887ddcd1f7de12d8f7

SHA1
9b030bdb860edca3b315886988fd0fc99fa7efd2

SHA256
0a44c5b1b1edfaff7af27d17280cbcf1c06679820cd05e5efdea26966bf6ad78

SHA512
e1708aa47f427d29cce4083628fb39fac6d8a89fb86b33d9b3630fecb94cc20a7ff67f6101d8e125a37399a5c09972cd59af878bdbd1bb962b03405536c64d75

Download Submit
memory/4540-10060-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4540-15329-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4540-135-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4540-1490-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4540-5485-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4540-133-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4540-12894-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4540-137-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4540-18462-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4540-23622-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4540-29093-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4540-32069-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4540-134-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4540-36372-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download