Analysis
-
max time kernel
150s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
05-04-2023 12:55
Behavioral task
behavioral1
Sample
8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe
Resource
win10v2004-20230220-en
General
-
Target
8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe
-
Size
1.1MB
-
MD5
eb9fdc083164c0cead39fecaad9aafb4
-
SHA1
19c8782165f56d4153658da5f88f9edd14ae2022
-
SHA256
8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376
-
SHA512
c4c54de23730f5265d29372c21f4f2212a0204f9b83d7fba5dacb0578fbe9f1c95e7521ff892364253f0cd8f4cfbf5befbef387af942714eb4b1b983b0258603
-
SSDEEP
24576:2Y5sZYIcpO4Y4w+xEjN7oQr+O+uvjx8t2mEdp:/Y4470JYj+kmEf
Malware Config
Signatures
-
Detects Trigona ransomware 14 IoCs
resource yara_rule behavioral2/memory/2704-133-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/2704-134-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/2704-135-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/2704-137-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/2704-139-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/2704-1080-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/2704-2831-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/2704-4238-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/2704-4239-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/2704-4841-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/2704-6007-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/2704-9154-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/2704-12590-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/2704-15768-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona -
Trigona
A ransomware first seen at the beginning of the 2022.
-
Drops startup file 1 IoCs
description ioc Process File created \??\c:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\B1785F8BE82DCC36CA3ABB3C93156F22 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe" 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe -
Drops desktop.ini file(s) 3 IoCs
description ioc Process File opened for modification \??\c:\$Recycle.Bin\S-1-5-21-144354903-2550862337-1367551827-1000\desktop.ini 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\desktop.ini 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\da-dk\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\jre\lib\hijrah-config-umalqura.properties 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files\Common Files\microsoft shared\ink\pl-PL\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ppd.xrm-ms 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sv-se\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\external_extensions.json 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sv-se\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\ringless_calls\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp_5.5.0.165303.jar 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\FPA_f33\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OAuth.dll 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files\Windows Photo Viewer\en-US\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\db\lib\derbyclient.jar 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-oob.xrm-ms 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_ja_4.4.0.v20140623020002.jar 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-pl.xrm-ms 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files\VideoLAN\VLC\locale\pt_BR\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\archives\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\PRIVATE_ODBC32.dll 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-CA\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-pl.xrm-ms 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_de_DE.jar 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunpkcs11.jar 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Client\api-ms-win-core-processthreads-l1-1-1.dll 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ppd.xrm-ms 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sk-sk\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Common Files\System\Ole DB\msdaosp.dll 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Internet Explorer\images\bing.ico 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\OSFROAMINGPROXY.DLL 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_it.properties 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Java\jre1.8.0_66\lib\javafx.properties 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-oob.xrm-ms 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\uk-ua\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files\VideoLAN\VLC\locale\am\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe"C:\Users\Admin\AppData\Local\Temp\8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2704
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5acb3c7f34c4249cbde349a65298cf018
SHA19d53910d38c3e0206728b09ca97795a5e8d41bef
SHA25606dbe68b6f93d4c9bf92ebd6437966585c0d501a33483d3e00fa610c2ebb5e75
SHA512a6516de93242db1bbffdf54af87ecdc6d81a6902ae2a925d2f0c9452900f712fcf13e6f3eba3018a2bd991711c5c981ef5edac7c8e2d375cdf817e21cec3b0a4
-
Filesize
12KB
MD51e699be31956fff6c200b584ba94765c
SHA16008fd7e136b69083c6c36a8ea1792b4a5911c3a
SHA256e851eecc74e557221825d66ca885bcf16602037557a6ee902de8fe13f4a16cbb
SHA51283f60c1fca8a4d471dfd4a81fc1a361303963f48c7e91ca7cac12e7e97e98484f158af175e663eda8c72cd624963eccf022c92a107a4da557d285d253d03ea71