trigona | b49bf3a4baf637e067a8db7360051eba39713b7958519b49f8e236b6014c8477

General

Target

Trigona.exe
Size

1.1MB
MD5

2c31a750240788f924ef64a2fb4fdf3b
SHA1

c9c6a7f911d16b49d8b838dca3683357b72c9d6d
SHA256

b49bf3a4baf637e067a8db7360051eba39713b7958519b49f8e236b6014c8477
SHA512

1e36c96110b793bfea2e65f6ff4c0e59a0a6b8f86395d7be6497be264954ab9b7c61d0adfa85dcef5ce69afe4b200b3ece82cbf089264f7d648eaaa53acbd50d
SSDEEP

12288:XRYqX7pdDWExBDmkYhiPJSA0IqOO2vBwRns2MqnuY/gtTyb7:hY6frxBDmkY+Jr0Iql2v4sx+uxtTyn

Score

10^/10

trigona discovery persistence ransomware

Malware Config

Signatures

Detects Trigona ransomware 13 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1436-133-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1436-134-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1436-135-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1436-137-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1436-138-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1436-147-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1436-148-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1436-816-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1436-1931-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1436-6708-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1436-9725-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1436-11130-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1436-14297-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona

Trigona
A ransomware first seen at the beginning of the 2022.
ransomware trigona

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Trigona.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\D8850498D901C918572BCD92B45BC114 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Trigona.exe"	Trigona.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Drops desktop.ini file(s) 4 IoCs

Processes:

Trigona.exe

description	ioc	process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4129409437-3162877118-52503038-1000\desktop.ini	Trigona.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-4129409437-3162877118-52503038-1000\desktop.ini	Trigona.exe
File opened for modification	\??\c:\Program Files\desktop.ini	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	Trigona.exe

Drops file in Program Files directory 64 IoCs

Processes:

Trigona.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\v8_context_snapshot.bin	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ONENOTE.VisualElementsManifest.xml	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AirSpace.Etw.man	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\PREVIEW.GIF	Trigona.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\ipsen.xml	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jre1.8.0_66\lib\jce.jar	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ppd.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\PREVIEW.GIF	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sa.xml	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\TellMePowerPoint.nrr	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\CSS7DATA0009.DLL	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.png	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.tree.dat	Trigona.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui	Trigona.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\Data Sources\how_to_decrypt.hta	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql90.xsl	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Templates\1033\Word 2010 look.dotx	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ja_5.5.0.165303.jar	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css	Trigona.exe
File created	\??\c:\Program Files\Java\jre1.8.0_66\lib\jfr\how_to_decrypt.hta	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso98win32client.dll	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ul-oob.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-phn.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Common.dll	Trigona.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\how_to_decrypt.hta	Trigona.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\how_to_decrypt.hta	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\lib\tzdb.dat	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	Trigona.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\how_to_decrypt.hta	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ppd.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\MEDIA\VOLTAGE.WAV	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.LEX	Trigona.exe
File opened for modification	\??\c:\Program Files\Common Files\System\ado\msador28.tlb	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp_3.6.300.v20140407-1855.jar	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml	Trigona.exe
File created	\??\c:\Program Files\Java\jre1.8.0_66\bin\dtplugin\how_to_decrypt.hta	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.dll	Trigona.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Fonts\private\SEGOEUISL.TTF	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\MEDIA\HAMMER.WAV	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-phn.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-oob.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-pl.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\offsymsl.ttf	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\pkeyconfig-office.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\default.jfc	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\PREVIEW.GIF	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sqlpdw.xsl	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\jli.dll	Trigona.exe

C:\Users\Admin\AppData\Local\Temp\Trigona.exe
"C:\Users\Admin\AppData\Local\Temp\Trigona.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:1436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4129409437-3162877118-52503038-1000\desktop.ini

Filesize
2KB

MD5
6a2c928d2824694fab6bc4f7276185cf

SHA1
1de95accd23014174daf5c6ad9b71dbff09f1998

SHA256
1c1663faed9b8ad4b412aa945ce3747c50f5e6de42b5166108ef21c06eebd260

SHA512
13a2e02cc99dd92a87b7bddd4149a4f4714d85618abf5bf2a2951aeadfd66d592b44aa72aa7ed0af52717cf5093bbb29f48c7bb3d8fe9a1283b3257b48a4f355

Download Submit
C:\how_to_decrypt.hta

Filesize
11KB

MD5
f5b3a9599a125aae946e2d87d4c82665

SHA1
4f7578fcb0ccb00f4d6f188dcd1b83a6e9529c6d

SHA256
ff0e1e4120a114018ff457d63d23668d73b01f138c8c43cb097dcc945349d02c

SHA512
35b815181a5bcc4218927d74efed64f66e79b2f87d6d7fca4c1c37d1b3074a6c6a69e9bd94c95f83ce6efcb9d3873190c9ef7b104163c1e426b11eaee352c662

Download Submit
memory/1436-138-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1436-816-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1436-133-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1436-147-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1436-148-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1436-135-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1436-134-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1436-137-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1436-1931-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1436-6708-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1436-9725-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1436-11130-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1436-14297-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1436-16986-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads