trigona | b49bf3a4baf637e067a8db7360051eba39713b7958519b49f8e236b6014c8477

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2023 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trigonaexe.exe
Size

1.1MB
MD5

2c31a750240788f924ef64a2fb4fdf3b
SHA1

c9c6a7f911d16b49d8b838dca3683357b72c9d6d
SHA256

b49bf3a4baf637e067a8db7360051eba39713b7958519b49f8e236b6014c8477
SHA512

1e36c96110b793bfea2e65f6ff4c0e59a0a6b8f86395d7be6497be264954ab9b7c61d0adfa85dcef5ce69afe4b200b3ece82cbf089264f7d648eaaa53acbd50d
SSDEEP

12288:XRYqX7pdDWExBDmkYhiPJSA0IqOO2vBwRns2MqnuY/gtTyb7:hY6frxBDmkY+Jr0Iql2v4sx+uxtTyn

Score

10^/10

trigona discovery persistence ransomware

Malware Config

Signatures

Detects Trigona ransomware 14 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2148-133-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/2148-134-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/2148-135-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/2148-137-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/2148-139-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/2148-146-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/2148-760-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/2148-908-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/2148-3944-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/2148-8060-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/2148-13202-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/2148-16431-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/2148-18559-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/2148-19303-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona

Trigona
A ransomware first seen at the beginning of the 2022.
ransomware trigona

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Trigonaexe.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\F102B9479A4AA60A9B84083285083B1B = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Trigonaexe.exe"	Trigonaexe.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Drops desktop.ini file(s) 4 IoCs

Processes:

Trigonaexe.exe

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-508929744-1894537824-211734425-1000\desktop.ini	Trigonaexe.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-508929744-1894537824-211734425-1000\desktop.ini	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\desktop.ini	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	Trigonaexe.exe

Drops file in Program Files directory 64 IoCs

Processes:

Trigonaexe.exe

description	ioc	Process
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-pl.xrm-ms	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-phn.xrm-ms	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Templates\1033\EssentialLetter.dotx	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\video_filter\libhqdn3d_plugin.dll	Trigonaexe.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\how_to_decrypt.hta	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\AUTHOR.XSL	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl.dll	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-locale-l1-1-0.dll	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\ReachFramework.resources.dll	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightDemiItalic.ttf	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\mfc140u.dll	Trigonaexe.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\LanguageModel\how_to_decrypt.hta	Trigonaexe.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\how_to_decrypt.hta	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.White.png	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Resources.dll	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\lib\tzmappings	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\jawt.dll	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-explorer_zh_CN.jar	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul.xrm-ms	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\audio_output\libmmdevice_plugin.dll	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\WideTile.scale-125.png	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Common Files\System\ado\msadomd28.tlb	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEEXCL.DLL	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ppd.xrm-ms	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Java\jre1.8.0_66\bin\plugin2\msvcr100.dll	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms	Trigonaexe.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\how_to_decrypt.hta	Trigonaexe.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\how_to_decrypt.hta	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsBase.resources.dll	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.zh_CN_5.5.0.165303.jar	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGIB.TTF	Trigonaexe.exe
File created	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\how_to_decrypt.hta	Trigonaexe.exe
File created	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\how_to_decrypt.hta	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\MedTile.scale-125.png	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core.xml	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ppd.xrm-ms	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleLargeTile.scale-125.png	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\ConfirmDeny.easmx	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-xstate-l2-1-0.dll	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\PREVIEW.GIF	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\mux\libmux_avi_plugin.dll	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\WideTile.scale-125.png	Trigonaexe.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\how_to_decrypt.hta	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_es_plugin.dll	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp_5.5.0.165303.jar	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL093.XML	Trigonaexe.exe
File created	\??\c:\Program Files\Windows NT\Accessories\how_to_decrypt.hta	Trigonaexe.exe
File created	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\how_to_decrypt.hta	Trigonaexe.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\db\bin\stopNetworkServer.bat	Trigonaexe.exe

C:\Users\Admin\AppData\Local\Temp\Trigonaexe.exe
"C:\Users\Admin\AppData\Local\Temp\Trigonaexe.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-508929744-1894537824-211734425-1000\desktop.ini

Filesize
2KB

MD5
e212f5cd7bd884561957c016eae78506

SHA1
43fce51d252a1dc4aa37fe09811d5b07d9c36039

SHA256
1c9e1696532588cafcf6836afdb98793da7a1b2606f9f47914921eefe58885c8

SHA512
3b8c5964294dce054debd1820024d4243a219018a292702adbc2c6a60d6507e9e62b1ba433fdc80ee21af83a79845f49b59fc070e3dd1f2233d1c3dc8f8e1233

Download Submit
C:\how_to_decrypt.hta

Filesize
11KB

MD5
a782c4101d022d920d36c875d67e7018

SHA1
817cdde2b577fbcb0ea50a2b49c8af1f9c14954a

SHA256
590e486a255dc458d6a403b885796ea125e4c26409d8b305cb0a5b3c98f4c358

SHA512
b3df396fe9568f8ab9075b3e9e1af222bb4cbe97034f6df746cb718f23259c0bba35f50e04d25be4ccfb012cdddc7852748006e54534539a7a6c3e71c31dde86

Download Submit
memory/2148-760-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2148-908-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2148-139-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2148-146-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2148-135-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2148-134-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2148-133-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2148-137-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2148-3944-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2148-8060-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2148-13202-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2148-16431-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2148-18559-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2148-19303-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download