trigona | b49bf3a4baf637e067a8db7360051eba39713b7958519b49f8e236b6014c8477

Resubmissions

21-01-2024 14:53

240121-r9a5asead2 10

30-06-2023 14:46

230630-r492faee4v 10

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21-01-2024 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trigona.exe
Size

1.1MB
MD5

2c31a750240788f924ef64a2fb4fdf3b
SHA1

c9c6a7f911d16b49d8b838dca3683357b72c9d6d
SHA256

b49bf3a4baf637e067a8db7360051eba39713b7958519b49f8e236b6014c8477
SHA512

1e36c96110b793bfea2e65f6ff4c0e59a0a6b8f86395d7be6497be264954ab9b7c61d0adfa85dcef5ce69afe4b200b3ece82cbf089264f7d648eaaa53acbd50d
SSDEEP

12288:XRYqX7pdDWExBDmkYhiPJSA0IqOO2vBwRns2MqnuY/gtTyb7:hY6frxBDmkY+Jr0Iql2v4sx+uxtTyn

Score

10^/10

trigona persistence ransomware

Malware Config

Signatures

Detects Trigona ransomware 14 IoCs

resource	yara_rule
behavioral1/memory/2204-0-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2204-1-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2204-2-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2204-4-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2204-6-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2204-7-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2204-8-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2204-15-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2204-44-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2204-801-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2204-1380-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2204-7683-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2204-9988-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2204-11579-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona

Trigona
A ransomware first seen at the beginning of the 2022.
ransomware trigona

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\001B25EFC4A2115F1D37D22ABFFEB099 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Trigona.exe"	Trigona.exe

Drops desktop.ini file(s) 11 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Microsoft Games\Mahjong\desktop.ini	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Solitaire\desktop.ini	Trigona.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3427588347-1492276948-3422228430-1000\desktop.ini	Trigona.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\FreeCell\desktop.ini	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Hearts\desktop.ini	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Purble Place\desktop.ini	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	Trigona.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-3427588347-1492276948-3422228430-1000\desktop.ini	Trigona.exe
File opened for modification	\??\c:\Program Files\desktop.ini	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Chess\desktop.ini	Trigona.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\7-Zip\Lang\sw.txt	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\content-types.properties	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Africa\Tunis	Trigona.exe
File created	\??\c:\Program Files\Microsoft Games\Hearts\es-ES\how_to_decrypt.hta	Trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\audio_filter\libparam_eq_plugin.dll	Trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml	Trigona.exe
File opened for modification	\??\c:\Program Files\Common Files\System\msadc\msaddsr.dll	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiItalic.ttf	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Africa\Ceuta	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.lnk	Trigona.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_settings.png	Trigona.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\da.txt	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml	Trigona.exe
File created	\??\c:\Program Files\Java\jre7\lib\how_to_decrypt.hta	Trigona.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\ckb\how_to_decrypt.hta	Trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo	Trigona.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\es-ES\Sidebar.exe.mui	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml	Trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_autodel_plugin.dll	Trigona.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkWatson.exe.mui	Trigona.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\jsdebuggeride.dll	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ust-Nera	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\JdbcOdbc.dll	Trigona.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\el.pak	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Irkutsk	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\jfluid-server.jar	Trigona.exe
File created	\??\c:\Program Files\Java\jre7\lib\zi\Asia\how_to_decrypt.hta	Trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_gather_plugin.dll	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Winnipeg	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.zh_CN_5.5.0.165303.jar	Trigona.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\el\how_to_decrypt.hta	Trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libinteger_mixer_plugin.dll	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core_2.3.0.v20131211-1531.jar	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar	Trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\Documentation.url	Trigona.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\it\how_to_decrypt.hta	Trigona.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MpEvMsg.dll	Trigona.exe
File opened for modification	\??\c:\Program Files\DVD Maker\ja-JP\WMM2CLIP.dll.mui	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_zh_4.4.0.v20140623020002.jar	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\server\Xusage.txt	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\More Games\MoreGames.dll	Trigona.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\how_to_decrypt.hta	Trigona.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.contexts_1.3.100.v20140407-1019.jar	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.util_8.1.14.v20131031.jar	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\America\Thunder_Bay	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Asia\Dubai	Trigona.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\how_to_decrypt.hta	Trigona.exe
File opened for modification	\??\c:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui	Trigona.exe
File created	\??\c:\Program Files\Windows Defender\en-US\how_to_decrypt.hta	Trigona.exe
File opened for modification	\??\c:\Program Files\Windows NT\TableTextService\es-ES\TableTextService.dll.mui	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Currie	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Madrid	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Rome	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_zh_CN.jar	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\MST7MDT	Trigona.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Design.Resources.dll	Trigona.exe

C:\Users\Admin\AppData\Local\Temp\Trigona.exe
"C:\Users\Admin\AppData\Local\Temp\Trigona.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3427588347-1492276948-3422228430-1000\desktop.ini

Filesize
2KB

MD5
65414d62fc0e1c3ef1cc16ccea1ef3dc

SHA1
2246f4142ccd47f9bff19fdccad4692a7708d177

SHA256
bd45c6da658d6146d2d7fe974ead43fed3b9672b599a31157f26402d57889457

SHA512
d838cd10ccfb6edcb53810824b807cf7585a955a343af84e0a65a8acdcbf6d0540e2224776adec96081ec2f97a45a71fc0834af07f8fc2d38d8fdfd90840f128

Download Submit
C:\how_to_decrypt.hta

Filesize
11KB

MD5
63356ab5bd66bac03c904dbe80c062f1

SHA1
c980855c992ba713196ab194ec62d7111ad600ea

SHA256
cdb66e3a04779a29444db7f0efde4c5849eec7997a4ecac47ff121dbb4364144

SHA512
bcd21ac60654d188a4baf77e351518328c2352beff7b700f973b6863ecc913a2a203ff51ed9c4fe1afd61e19f82431dd199c2acf536baf29be8225244e6aa089

Download Submit
memory/2204-6-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2204-1-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2204-0-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2204-7-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2204-8-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2204-15-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2204-2-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2204-4-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2204-44-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2204-801-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2204-1380-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2204-7683-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2204-9988-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2204-11579-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads