trigona | b49bf3a4baf637e067a8db7360051eba39713b7958519b49f8e236b6014c8477 | Triage

Resubmissions

21-01-2024 14:53

240121-r9a5asead2 10

30-06-2023 14:46

230630-r492faee4v 10

Analysis

max time kernel
131s
max time network
154s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
21-01-2024 14:53

Sharing

Report Analysis Logs

General

Target

Trigona.exe
Size

1.1MB
MD5

2c31a750240788f924ef64a2fb4fdf3b
SHA1

c9c6a7f911d16b49d8b838dca3683357b72c9d6d
SHA256

b49bf3a4baf637e067a8db7360051eba39713b7958519b49f8e236b6014c8477
SHA512

1e36c96110b793bfea2e65f6ff4c0e59a0a6b8f86395d7be6497be264954ab9b7c61d0adfa85dcef5ce69afe4b200b3ece82cbf089264f7d648eaaa53acbd50d
SSDEEP

12288:XRYqX7pdDWExBDmkYhiPJSA0IqOO2vBwRns2MqnuY/gtTyb7:hY6frxBDmkY+Jr0Iql2v4sx+uxtTyn

Score

10^/10

trigona discovery persistence ransomware

Malware Config

Signatures

Detects Trigona ransomware 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3572-0-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/3572-1-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/3572-2-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/3572-4-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/3572-13-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/3572-764-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/3572-7423-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/3572-14256-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/3572-16342-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/3572-16343-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/3572-16344-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/3572-16345-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona

Trigona
A ransomware first seen at the beginning of the 2022.
ransomware trigona

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

Trigona.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Windows\CurrentVersion\Run\47DDF3ACFE254AC8B7872F4D56C3B964 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Trigona.exe"	Trigona.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops desktop.ini file(s) 5 IoCs

Processes:

Trigona.exe

description	ioc	process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-655921741-723621465-1580683668-1000\desktop.ini	Trigona.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-655921741-723621465-1580683668-1000\desktop.ini	Trigona.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	Trigona.exe
File opened for modification	\??\c:\Program Files\desktop.ini	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	Trigona.exe

Drops file in Program Files directory 64 IoCs

Processes:

Trigona.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\MINSBPROXY.DLL	Trigona.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-white_scale-125.png	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Office 2007 - 2010.eftx	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ul-oob.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\install.log	Trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\vlc.mo	Trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo	Trigona.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\he.pak	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ExcelTellMeOnnxModel.bin	Trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_delay_plugin.dll	Trigona.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll	Trigona.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoCanary.png	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\lib\jfxswt.jar	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\AXIS.INF	Trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\access\libsmb_plugin.dll	Trigona.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_32	Trigona.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\release	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-oob.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_EN.LEX	Trigona.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSplash.scale-200_contrast-white.png	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml	Trigona.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\browser\features\[email protected]	Trigona.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosLargeTile.contrast-black_scale-125.png	Trigona.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\misc\libstats_plugin.dll	Trigona.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\sqmapi_x64.dll	Trigona.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll	Trigona.exe
File created	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\how_to_decrypt.hta	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ul-oob.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.png	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ppd.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.targetsize-32_altform-unplated.png	Trigona.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\canvas.jpg	Trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ppd.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Fonts\private\MTEXTRA.TTF	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\XLCALL32.DLL	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.XlsIO.Base.dll	Trigona.exe
File opened for modification	\??\c:\Program Files\Windows Defender Advanced Threat Protection\it-IT\MsSense.exe.mui	Trigona.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\how_to_decrypt.hta	Trigona.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\Square44x44Logo.targetsize-16.png	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Client\C2R32.dll	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-pl.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	Trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\vlc.mo	Trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\access\libtimecode_plugin.dll	Trigona.exe
File created	\??\c:\Program Files\Windows NT\Accessories\ja-JP\how_to_decrypt.hta	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ppd.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll	Trigona.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\how_to_decrypt.hta	Trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\video_filter\libalphamask_plugin.dll	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml	Trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ppd.xrm-ms	Trigona.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\es-ES\wmpnscfg.exe.mui	Trigona.exe

C:\Users\Admin\AppData\Local\Temp\Trigona.exe
"C:\Users\Admin\AppData\Local\Temp\Trigona.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:3572

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-655921741-723621465-1580683668-1000\desktop.ini
Filesize
2KB

MD5
fe2c3dc55bdc03bf2c60a8e905a824a7

SHA1
2809601d642c756f6bc9b9d55996b68fc98ac154

SHA256
267a80d1657b64b2b31b08f2a78ae110931205bd59d8604d56e861955a5e60bc

SHA512
c56d180e53c0480d1e723191fa83c35fe354ce56d69d321da83f003323d7f5ef3f9dc55f42aeaf8f0a7f4647399dbaa44423c6ebd8c83b440eb33c8d612dfaee

Download Submit
C:\how_to_decrypt.hta
Filesize
11KB

MD5
b43f9ac06bb47d691a1e58e2b3c28f03

SHA1
fd4cd5dd3797d1a93d50505fe69305c9e482f796

SHA256
e7c3d0e25ac0401a0604b31c4ae98ca627077333868a87546aafc282281b9f16

SHA512
df6afdfff57c37496012a515c0579e6e1e7b0a21805caf603358826b16a2089665c16ad54dbf740a90eac8e05aed88f4840aa50b7498c6c9516ae7a649d1b1a4

Download Submit
memory/3572-4-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3572-0-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3572-13-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3572-2-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3572-1-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3572-764-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3572-7423-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3572-14256-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3572-16342-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3572-16343-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3572-16344-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3572-16345-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download