Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
21-01-2024 14:53
Behavioral task
behavioral1
Sample
8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe
Resource
win7-20231215-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe
Resource
win10-20231215-en
windows10-1703-x64
6 signatures
150 seconds
Behavioral task
behavioral3
Sample
8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
8 signatures
150 seconds
Behavioral task
behavioral4
Sample
8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe
Resource
win11-20231215-en
windows11-21h2-x64
7 signatures
150 seconds
General
-
Target
8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe
-
Size
1.1MB
-
MD5
eb9fdc083164c0cead39fecaad9aafb4
-
SHA1
19c8782165f56d4153658da5f88f9edd14ae2022
-
SHA256
8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376
-
SHA512
c4c54de23730f5265d29372c21f4f2212a0204f9b83d7fba5dacb0578fbe9f1c95e7521ff892364253f0cd8f4cfbf5befbef387af942714eb4b1b983b0258603
-
SSDEEP
24576:2Y5sZYIcpO4Y4w+xEjN7oQr+O+uvjx8t2mEdp:/Y4470JYj+kmEf
Score
10/10
Malware Config
Signatures
-
Detects Trigona ransomware 13 IoCs
resource yara_rule behavioral1/memory/1568-0-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/1568-1-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/1568-2-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/1568-8-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/1568-2259-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/1568-2263-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/1568-2905-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/1568-6044-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/1568-13101-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/1568-13102-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/1568-13103-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/1568-15186-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/1568-29215-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona -
Trigona
A ransomware first seen at the beginning of the 2022.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\B1D8E09391D50FB26010092B049EBC5F = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe" 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe -
Drops desktop.ini file(s) 14 IoCs
description ioc Process File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3601492379-692465709-652514833-1000\desktop.ini 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Games\FreeCell\desktop.ini 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\desktop.ini 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\$Recycle.Bin\S-1-5-21-3601492379-692465709-652514833-1000\desktop.ini 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Games\Chess\desktop.ini 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Games\Hearts\desktop.ini 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\desktop.ini 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Games\Purble Place\desktop.ini 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Games\Mahjong\desktop.ini 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Games\Solitaire\desktop.ini 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created \??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\javaws.jar 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\StatusDoNotDisturb.ico 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\VideoLAN\VLC\plugins\codec\libd3d11va_plugin.dll 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145707.JPG 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePageScript.js 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\slideShow.html 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Common Files\System\Ole DB\xmlrw.dll 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14565_.GIF 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\messageboxalert.ico 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\BTOPENWORLD.COM.XML 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Text.zip 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files (x86)\Microsoft Visual Studio 8\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01627_.WMF 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR24F.GIF 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BROCHURE.DPV 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmpshare.exe 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0234001.WMF 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_up.png 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXEV.DLL 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00186_.WMF 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382963.JPG 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149627.WMF 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_K_COL.HXK 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_zh_CN.jar 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PROGRAM.XML 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPTS.ICO 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292248.WMF 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\manifest.json 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsBase.resources.dll 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01060_.WMF 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01744_.GIF 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\npjp2.dll 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_s.png 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00681_.WMF 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187839.WMF 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239943.WMF 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Java\jre7\lib\zi\Europe\Athens 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\REFINED.ELM 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\VideoLAN\VLC\plugins\video_filter\liboldmovie_plugin.dll 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.LTS 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files\VideoLAN\VLC\locale\cy\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\CONVERT\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\gadget.xml 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Common Files\System\msadc\msdfmap.dll 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_MediumMAsk.bmp 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\TWCUTLIN.DLL 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00985_.WMF 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File created \??\c:\Program Files\Microsoft Games\Purble Place\it-IT\how_to_decrypt.hta 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonSubpicture.png 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\StopEnable.contact 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\picturePuzzle.html 8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe"C:\Users\Admin\AppData\Local\Temp\8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376.exe"1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:1568
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD529022f6e6a591304afd651ae88417f28
SHA17c808b8ed9285a97e61089684ed3ce5e239a1727
SHA25621c23bb626c850797c9cf2e50e750b9afa0a8fc5c4d9816c14b3bb12c9037dca
SHA51266eee2fc6cc26ea7c2beba9c6665251b1ab1accc14816b9053fd5360c822721b7312b36b8967f7b17510edb1556cbc5b4bd4b728826f87c9ca70728c1ad58dcf
-
Filesize
12KB
MD52be53533ab4ffc0a40a3b2bc63fc6da4
SHA18f9cd6c7bcd4afdc472dfbcb1e825dcd7d489994
SHA25662b54a87926c5610c7133b6ec0ef11c159f0d07f4db4e889ee946d8048a34ddd
SHA512f9f8e3d8f8bf3a37f11b5f5c4360f0e2b5564302f1bcc8d8ed1cb567950ce3f732d66c3cab25e6be0471b872b022fb59ea1727375d3dfa261a06f0808b3dd13f