Analysis
max time kernel: 148s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 21-01-2024 14:54
Behavioral tasks
behavioral1: sample 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe, resource win7-20231129-en
behavioral2: sample 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe, resource win10-20231215-en
behavioral3: sample 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe, resource win10v2004-20231215-en
behavioral4: sample 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe, resource win11-20231215-en
General
Target: 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
Size: 1.1MB
MD5: 67dd0708a2dcbe6b7661fd5eb4593ea7
SHA1: 3d496563984c73e129577da8ca87d3e823fdcce4
SHA256: 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2
SHA512: 6dc6949196b6aa1e44564c955bf02b45e74247c23408e24fe206087725922dcb5cebb5db58635414313e6c96cfba26758919509ecd0e19832506069236dd9c21
SSDEEP: 24576:oYj5E9T+xHeQhNmYOnW8FQrbID+u9v1Qs:Z5E9LQvRrtSvB
Malware Config
Signatures
Detects Trigona ransomware (15 IoCs)
resource | yara_rule
behavioral1/memory/1540-0-0x0000000000400000-0x0000000000523000-memory.dmp | family_trigona
behavioral1/memory/1540-1-0x0000000000400000-0x0000000000523000-memory.dmp | family_trigona
behavioral1/memory/1540-2-0x0000000000400000-0x0000000000523000-memory.dmp | family_trigona
behavioral1/memory/1540-4-0x0000000000400000-0x0000000000523000-memory.dmp | family_trigona
behavioral1/memory/1540-5-0x0000000000400000-0x0000000000523000-memory.dmp | family_trigona
behavioral1/memory/1540-8-0x0000000000400000-0x0000000000523000-memory.dmp | family_trigona
behavioral1/memory/1540-715-0x0000000000400000-0x0000000000523000-memory.dmp | family_trigona
behavioral1/memory/1540-857-0x0000000000400000-0x0000000000523000-memory.dmp | family_trigona
behavioral1/memory/1540-901-0x0000000000400000-0x0000000000523000-memory.dmp | family_trigona
behavioral1/memory/1540-8778-0x0000000000400000-0x0000000000523000-memory.dmp | family_trigona
behavioral1/memory/1540-12493-0x0000000000400000-0x0000000000523000-memory.dmp | family_trigona
behavioral1/memory/1540-13844-0x0000000000400000-0x0000000000523000-memory.dmp | family_trigona
behavioral1/memory/1540-26595-0x0000000000400000-0x0000000000523000-memory.dmp | family_trigona
behavioral1/memory/1540-30004-0x0000000000400000-0x0000000000523000-memory.dmp | family_trigona
behavioral1/memory/1540-30006-0x0000000000400000-0x0000000000523000-memory.dmp | family_trigona
Trigona
A ransomware family first seen at the beginning of 2022.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\231508718B70A9723FEAA4865E6B6B79 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe" | 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\491B2F9B9F83C83C4E969C156B74586A = "c:\\users\\admin\\appdata\\local\\temp\\how_to_decrypt.hta" | 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
Drops desktop.ini file(s) (1 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
Drops file in Program Files directory (64 IoCs)
Process for every entry below: 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
description | ioc
File opened for modification | \??\c:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll
File opened for modification | \??\c:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png
File opened for modification | \??\c:\Program Files\Microsoft Games\FreeCell\fr-FR\FreeCell.exe.mui
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107182.WMF
File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Green Bubbles.htm
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02413_.WMF
File opened for modification | \??\c:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\VSTAProjectUI.dll
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Porto_Velho
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Nauru
File created | \??\c:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\how_to_decrypt.hta
File opened for modification | \??\c:\Program Files\Microsoft Office\Office14\MAPISHELL.DLL
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html
File opened for modification | \??\c:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\UserControl.zip
File opened for modification | \??\c:\Program Files (x86)\Internet Explorer\en-US\DiagnosticsTap.dll.mui
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\form_edit.js
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-13
File opened for modification | \??\c:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll
File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\PREVIEW.GIF
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\PUBBA\how_to_decrypt.hta
File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\PHONE.XML
File opened for modification | \??\c:\Program Files (x86)\Common Files\System\msadc\msdaprsr.dll
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02296_.WMF
File opened for modification | \??\c:\Program Files\VideoLAN\VLC\lua\playlist\soundcloud.luac
File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll
File created | \??\c:\Program Files (x86)\Common Files\System\msadc\ja-JP\how_to_decrypt.hta
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\TAB_OFF.GIF
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Rio_Gallegos
File created | \??\c:\Program Files\Java\jre7\bin\plugin2\how_to_decrypt.hta
File opened for modification | \??\c:\Program Files\Java\jre7\lib\cmm\CIEXYZ.pf
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GIFT.DPV
File opened for modification | \??\c:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BZCARDHM.POC
File opened for modification | \??\c:\Program Files\VideoLAN\VLC\plugins\codec\libdxva2_plugin.dll
File opened for modification | \??\c:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR33F.GIF
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsVersion1Warning.htm
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BRCHUR98.POC
File created | \??\c:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\how_to_decrypt.hta
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml
File opened for modification | \??\c:\Program Files\Microsoft Games\Hearts\de-DE\Hearts.exe.mui
File opened for modification | \??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Client.resources.dll
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292270.WMF
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\PublicFunctions.js
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCOUPON.XML
File opened for modification | \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar
File opened for modification | \??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tunis
File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\TipBand.dll.mui
File opened for modification | \??\c:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Sybase.xsl
File opened for modification | \??\c:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_uk.dll
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318804.WMF
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\BCSAutogen.dll
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_zh_CN.jar
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml
File created | \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\how_to_decrypt.hta
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansRegular.ttf
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar
File opened for modification | \??\c:\Program Files (x86)\Common Files\System\msadc\it-IT\msadcfr.dll.mui
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDECL.ICO
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticattribute.exsd
File opened for modification | \??\c:\Program Files\Java\jre7\lib\zi\Asia\Omsk
File opened for modification | \??\c:\Program Files\VideoLAN\VLC\plugins\video_filter\libadjust_plugin.dll
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 1540 wrote to memory of 8360 | 1540 | 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe | 31
PID 1540 wrote to memory of 8360 | 1540 | 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe | 31
PID 1540 wrote to memory of 8360 | 1540 | 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe | 31
PID 1540 wrote to memory of 8360 | 1540 | 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe (depth 1, PID 1540)
  Command line: "C:\Users\Admin\AppData\Local\Temp\704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe"
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mshta.exe (depth 2, PID 8360, child of PID 1540)
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\appdata\local\temp\how_to_decrypt.hta"
    - Modifies Internet Explorer settings
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 11KB
MD5: b7601d98b2064032a19a9d215909b1c7
SHA1: ff9e5837463249485040fa7f23c2d11c9040caf5
SHA256: a1e8453f8c19bff1cef56d62733004c7c69bcecc34e1f2bf5e6e20c0cd58d2e5
SHA512: 4d2d2c82af887a3df20a8c91d0dc50133357eea735ba5902459998c6adef6b19a71053aae465b8f5a3363ce4e16f1f9eaa9aeb3cadbd7d92e2f2bb7362e945ee