Analysis
- max time kernel: 150s
- max time network: 160s
- platform: windows10-1703_x64
- resource: win10-20231215-en
- resource tags: arch:x64 arch:x86 image:win10-20231215-en locale:en-us os:windows10-1703-x64 system
- submitted: 21-01-2024 14:54
Behavioral tasks
- behavioral1: Sample 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe, Resource win7-20231129-en
- behavioral2: Sample 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe, Resource win10-20231215-en
- behavioral3: Sample 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe, Resource win10v2004-20231215-en
- behavioral4: Sample 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe, Resource win11-20231215-en
General
- Target: 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
- Size: 1.1MB
- MD5: 67dd0708a2dcbe6b7661fd5eb4593ea7
- SHA1: 3d496563984c73e129577da8ca87d3e823fdcce4
- SHA256: 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2
- SHA512: 6dc6949196b6aa1e44564c955bf02b45e74247c23408e24fe206087725922dcb5cebb5db58635414313e6c96cfba26758919509ecd0e19832506069236dd9c21
- SSDEEP: 24576:oYj5E9T+xHeQhNmYOnW8FQrbID+u9v1Qs:Z5E9LQvRrtSvB
Malware Config
Signatures
- Detects Trigona ransomware (13 IoCs)
resource yara_rule
behavioral2/memory/2296-0-0x0000000000400000-0x0000000000523000-memory.dmp family_trigona
behavioral2/memory/2296-1-0x0000000000400000-0x0000000000523000-memory.dmp family_trigona
behavioral2/memory/2296-3-0x0000000000400000-0x0000000000523000-memory.dmp family_trigona
behavioral2/memory/2296-4-0x0000000000400000-0x0000000000523000-memory.dmp family_trigona
behavioral2/memory/2296-789-0x0000000000400000-0x0000000000523000-memory.dmp family_trigona
behavioral2/memory/2296-831-0x0000000000400000-0x0000000000523000-memory.dmp family_trigona
behavioral2/memory/2296-1344-0x0000000000400000-0x0000000000523000-memory.dmp family_trigona
behavioral2/memory/2296-3564-0x0000000000400000-0x0000000000523000-memory.dmp family_trigona
behavioral2/memory/2296-8001-0x0000000000400000-0x0000000000523000-memory.dmp family_trigona
behavioral2/memory/2296-8044-0x0000000000400000-0x0000000000523000-memory.dmp family_trigona
behavioral2/memory/2296-10257-0x0000000000400000-0x0000000000523000-memory.dmp family_trigona
behavioral2/memory/2296-12227-0x0000000000400000-0x0000000000523000-memory.dmp family_trigona
behavioral2/memory/2296-14368-0x0000000000400000-0x0000000000523000-memory.dmp family_trigona
- Trigona
A ransomware family first seen at the beginning of 2022.
- Adds Run key to start application (2 TTPs, 1 IoCs)
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000\Software\Microsoft\Windows\CurrentVersion\Run\627EE33EA7C6E1BC5D1E5A2184CE30AC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe" 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
- Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.
- Drops desktop.ini file(s) (1 IoCs)
description ioc Process
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
- Drops file in Program Files directory (64 IoCs)
description ioc
Process (all 64 entries): 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File created \??\c:\Program Files\Common Files\microsoft shared\ink\th-TH\how_to_decrypt.hta
File created \??\c:\Program Files\Internet Explorer\fr-FR\how_to_decrypt.hta
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.White.png
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\msipc.dll.mui
File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\how_to_decrypt.hta
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\db2v0801.xsl
File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\how_to_decrypt.hta
File opened for modification \??\c:\Program Files\Common Files\System\de-DE\wab32res.dll.mui
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-180.png
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\strings.resjson
File opened for modification \??\c:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll
File opened for modification \??\c:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\close_x.png
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
File opened for modification \??\c:\Program Files\Java\jre-1.8\bin\gstreamer-lite.dll
File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\Fonts\private\BKANT.TTF
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\PREVIEW.GIF
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\msipc.dll.mui
File created \??\c:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\how_to_decrypt.hta
File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-pl.xrm-ms
File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ppd.xrm-ms
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\ECHO.INF
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_base.dll
File created \??\c:\Program Files\Internet Explorer\images\how_to_decrypt.hta
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\pack200.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL027.XML
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\idlj.exe
File opened for modification \??\c:\Program Files\Java\jre-1.8\bin\api-ms-win-core-debug-l1-1-0.dll
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\openssl64.dlla.manifest
File opened for modification \??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationTypes.resources.dll
File opened for modification \??\c:\Program Files\VideoLAN\VLC\plugins\video_splitter\libpanoramix_plugin.dll
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-debug-l1-1-0.dll
File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-ms
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL082.XML
File opened for modification \??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll
File opened for modification \??\c:\Program Files\Java\jdk-1.8\include\win32\jni_md.h
File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms
File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXE8SharedExpat.dll
File opened for modification \??\c:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui
File opened for modification \??\c:\Program Files\Common Files\Services\verisign.bmp
File opened for modification \??\c:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\vlc.mo
File created \??\c:\Program Files\VideoLAN\VLC\plugins\logger\how_to_decrypt.hta
File opened for modification \??\c:\Program Files\VideoLAN\VLC\plugins\demux\librawvid_plugin.dll
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\MSO.ACL
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL097.XML
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\THMBNAIL.PNG
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DcfMsoWrapper.dll
File created \??\c:\Program Files\VideoLAN\VLC\locale\my\how_to_decrypt.hta
File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-namedpipe-l1-1-0.dll
File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ul-oob.xrm-ms
File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-stdio-l1-1-0.dll
File opened for modification \??\c:\Program Files\VideoLAN\VLC\plugins\codec\libschroedinger_plugin.dll
File opened for modification \??\c:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libinteger_mixer_plugin.dll
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-private-l1-1-0.dll
Processes
- C:\Users\Admin\AppData\Local\Temp\704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe"
  PID: 2296
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 11KB
  MD5: f8c6f2ad777d14f1df4759b06b4de730
  SHA1: 59f06ed52b900592cdfb771542dc0c5fc0dd1c95
  SHA256: 82a62c854b1cd5c21b4eed3b31de10509fc07b47d931b121aeaa3cf48529962e
  SHA512: 0b1ced03c04575ecf59a3088834bfced03631e9ef40054a5e482194baad537dca5f85f145aef012e8c7619974de423c7dd38c36f8bfca41e0308d51531e86016