trigona | 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2

Resubmissions

21-01-2024 14:54

240121-r9z4esdeaj 10

03-02-2023 07:15

230203-h3h2wscd88 10

Analysis

max time kernel
154s
max time network
169s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
21-01-2024 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
Size

1.1MB
MD5

67dd0708a2dcbe6b7661fd5eb4593ea7
SHA1

3d496563984c73e129577da8ca87d3e823fdcce4
SHA256

704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2
SHA512

6dc6949196b6aa1e44564c955bf02b45e74247c23408e24fe206087725922dcb5cebb5db58635414313e6c96cfba26758919509ecd0e19832506069236dd9c21
SSDEEP

24576:oYj5E9T+xHeQhNmYOnW8FQrbID+u9v1Qs:Z5E9LQvRrtSvB

Score

10^/10

trigona persistence ransomware

Malware Config

Signatures

Detects Trigona ransomware 14 IoCs

resource	yara_rule
behavioral4/memory/2456-0-0x0000000000400000-0x0000000000523000-memory.dmp	family_trigona
behavioral4/memory/2456-1-0x0000000000400000-0x0000000000523000-memory.dmp	family_trigona
behavioral4/memory/2456-2-0x0000000000400000-0x0000000000523000-memory.dmp	family_trigona
behavioral4/memory/2456-4-0x0000000000400000-0x0000000000523000-memory.dmp	family_trigona
behavioral4/memory/2456-6-0x0000000000400000-0x0000000000523000-memory.dmp	family_trigona
behavioral4/memory/2456-764-0x0000000000400000-0x0000000000523000-memory.dmp	family_trigona
behavioral4/memory/2456-807-0x0000000000400000-0x0000000000523000-memory.dmp	family_trigona
behavioral4/memory/2456-2999-0x0000000000400000-0x0000000000523000-memory.dmp	family_trigona
behavioral4/memory/2456-6086-0x0000000000400000-0x0000000000523000-memory.dmp	family_trigona
behavioral4/memory/2456-7641-0x0000000000400000-0x0000000000523000-memory.dmp	family_trigona
behavioral4/memory/2456-9902-0x0000000000400000-0x0000000000523000-memory.dmp	family_trigona
behavioral4/memory/2456-11600-0x0000000000400000-0x0000000000523000-memory.dmp	family_trigona
behavioral4/memory/2456-13299-0x0000000000400000-0x0000000000523000-memory.dmp	family_trigona
behavioral4/memory/2456-15377-0x0000000000400000-0x0000000000523000-memory.dmp	family_trigona

Trigona
A ransomware first seen at the beginning of the 2022.
ransomware trigona

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-894477223-740240645-3565689000-1000\Software\Microsoft\Windows\CurrentVersion\Run\CFF703634299035FA92201B439DA73CD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe"	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\concrt140.dll	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ul-oob.xrm-ms	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\QRYINT32.DLL	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\ACADEMIC.ONE	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grid.Grouping.Base.dll	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\MEDIA\ARROW.WAV	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-math-l1-1-0.dll	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.png	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.cfg	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\nn.txt	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\it.txt	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\MSOCR.DLL	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\msoutilstat.etw.man	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.SETLANG.16.1033.hxn	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql2000.xsl	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\how_to_decrypt.hta	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\codec\libaes3_plugin.dll	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-phn.xrm-ms	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\WindowsAccessBridge-64.dll	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ul-oob.xrm-ms	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\how_to_decrypt.hta	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-pl.xrm-ms	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL119.XML	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\excelcnvpxy.dll	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\DEEPBLUE.INF	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ucrtbase.dll	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File created	\??\c:\Program Files\Java\jre-1.8\lib\security\how_to_decrypt.hta	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-ms	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-pl.xrm-ms	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dll	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\mscordaccore_amd64_amd64_8.0.23.53103.dll	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\how_to_decrypt.hta	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-oob.xrm-ms	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-phn.xrm-ms	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ppd.xrm-ms	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\how_to_decrypt.hta	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vreg\office32ww.msi.16.x-none.vreg.dat	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ul-oob.xrm-ms	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OAuth.dll	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Text.RegularExpressions.dll	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\lib\security\policy\limited\US_export_policy.jar	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Reflection.Emit.ILGeneration.dll	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-stdio-l1-1-0.dll	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\OFFICE16\how_to_decrypt.hta	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
File created	\??\c:\Program Files\Java\jdk-1.8\jre\lib\cmm\how_to_decrypt.hta	704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe

C:\Users\Admin\AppData\Local\Temp\704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe
"C:\Users\Admin\AppData\Local\Temp\704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\how_to_decrypt.hta

Filesize
11KB

MD5
44b05dffb3a7a7824a5672b4f2462dd7

SHA1
74a7c83d6fd385be4cc5c589babb67e54d937c86

SHA256
d487449fd744a4ae575d4f0d1da1bc5957fb5f1dfbb17cc9676d45e57e3fbf00

SHA512
c4093d4ffa7a0e42119f1e60ed996e2eff6df610496e94cc7e24465f9a9f59974b5a7c778f3d9215a1c30a2d50ca98aa6cceab30373c3b3b370bbe945fff65c1

Download Submit
memory/2456-764-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2456-2999-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2456-4-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2456-6-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2456-1-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2456-0-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2456-807-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2456-2-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2456-6086-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2456-7641-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2456-9902-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2456-11600-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2456-13299-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2456-15377-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads