Analysis
- max time kernel: 209s
- max time network: 217s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-02-2024 18:53

Behavioral task: behavioral1
Sample: 704f1.exe
Resource: win10v2004-20231215-en
General
- Target: 704f1.exe
- Size: 1.1MB
- MD5: 67dd0708a2dcbe6b7661fd5eb4593ea7
- SHA1: 3d496563984c73e129577da8ca87d3e823fdcce4
- SHA256: 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2
- SHA512: 6dc6949196b6aa1e44564c955bf02b45e74247c23408e24fe206087725922dcb5cebb5db58635414313e6c96cfba26758919509ecd0e19832506069236dd9c21
- SSDEEP: 24576:oYj5E9T+xHeQhNmYOnW8FQrbID+u9v1Qs:Z5E9LQvRrtSvB
Malware Config
Signatures
-
Detects Trigona ransomware (20 IoCs)
YARA rule family_trigona matched the 704f1.exe image region 0x0000000000400000-0x0000000000523000 in memory dumps of PID 2564 throughout the run.
Trigona
A ransomware family first seen at the beginning of 2022.
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation (704f1.exe)
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E1BE975B29FB264111E96E6ECDEDD187 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\704f1.exe" (704f1.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9608AE291805267DAE9CD6946A0E8831 = "c:\\users\\admin\\appdata\\local\\temp\\how_to_decrypt.hta" (704f1.exe)
-
Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.
-
Drops desktop.ini file(s) (1 IoC)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI (704f1.exe)
-
Drops file in Program Files directory (64 IoCs)
704f1.exe opened existing files under Program Files and Program Files (x86) for modification and created how_to_decrypt.hta in directories across Microsoft Office, Adobe Acrobat Reader DC, VideoLAN VLC, Java, dotnet and Microsoft Edge.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings
iexplore.exe and IEXPLORE.EXE created keys and set values under \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer (Main, TabbedBrowsing, Recovery, VersionManager, GPU, IESettingSync, MINIE).
-
Modifies registry class (2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings (OpenWith.exe)
- Key created: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings (704f1.exe)
-
Opens file in notepad (likely ransom note) (1 IoC)
- PID 11840 NOTEPAD.EXE
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 11288 OpenWith.exe
-
Suspicious use of FindShellTrayWindow (1 IoC)
- PID 11624 iexplore.exe
-
Suspicious use of SetWindowsHookEx (22 IoCs across 4 processes)
- PID 11624 iexplore.exe
- PID 11792 IEXPLORE.EXE
- PID 11288 OpenWith.exe
- PID 11388 WORDPAD.EXE
-
Suspicious use of WriteProcessMemory (8 IoCs, 3 distinct source/target pairs)
- PID 11624 iexplore.exe wrote to memory of PID 11792 (procid_target 96)
- PID 11288 OpenWith.exe wrote to memory of PID 11388 (procid_target 98)
- PID 2564 704f1.exe wrote to memory of PID 4088 (procid_target 101)
Processes
-
C:\Users\Admin\AppData\Local\Temp\704f1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\704f1.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2564
  C:\Windows\SysWOW64\mshta.exe (child of PID 2564)
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\appdata\local\temp\how_to_decrypt.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    PID: 4088
-
C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\OptimizeSubmit.ps1xml
  - Opens file in notepad (likely ransom note)
  PID: 11840
-
C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 11624
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of PID 11624)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:11624 CREDAT:17410 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 11792
-
C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 11288
  C:\Program Files\Windows NT\Accessories\WORDPAD.EXE (child of PID 11288)
    Command line: "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\Admin\Desktop\RequestExport.rtf"
    - Suspicious use of SetWindowsHookEx
    PID: 11388
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 2060
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 11KB
MD5: 46f6c22847169bbb882715413f9b86ea
SHA1: 1d5bb88278856993c2754d4c758a2b359f0e9e07
SHA256: 342d890c7e8367aa6d55cd8f2c203b2971e5cf9d598133c59eb79f3fe04117a7
SHA512: cd985c44fd6403176f53e858f96f54aec05f93913d8b4cee38d554247c0fa77fb3ed007b6590d93d665533b7528cfcb2dfc0fed6a0f4e7cd49d360e333aaa7a6
-
\??\c:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5B2BEB3B-C9D8-11EE-9BE3-5A2E32B6DBC3}.dat
Filesize: 6KB
MD5: fd14b51530fffcdd945cb7de781ba4a8
SHA1: cc75c22cd2ef9502fe0cece384592b384e17f135
SHA256: 76ab4e115e6c3edf757797f38d1644d59df09cc83ffe6d9da0cc02ebe858753a
SHA512: 991289844e82abb7c77dbc766d9051a2a51a00f9784430e4995b88e7e370658aab30d2f76cc9d44d762c03262a718082768b0f121a032d37d69d82e107815c83
-
\??\c:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{BFF9F9CB-9B3E-11EE-9BDC-7E02F21A0140}.dat
Filesize: 7KB
MD5: 928b7a0aef82c5d2f80a6195e5e62030
SHA1: 08000b0d9980e35e5bbee181083059cf2b9cae01
SHA256: 87aed9a7cacd23fa7b4eb0a0ae77766f4b4b69d9f927b4c2e9995c9287d06f33
SHA512: 1bb7eda67eeff291013fcfcef475e79b929a21b7f72820066d11a6f8c4fbb740ae40baffcc013e4169ab0eb5f012c9317530c7271a23167d8f33a1cf1e420e35
-
\??\c:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{5B2BEB3C-C9D8-11EE-9BE3-5A2E32B6DBC3}.dat
Filesize: 6KB
MD5: 1b605976b81a5e7e3bd2c4b942a873dc
SHA1: fc99d4b0b95fffa6a38eefe88fafc9da7731ec1e
SHA256: b0fe7dfa93ec89a0fcf45cbdb105cc7690c24bf1ffd626a2cfe29f2e2e11a895
SHA512: 16002be1653703b5fee31663ba2231ba239cc07bf07a943e89f82b2b46486c88859c1626d94d94c8c01782a8a8e07567d941ad23fbc74799d75b2be2f29918a9