trigona | 6536e3bb233f6543926b15c4872b269ae4756d1bf8475e66272e296242c3b86d

General

Target

sample.exe
Size

1.1MB
MD5

27175ea8cbe46ff37de5f88c3bb914af
SHA1

5132fd07a623dfeffbb7448531e2ba8baa91b144
SHA256

f29b948905449f330d2e5070d767d0dac4837d0b566eee28282dc78749083684
SHA512

9902c6c6ddf50848f27cb9aae23a53ae976bf4959fe48eab8ef099dc03cad56310ce031e74ea53017ce01fa456b030b214f0760576821a4e1efe20b6e854970f
SSDEEP

24576:n5shvRvrJpGinVvvr9snyoYo+uk8jfLRmb:kZGG6nILifLR+

Score

10^/10

trigona persistence ransomware

Malware Config

Signatures

Detects Trigona ransomware 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2956-0-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2956-1-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2956-3-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2956-5-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2956-12-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2956-739-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2956-1221-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2956-8765-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2956-9059-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2956-10566-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2956-11667-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2956-11668-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona

Trigona
A ransomware first seen at the beginning of the 2022.
ransomware trigona

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sample.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\3D56637AB788743AC9B9E58F9634D15C = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe"	sample.exe

Drops desktop.ini file(s) 11 IoCs

Processes:

sample.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Microsoft Games\Purble Place\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Chess\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\FreeCell\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Hearts\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Mahjong\desktop.ini	sample.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini	sample.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Solitaire\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

sample.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\vlc.mo	sample.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkWatson.exe.mui	sample.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml	sample.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\vlc.mo	sample.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\sunec.dll	sample.exe
File created	\??\c:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\vlc.mo	sample.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsamplerate_plugin.dll	sample.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Tell_City	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml	sample.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\how_to_decrypt.hta	sample.exe
File created	\??\c:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar	sample.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll	sample.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf	sample.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png	sample.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png	sample.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\es-ES\Sidebar.exe.mui	sample.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\gadget.xml	sample.exe
File opened for modification	\??\c:\Program Files\Windows NT\Accessories\it-IT\wordpad.exe.mui	sample.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll	sample.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif	sample.exe
File opened for modification	\??\c:\Program Files\DVD Maker\audiodepthconverter.ax	sample.exe
File created	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Davis	sample.exe
File created	\??\c:\Program Files\Microsoft Games\Purble Place\en-US\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MpCommu.dll	sample.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IpsMigrationPlugin.dll.mui	sample.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\it-IT\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Europe\Belgrade	sample.exe
File created	\??\c:\Program Files\Microsoft Games\Chess\en-US\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.RunTime.Serialization.Resources.dll	sample.exe
File opened for modification	\??\c:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	sample.exe
File opened for modification	\??\c:\Program Files\DVD Maker\fr-FR\OmdProject.dll.mui	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.ja_5.5.0.165303.jar	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\Office14\VisioCustom.propdesc	sample.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\vlc.mo	sample.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_dummy_plugin.dll	sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Europe\Paris	sample.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui	sample.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\15x15dot.png	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Pangnirtung	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_zh_4.4.0.v20140623020002.jar	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\core.jar	sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\America\La_Paz	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Chess\ja-JP\Chess.exe.mui	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\Office14\ONFILTER.DLL	sample.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wab.exe	sample.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml	sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Africa\Windhoek	sample.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Design.Resources.dll	sample.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\audio_filter\libmono_plugin.dll	sample.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2956

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini
Filesize
2KB

MD5
8e67fa7d6f53e8366fb0ef872888958f

SHA1
e00359293328848ace7a8ba55dfc17ec1dcea97d

SHA256
ed9e02e9ff6e0655fd1259d49cde45b2a7328f4dd45d3147c52a2cfed29894dc

SHA512
db631405af03f506ea2eea7095c0d30a4b5ba1593b40ff6c31513947d7d19a98d55b230dc1e36183374bed8e0d7e6bcbc885720f274933b81f9dec8de1ecd03b

Download Submit
C:\how_to_decrypt.hta
Filesize
12KB

MD5
21012c3c558cf185219f0ec15c770a44

SHA1
802f4c8789513c862f83465ee2f6b4e7f68a59bf

SHA256
0198c292ecec40e5923e8b76696fa84a50a3e54dadef9bd17e7556bccaec594f

SHA512
14bc87199a518ad647a3f432873b16c3755aedc1ff53ee6cb1a3af3c6dd9a0afff1fb305428b6e2a6390b62c88e502650263d6aeefdf4182e808c8d5e9132b0d

Download Submit
memory/2956-5-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2956-0-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2956-12-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2956-3-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2956-1-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2956-739-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2956-1221-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2956-8765-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2956-9059-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2956-10566-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2956-11667-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2956-11668-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads