trigona | 6536e3bb233f6543926b15c4872b269ae4756d1bf8475e66272e296242c3b86d

General

Target

sample.exe
Size

1.1MB
MD5

27175ea8cbe46ff37de5f88c3bb914af
SHA1

5132fd07a623dfeffbb7448531e2ba8baa91b144
SHA256

f29b948905449f330d2e5070d767d0dac4837d0b566eee28282dc78749083684
SHA512

9902c6c6ddf50848f27cb9aae23a53ae976bf4959fe48eab8ef099dc03cad56310ce031e74ea53017ce01fa456b030b214f0760576821a4e1efe20b6e854970f
SSDEEP

24576:n5shvRvrJpGinVvvr9snyoYo+uk8jfLRmb:kZGG6nILifLR+

Score

10^/10

trigona discovery persistence ransomware

Malware Config

Signatures

Detects Trigona ransomware 13 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3872-0-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/3872-1-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/3872-3-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/3872-5-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/3872-12-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/3872-656-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/3872-3333-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/3872-11746-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/3872-17240-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/3872-19292-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/3872-19293-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/3872-19294-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/3872-19295-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona

Trigona
A ransomware first seen at the beginning of the 2022.
ransomware trigona

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sample.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\91C80CAA6FB0588693E944861C0B24B1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe"	sample.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops desktop.ini file(s) 4 IoCs

Processes:

sample.exe

description	ioc	process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-399997616-3400990511-967324271-1000\desktop.ini	sample.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-399997616-3400990511-967324271-1000\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

sample.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.winmd	sample.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\PROOF\msth8ES.DLL	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\System.Spatial.dll	sample.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\System.Windows.Controls.Ribbon.resources.dll	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl	sample.exe
File opened for modification	\??\c:\Program Files\dotnet\host\fxr\6.0.25\hostfxr.dll	sample.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sw.pak	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\lib\ir.idl	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\OFFSYMXL.TTF	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\BLENDS.ELM	sample.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Microsoft.NETCore.App.deps.json	sample.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\MediumTile.scale-200_contrast-black.png	sample.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-72_altform-unplated_contrast-black.png	sample.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionWideTile.scale-100.png	sample.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\d3d9\libdirect3d9_filters_plugin.dll	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-phn.xrm-ms	sample.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll	sample.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\it-IT\WMPMediaSharing.dll.mui	sample.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png	sample.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-16_contrast-white.png	sample.exe
File created	\??\c:\Program Files\Common Files\System\ado\ja-JP\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\Office.UI.Xaml.Core.winmd	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\msjet.xsl	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grid.Grouping.Base.dll	sample.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-FR\View3d\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\msipc.dll.mui	sample.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-150.png	sample.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionSmallTile.scale-125.png	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-pl.xrm-ms	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\OSFUI.DLL	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\ucrtbase.dll	sample.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\brx\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-125_contrast-black.png	sample.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-256_contrast-white.png	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-pl.xrm-ms	sample.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\Microsoft.VisualBasic.Forms.resources.dll	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\include\jawt.h	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOIDCLIL.DLL	sample.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml	sample.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Logo.scale-125_contrast-black.png	sample.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Runtime.Serialization.Xml.dll	sample.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookLargeTile.scale-150.png	sample.exe
File created	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML	sample.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\how_to_decrypt.hta	sample.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-200.png	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\legal\javafx\jpeg_fx.md	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOSI.TTF	sample.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:3872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Network Service Discovery

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-399997616-3400990511-967324271-1000\desktop.ini

Filesize
2KB

MD5
67a0ffdab9da8ee922a348a87c6cc0ad

SHA1
954887fbea62b493457316b518b3d022a37330de

SHA256
ca3b74634cf6c58c139636af3f0225c69caa41f0ba055ff99a46e645f3d86640

SHA512
7ecdddfbe2d3eed6598c85ee88b177a64ab6bd5a7adb8440c3bb783333b290d3c6f028c230a3f1aee04d5e0f76fcfc9d7da6aed024ffc85c87191538ee43c253

Download Submit
C:\how_to_decrypt.hta

Filesize
12KB

MD5
0ce92c9694815374537c4eac60461370

SHA1
e18c4ab182b33a86ddc36daa980189e923d33f3c

SHA256
0ef9acacbed385f54a99773c345e3298c1676c6912e3bc50c54ff3e990329444

SHA512
cb753e54b358e93cb41d6921647680df9c296bac369c9796d127089f3a09accf898a33d1e27b637c9101313f468575b54c82c47370f0373f56dbe871d6770d18

Download Submit
memory/3872-5-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3872-0-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3872-12-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3872-3-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3872-1-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3872-656-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3872-3333-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3872-11746-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3872-17240-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3872-19292-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3872-19293-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3872-19294-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3872-19295-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads