Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28-02-2024 11:17
Behavioral task
behavioral1
Sample
sample.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
sample.exe
Resource
win10v2004-20240226-en
General
-
Target
sample.exe
-
Size
1.1MB
-
MD5
a031edc72ddea262780560405c0ea4ae
-
SHA1
7466b3a81dad69b01df5d4b1233734bc0454ced8
-
SHA256
eda603f4d469d017917f5d6affeb992fdf3b7971e49868ece8c38fb8e6f8b444
-
SHA512
608d6f490db60a8a0a9d25b5920bc1ced718a2de31a2293e799c79b15850e4a325f8dcdf004f95f09dad0093722d51cd83ee7bc33553a82a0cb87aff0004323f
-
SSDEEP
24576:xY6frxBDmkY+Jr0Iql2v4sx+uxtTy1eFR:LKuTvBwSd7R
Malware Config
Signatures
-
Detects Trigona ransomware 13 IoCs
resource yara_rule behavioral1/memory/2896-0-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/2896-1-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/2896-3-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/2896-5-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/2896-12-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/2896-730-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/2896-1233-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/2896-7134-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/2896-9881-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/2896-11670-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/2896-11755-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/2896-11892-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral1/memory/2896-13309-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona -
Trigona
A ransomware first seen at the beginning of the 2022.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\AF72AA6B92B9084985D3EAD9AB43B04C = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe" sample.exe -
Drops desktop.ini file(s) 13 IoCs
description ioc Process File opened for modification \??\c:\Program Files\Microsoft Games\FreeCell\desktop.ini sample.exe File opened for modification \??\c:\Program Files\Microsoft Games\Hearts\desktop.ini sample.exe File opened for modification \??\c:\Program Files\Microsoft Games\Mahjong\desktop.ini sample.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1650401615-1019878084-3673944445-1000\desktop.ini sample.exe File opened for modification \??\c:\Program Files\Microsoft Games\Chess\desktop.ini sample.exe File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini sample.exe File opened for modification \??\c:\Program Files\Microsoft Games\Solitaire\desktop.ini sample.exe File opened for modification \??\c:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini sample.exe File opened for modification \??\c:\Program Files (x86)\desktop.ini sample.exe File opened for modification \??\c:\$Recycle.Bin\S-1-5-21-1650401615-1019878084-3673944445-1000\desktop.ini sample.exe File opened for modification \??\c:\Program Files\Microsoft Games\Purble Place\desktop.ini sample.exe File opened for modification \??\c:\Program Files\desktop.ini sample.exe File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini sample.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info sample.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00914_.WMF sample.exe File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\EDGE.ELM sample.exe File opened for modification \??\c:\Program Files\Java\jre7\lib\zi\Europe\Prague sample.exe File created \??\c:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\how_to_decrypt.hta sample.exe File created \??\c:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\how_to_decrypt.hta sample.exe File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\gadget.xml sample.exe File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FDATE.DLL sample.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00351_.WMF sample.exe File opened for modification \??\c:\Program Files\Java\jre7\lib\zi\America\Sitka sample.exe File opened for modification \??\c:\Program Files\Java\jre7\lib\zi\Europe\London sample.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\browser\features\[email protected] sample.exe File created \??\c:\Program Files (x86)\Common Files\System\ja-JP\how_to_decrypt.hta sample.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01178_.WMF sample.exe File opened for modification \??\c:\Program Files\Microsoft Games\Solitaire\de-DE\Solitaire.exe.mui sample.exe File created \??\c:\Program Files\Reference Assemblies\how_to_decrypt.hta sample.exe File created \??\c:\Program Files\VideoLAN\VLC\lua\meta\how_to_decrypt.hta sample.exe File created \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\how_to_decrypt.hta sample.exe File opened for modification \??\c:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_sr.dll sample.exe File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi sample.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.bat sample.exe File opened for modification \??\c:\Program Files\Java\jre7\lib\zi\Pacific\Tahiti sample.exe File created \??\c:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\how_to_decrypt.hta sample.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.properties sample.exe File created \??\c:\Program Files (x86)\Common Files\System\msadc\fr-FR\how_to_decrypt.hta sample.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01015_.WMF sample.exe File created \??\c:\Program Files\VideoLAN\VLC\lua\modules\how_to_decrypt.hta sample.exe File created \??\c:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\how_to_decrypt.hta sample.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08773_.WMF sample.exe File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_bkg.png sample.exe File created \??\c:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\how_to_decrypt.hta sample.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00090_.WMF sample.exe File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui sample.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe sample.exe File opened for modification \??\c:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt sample.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_zh_CN.jar sample.exe File opened for modification \??\c:\Program Files\Java\jre7\lib\zi\Indian\Chagos sample.exe File opened for modification \??\c:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac sample.exe File created \??\c:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\how_to_decrypt.hta sample.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04225_.WMF sample.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101857.BMP sample.exe File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml sample.exe File opened for modification \??\c:\Program Files\Common Files\System\es-ES\wab32res.dll.mui sample.exe File opened for modification \??\c:\Program Files\Java\jre7\lib\zi\Europe\Zaporozhye sample.exe File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll sample.exe File created \??\c:\Program Files\Microsoft Games\Minesweeper\fr-FR\how_to_decrypt.hta sample.exe File opened for modification \??\c:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini sample.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\jconsole.jar sample.exe File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png sample.exe File opened for modification \??\c:\Program Files (x86)\Common Files\System\Ole DB\es-ES\msdaorar.dll.mui sample.exe File opened for modification \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json sample.exe File created \??\c:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\how_to_decrypt.hta sample.exe File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Checkers.api sample.exe File opened for modification \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png sample.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml sample.exe File opened for modification \??\c:\Program Files\Java\jre7\lib\deploy\messages_ko.properties sample.exe File opened for modification \??\c:\Program Files\Java\jre7\lib\zi\GMT sample.exe File opened for modification \??\c:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png sample.exe File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat sample.exe File opened for modification \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png sample.exe File opened for modification \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png sample.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107512.WMF sample.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml sample.exe File opened for modification \??\c:\Program Files\Windows NT\Accessories\en-US\wordpad.exe.mui sample.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5e247613abae26f3dbe33ed3e7c3eed25
SHA16ab72d44e90f74dbfc6a638ac554b6ef73092879
SHA256e8a1645ad6bea1e4879cef80ddb6613b3f20573628525b9875d4f7ed59fb1769
SHA5122e66481a12849d2c471bc10bb5e192b054bb9ebae33c469b4ece701d7ed4ead95f61d8e0fb2d8a4dc8154fa4fdb9cb9a335d0846f53137248f35c51f482a73c6
-
Filesize
11KB
MD53d64ba5c5bd122fcc61765310ddb8a4d
SHA160f10b555acd69bb6a161b63a9e8f0d9724e1b9b
SHA256b7a0cd566a226bde66283549746e3aea6c8fa6103220e8c9068e9e822d2333fd
SHA5122b1d3d674a9801e36fac3f64b14d4ddfce10002dece23bdd9ff8352a6d338311dbd0bc494c0ec70e71030f2ff199ca0d5adf689e17b80321a35c4953dcfb8ec7