trigona | b8ef280c81326bb7f9410c8e62ed654ff85d5da57c5b2fc35dab166059befe55

General

Target

sample.exe
Size

1.1MB
MD5

a031edc72ddea262780560405c0ea4ae
SHA1

7466b3a81dad69b01df5d4b1233734bc0454ced8
SHA256

eda603f4d469d017917f5d6affeb992fdf3b7971e49868ece8c38fb8e6f8b444
SHA512

608d6f490db60a8a0a9d25b5920bc1ced718a2de31a2293e799c79b15850e4a325f8dcdf004f95f09dad0093722d51cd83ee7bc33553a82a0cb87aff0004323f
SSDEEP

24576:xY6frxBDmkY+Jr0Iql2v4sx+uxtTy1eFR:LKuTvBwSd7R

Score

10^/10

trigona persistence ransomware

Malware Config

Signatures

Detects Trigona ransomware 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2896-0-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2896-1-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2896-3-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2896-5-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2896-12-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2896-730-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2896-1233-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2896-7134-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2896-9881-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2896-11670-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2896-11755-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2896-11892-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2896-13309-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona

Trigona
A ransomware first seen at the beginning of the 2022.
ransomware trigona

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sample.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\AF72AA6B92B9084985D3EAD9AB43B04C = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe"	sample.exe

Drops desktop.ini file(s) 13 IoCs

Processes:

sample.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Microsoft Games\FreeCell\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Hearts\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Mahjong\desktop.ini	sample.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1650401615-1019878084-3673944445-1000\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Chess\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Solitaire\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files (x86)\desktop.ini	sample.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-1650401615-1019878084-3673944445-1000\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Purble Place\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

sample.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info	sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00914_.WMF	sample.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\EDGE.ELM	sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Europe\Prague	sample.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\how_to_decrypt.hta	sample.exe
File created	\??\c:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\gadget.xml	sample.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FDATE.DLL	sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00351_.WMF	sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\America\Sitka	sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Europe\London	sample.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\browser\features\[email protected]	sample.exe
File created	\??\c:\Program Files (x86)\Common Files\System\ja-JP\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01178_.WMF	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Solitaire\de-DE\Solitaire.exe.mui	sample.exe
File created	\??\c:\Program Files\Reference Assemblies\how_to_decrypt.hta	sample.exe
File created	\??\c:\Program Files\VideoLAN\VLC\lua\meta\how_to_decrypt.hta	sample.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_sr.dll	sample.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.bat	sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Pacific\Tahiti	sample.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.properties	sample.exe
File created	\??\c:\Program Files (x86)\Common Files\System\msadc\fr-FR\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01015_.WMF	sample.exe
File created	\??\c:\Program Files\VideoLAN\VLC\lua\modules\how_to_decrypt.hta	sample.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08773_.WMF	sample.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_bkg.png	sample.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00090_.WMF	sample.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	sample.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_zh_CN.jar	sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Indian\Chagos	sample.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac	sample.exe
File created	\??\c:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04225_.WMF	sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101857.BMP	sample.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml	sample.exe
File opened for modification	\??\c:\Program Files\Common Files\System\es-ES\wab32res.dll.mui	sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Europe\Zaporozhye	sample.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll	sample.exe
File created	\??\c:\Program Files\Microsoft Games\Minesweeper\fr-FR\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\jconsole.jar	sample.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png	sample.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\System\Ole DB\es-ES\msdaorar.dll.mui	sample.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json	sample.exe
File created	\??\c:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Checkers.api	sample.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml	sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\deploy\messages_ko.properties	sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\GMT	sample.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	sample.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat	sample.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png	sample.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png	sample.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107512.WMF	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml	sample.exe
File opened for modification	\??\c:\Program Files\Windows NT\Accessories\en-US\wordpad.exe.mui	sample.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2896

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1650401615-1019878084-3673944445-1000\desktop.ini
Filesize
2KB

MD5
e247613abae26f3dbe33ed3e7c3eed25

SHA1
6ab72d44e90f74dbfc6a638ac554b6ef73092879

SHA256
e8a1645ad6bea1e4879cef80ddb6613b3f20573628525b9875d4f7ed59fb1769

SHA512
2e66481a12849d2c471bc10bb5e192b054bb9ebae33c469b4ece701d7ed4ead95f61d8e0fb2d8a4dc8154fa4fdb9cb9a335d0846f53137248f35c51f482a73c6

Download Submit
C:\how_to_decrypt.hta
Filesize
11KB

MD5
3d64ba5c5bd122fcc61765310ddb8a4d

SHA1
60f10b555acd69bb6a161b63a9e8f0d9724e1b9b

SHA256
b7a0cd566a226bde66283549746e3aea6c8fa6103220e8c9068e9e822d2333fd

SHA512
2b1d3d674a9801e36fac3f64b14d4ddfce10002dece23bdd9ff8352a6d338311dbd0bc494c0ec70e71030f2ff199ca0d5adf689e17b80321a35c4953dcfb8ec7

Download Submit
memory/2896-5-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2896-0-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2896-12-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2896-3-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2896-1-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2896-730-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2896-1233-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2896-7134-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2896-9881-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2896-11670-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2896-11755-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2896-11892-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2896-13309-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads