Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
28-02-2024 11:17
Behavioral task
behavioral1
Sample
sample.exe
Resource
win7-20240221-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
sample.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
sample.exe
-
Size
1.1MB
-
MD5
a031edc72ddea262780560405c0ea4ae
-
SHA1
7466b3a81dad69b01df5d4b1233734bc0454ced8
-
SHA256
eda603f4d469d017917f5d6affeb992fdf3b7971e49868ece8c38fb8e6f8b444
-
SHA512
608d6f490db60a8a0a9d25b5920bc1ced718a2de31a2293e799c79b15850e4a325f8dcdf004f95f09dad0093722d51cd83ee7bc33553a82a0cb87aff0004323f
-
SSDEEP
24576:xY6frxBDmkY+Jr0Iql2v4sx+uxtTy1eFR:LKuTvBwSd7R
Score
10/10
Malware Config
Signatures
-
Detects Trigona ransomware 13 IoCs
resource yara_rule behavioral2/memory/464-0-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/464-1-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/464-2-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/464-4-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/464-6-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/464-13-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/464-789-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/464-9197-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/464-16877-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/464-19301-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/464-19302-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/464-19303-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona behavioral2/memory/464-19304-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona -
Trigona
A ransomware first seen at the beginning of the 2022.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7DA87F2358F636B2BA93B3BF3CE9B0BC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe" sample.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops desktop.ini file(s) 4 IoCs
description ioc Process File opened for modification \??\c:\$Recycle.Bin\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini sample.exe File opened for modification \??\c:\Program Files\desktop.ini sample.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI sample.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini sample.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml sample.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Archive.zip sample.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-30_altform-lightunplated.png sample.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\WindowsBase.resources.dll sample.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-ms sample.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-BOLD.TTF sample.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\vreg\proof.fr-fr.msi.16.fr-fr.vreg.dat sample.exe File opened for modification \??\c:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_i420_plugin.dll sample.exe File created \??\c:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\bg-BG\how_to_decrypt.hta sample.exe File opened for modification \??\c:\Program Files\Java\jre-1.8\lib\security\policy\limited\US_export_policy.jar sample.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms sample.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\PREVIEW.GIF sample.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1XTOR.DLL sample.exe File opened for modification \??\c:\Program Files\Java\jre-1.8\bin\jp2iexp.dll sample.exe File created \??\c:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\how_to_decrypt.hta sample.exe File opened for modification \??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.scale-125_contrast-white.png sample.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSmallTile.scale-400.png sample.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\NamedUrls.HxK sample.exe File opened for modification \??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsFormsIntegration.resources.dll sample.exe File opened for modification \??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri sample.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\WelcomeDialogContent.json sample.exe File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll sample.exe File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll sample.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ppd.xrm-ms sample.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms sample.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-150_contrast-black.png sample.exe File created \??\c:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\locimages\how_to_decrypt.hta sample.exe File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe sample.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-file-l1-1-0.dll sample.exe File created \??\c:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\how_to_decrypt.hta sample.exe File opened for modification \??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreLargeTile.scale-100.png sample.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-24_contrast-white.png sample.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-30_contrast-white.png sample.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ppd.xrm-ms sample.exe File opened for modification \??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ComponentModel.DataAnnotations.dll sample.exe File opened for modification \??\c:\Program Files\VideoLAN\VLC\lua\playlist\twitch.luac sample.exe File opened for modification \??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-100_contrast-white.png sample.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML sample.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-100_contrast-black.png sample.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_altform-unplated_contrast-white.png sample.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\clrcompression.dll sample.exe File opened for modification \??\c:\Program Files\7-Zip\Lang\ky.txt sample.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms sample.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\how_to_decrypt.hta sample.exe File opened for modification \??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-125.png sample.exe File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll sample.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul-oob.xrm-ms sample.exe File opened for modification \??\c:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo sample.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\29.jpg sample.exe File opened for modification \??\c:\Program Files\RepairOptimize.lnk sample.exe File created \??\c:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\how_to_decrypt.hta sample.exe File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveDrop32x32.gif sample.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-phn.xrm-ms sample.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ul-oob.xrm-ms sample.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE sample.exe File created \??\c:\Program Files\dotnet\host\fxr\6.0.25\how_to_decrypt.hta sample.exe File opened for modification \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\vulkan-1.dll sample.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ppd.xrm-ms sample.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms sample.exe File created \??\c:\Program Files\VideoLAN\VLC\plugins\text_renderer\how_to_decrypt.hta sample.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-100.png sample.exe File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui sample.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms sample.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL044.XML sample.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD53f998866788156b1d388b704ca6ad0a3
SHA10b0642863652d38873dda6fd92e0dd826d2110e8
SHA2569c1e94dd46dae742d8d4508d12a5c88f2948c4b02ebf942857a57e89bee56dad
SHA51263c659fcadb4da16d30994f602220870ac79d3852973c3e794b8e9824bbdecbfe46508758b0ce9a5ced891ca309d61c4bd4f50f817d573fc16bbae4d278bba2b
-
Filesize
11KB
MD5e2817c5b88f880aca976bd0cf37f1644
SHA19ca2a1b92b340c05609af91399caed47e04eae99
SHA256030ec1b8e290dfb7c13dd8d3027bbe32b7edc4c2c00b67f5cf7bfe959f546052
SHA512b7e43d4e7b8b077a8eba745b1870fa9db31e3ea054a8844fcefb80cdd8f43312e1c44143408ad44aa28aa49ede11e09e8c80399707e937497697d66d11947e79