Analysis
max time kernel: 160s
max time network: 133s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28-02-2024 11:18
Behavioral task behavioral1: sample sample.exe, resource win7-20240221-en
Behavioral task behavioral2: sample sample.exe, resource win10v2004-20240226-en
General
Target: sample.exe
Size: 1.1MB
MD5: cd215489a03871eaac431180546f162e
SHA1: acb517dc5ec2376176cc3116bebfdf71d314663b
SHA256: 761b78ddab55b4e561607ce5ce9d424a7aec4f1994aad988f0612b096cdd1d6d
SHA512: 124821f7d1860a513bc3c51a8f11bc0134877930f5bc46c4675a7d407b8523ae5c4cb596cf6c72ace9dd50245910c71eda216b1169a53e458e8e8bd378059892
SSDEEP: 12288:HRYqX7pdDWExBDmkYhiPJSA0IqOO2vBwRns2MqnuY/gtTy7FXu9:xY6frxBDmkY+Jr0Iql2v4sx+uxtTyp+9
Malware Config
Signatures
Detects Trigona ransomware (13 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2884-0-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
behavioral1/memory/2884-1-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
behavioral1/memory/2884-3-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
behavioral1/memory/2884-5-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
behavioral1/memory/2884-12-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
behavioral1/memory/2884-662-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
behavioral1/memory/2884-709-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
behavioral1/memory/2884-713-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
behavioral1/memory/2884-721-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
behavioral1/memory/2884-837-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
behavioral1/memory/2884-3177-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
behavioral1/memory/2884-7421-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
behavioral1/memory/2884-10685-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
Trigona
Ransomware first seen at the beginning of 2022.
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: sample.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\538E711198727144BBAEB47AD373D32B = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe" | sample.exe
Drops desktop.ini file(s) (11 IoCs)
Processes: sample.exe
description | ioc | process
File opened for modification | \??\c:\Program Files\Microsoft Games\FreeCell\desktop.ini | sample.exe
File opened for modification | \??\c:\Program Files\Microsoft Games\Hearts\desktop.ini | sample.exe
File opened for modification | \??\c:\Program Files\Microsoft Games\Purble Place\desktop.ini | sample.exe
File opened for modification | \??\c:\Program Files\Microsoft Games\Solitaire\desktop.ini | sample.exe
File opened for modification | \??\c:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | sample.exe
File opened for modification | \??\c:\$Recycle.Bin\S-1-5-21-778096762-2241304387-192235952-1000\desktop.ini | sample.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | sample.exe
File opened for modification | \??\c:\Program Files\desktop.ini | sample.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-778096762-2241304387-192235952-1000\desktop.ini | sample.exe
File opened for modification | \??\c:\Program Files\Microsoft Games\Chess\desktop.ini | sample.exe
File opened for modification | \??\c:\Program Files\Microsoft Games\Mahjong\desktop.ini | sample.exe
Drops file in Program Files directory (64 IoCs)
Processes: sample.exe
description | ioc | process
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt | sample.exe
File opened for modification | \??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClientsideProviders.resources.dll | sample.exe
File created | \??\c:\Program Files\VideoLAN\VLC\locale\id\how_to_decrypt.hta | sample.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\micaut.dll.mui | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Curacao | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar | sample.exe
File opened for modification | \??\c:\Program Files\Java\jre7\lib\zi\Asia\Yerevan | sample.exe
File opened for modification | \??\c:\Program Files\Microsoft Games\Chess\ja-JP\Chess.exe.mui | sample.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\ucrtbase.dll | sample.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui | sample.exe
File opened for modification | \??\c:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Qyzylorda | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT | sample.exe
File opened for modification | \??\c:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg | sample.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll | sample.exe
File created | \??\c:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\how_to_decrypt.hta | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_ja_4.4.0.v20140623020002.jar | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar | sample.exe
File created | \??\c:\Program Files\Java\jre7\lib\zi\America\Indiana\how_to_decrypt.hta | sample.exe
File created | \??\c:\Program Files\Java\jre7\lib\zi\Atlantic\how_to_decrypt.hta | sample.exe
File opened for modification | \??\c:\Program Files\Windows Defender\MpCmdRun.exe | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Merida | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hong_Kong | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-nodes.jar | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_zh_CN.jar | sample.exe
File opened for modification | \??\c:\Program Files\Windows Mail\es-ES\WinMail.exe.mui | sample.exe
File opened for modification | \??\c:\Program Files\7-Zip\Lang\ku.txt | sample.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santiago | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lindeman | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar | sample.exe
File opened for modification | \??\c:\Program Files\Java\jre7\Welcome.html | sample.exe
File opened for modification | \??\c:\Program Files\Windows NT\Accessories\wordpad.exe | sample.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IPSEventLogMsg.dll.mui | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\cursors.properties | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar | sample.exe
File opened for modification | \??\c:\Program Files\Java\jre7\lib\zi\Asia\Riyadh | sample.exe
File opened for modification | \??\c:\Program Files\VideoLAN\VLC\plugins\visualization\libprojectm_plugin.dll | sample.exe
File opened for modification | \??\c:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui | sample.exe
File opened for modification | \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader.dll | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-spi-quicksearch.jar | sample.exe
File created | \??\c:\Program Files\Java\jre7\lib\applet\how_to_decrypt.hta | sample.exe
File opened for modification | \??\c:\Program Files\Java\jre7\lib\zi\Pacific\Funafuti | sample.exe
File opened for modification | \??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationTypes.resources.dll | sample.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_ja_4.4.0.v20140623020002.jar | sample.exe
File opened for modification | \??\c:\Program Files\Mozilla Firefox\defaults\pref\autoconfig.js | sample.exe
File opened for modification | \??\c:\Program Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll | sample.exe
File opened for modification | \??\c:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_pitch_plugin.dll | sample.exe
File opened for modification | \??\c:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui | sample.exe
File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk | sample.exe
File opened for modification | \??\c:\Program Files\Java\jre7\lib\jfr.jar | sample.exe
File opened for modification | \??\c:\Program Files\Java\jre7\lib\zi\Antarctica\Syowa | sample.exe
File opened for modification | \??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll | sample.exe
File opened for modification | \??\c:\Program Files\VideoLAN\VLC\plugins\text_renderer\libtdummy_plugin.dll | sample.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: 672ae8669e8852e1c6f0c8dad433171f
SHA1: 995aaa356d3af5896561d9692dc2cf49e43c06fa
SHA256: d38145f4a5c59bdb2aedb32fd4555f630992277bfba962ea2b23245e7bd27f20
SHA512: 85bac2726386098fea95994e0e18b931419055af251cae81bac49ec6ab632e1146672a1373535a17cb10b3a1f0ca38829f56e14a0a486bb9edb4837455146b91

Filesize: 11KB
MD5: 9adf3ff8cbd58d35ee3a7f1118179fc2
SHA1: 9ebec6495c42bff3269a104b8723f494b9c1a77d
SHA256: 8431ccdf9366e13af6bd08d35cc5e54b1a66b2a433fb808951278781058d68a4
SHA512: 031c00a24a7893c8111727e416ef34a2ff5d3a2b4c7600d3bf49784720c6eb4dfbbb110823e6c156a2faf2589c797f91d6348729ed27eb1f1edf26b16f128cf5