Analysis
max time kernel: 152s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-02-2024 11:18
Behavioral task behavioral1
Sample: sample.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: sample.exe
Resource: win10v2004-20240226-en
General
Target: sample.exe
Size: 1.1MB
MD5: cd215489a03871eaac431180546f162e
SHA1: acb517dc5ec2376176cc3116bebfdf71d314663b
SHA256: 761b78ddab55b4e561607ce5ce9d424a7aec4f1994aad988f0612b096cdd1d6d
SHA512: 124821f7d1860a513bc3c51a8f11bc0134877930f5bc46c4675a7d407b8523ae5c4cb596cf6c72ace9dd50245910c71eda216b1169a53e458e8e8bd378059892
SSDEEP: 12288:HRYqX7pdDWExBDmkYhiPJSA0IqOO2vBwRns2MqnuY/gtTy7FXu9:xY6frxBDmkY+Jr0Iql2v4sx+uxtTyp+9
Malware Config
Signatures
-
Detects Trigona ransomware (14 IoCs)
Process: PID 3448 (sample.exe)
All 14 hits are the same 0x400000-0x526000 region (the default PE image base, i.e. the sample's own image mapping) captured at successive dump points, not a newly allocated or injected region.
resource  yara_rule
behavioral2/memory/3448-0-0x0000000000400000-0x0000000000526000-memory.dmp  family_trigona
behavioral2/memory/3448-1-0x0000000000400000-0x0000000000526000-memory.dmp  family_trigona
behavioral2/memory/3448-2-0x0000000000400000-0x0000000000526000-memory.dmp  family_trigona
behavioral2/memory/3448-3-0x0000000000400000-0x0000000000526000-memory.dmp  family_trigona
behavioral2/memory/3448-4-0x0000000000400000-0x0000000000526000-memory.dmp  family_trigona
behavioral2/memory/3448-6-0x0000000000400000-0x0000000000526000-memory.dmp  family_trigona
behavioral2/memory/3448-8-0x0000000000400000-0x0000000000526000-memory.dmp  family_trigona
behavioral2/memory/3448-9-0x0000000000400000-0x0000000000526000-memory.dmp  family_trigona
behavioral2/memory/3448-16-0x0000000000400000-0x0000000000526000-memory.dmp  family_trigona
behavioral2/memory/3448-17-0x0000000000400000-0x0000000000526000-memory.dmp  family_trigona
behavioral2/memory/3448-677-0x0000000000400000-0x0000000000526000-memory.dmp  family_trigona
behavioral2/memory/3448-1137-0x0000000000400000-0x0000000000526000-memory.dmp  family_trigona
behavioral2/memory/3448-1784-0x0000000000400000-0x0000000000526000-memory.dmp  family_trigona
behavioral2/memory/3448-3390-0x0000000000400000-0x0000000000526000-memory.dmp  family_trigona
Trigona
A ransomware family first seen at the beginning of 2022.
Adds Run key to start application (2 TTPs, 1 IoC)
Process: sample.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0D71639DFEFF94DC69679455E82B4A70 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe"
The value is written under the current user's SID hive (HKCU\...\CurrentVersion\Run), uses a 32-hex-character value name, and points back at the sample's own path in %TEMP%, so the sample is re-launched at the next logon of that user.
Drops desktop.ini file(s) (3 IoCs)
Process: sample.exe
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini
File opened for modification \??\c:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini
File opened for modification \??\c:\Program Files\desktop.ini
Drops file in Program Files directory (64 IoCs: 8 how_to_decrypt.hta ransom notes created, 56 existing files opened for modification)
Process: sample.exe
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\vcruntime140_cor3.dll
File created \??\c:\Program Files\7-Zip\Lang\how_to_decrypt.hta
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-synch-l1-2-0.dll
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Text.Encoding.CodePages.dll
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\WindowsBase.resources.dll
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\System.Windows.Forms.resources.dll
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\Microsoft.VisualBasic.Forms.resources.dll
File created \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\how_to_decrypt.hta
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\coreclr.dll
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\System.Xaml.resources.dll
File opened for modification \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\id.pak
File created \??\c:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\how_to_decrypt.hta
File opened for modification \??\c:\Program Files\ExpandInstall.wps
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Collections.Specialized.dll
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Runtime.dll
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\es\ReachFramework.resources.dll
File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-namedpipe-l1-1-0.dll
File opened for modification \??\c:\Program Files\Common Files\System\Ole DB\msdasql.dll
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.InteropServices.RuntimeInformation.dll
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.DirectoryServices.dll
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\UIAutomationTypes.resources.dll
File opened for modification \??\c:\Program Files\Java\jdk-1.8\include\jvmticmlr.h
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-crt-multibyte-l1-1-0.dll
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationNative_cor3.dll
File opened for modification \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sk.pak
File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\deploy.dll
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\PresentationUI.resources.dll
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui
File opened for modification \??\c:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\Microsoft.Win32.Registry.dll
File created \??\c:\Program Files\Internet Explorer\en-US\how_to_decrypt.hta
File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll
File opened for modification \??\c:\Program Files\Common Files\System\wab32.dll
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Threading.Tasks.Extensions.dll
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\System.Windows.Forms.Primitives.resources.dll
File created \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\how_to_decrypt.hta
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework.Aero.dll
File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\glass.dll
File opened for modification \??\c:\Program Files\7-Zip\Lang\mr.txt
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Linq.Parallel.dll
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\System.Xaml.resources.dll
File opened for modification \??\c:\Program Files\Common Files\System\Ole DB\oledb32.dll
File created \??\c:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\how_to_decrypt.hta
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.ServiceModel.Web.dll
File opened for modification \??\c:\Program Files\Java\jdk-1.8\include\jvmti.h
File created \??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\how_to_decrypt.hta
File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\javafx_iio.dll
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\PresentationFramework.resources.dll
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-namedpipe-l1-1-0.dll
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\System.Windows.Input.Manipulations.resources.dll
File created \??\c:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\how_to_decrypt.hta
File opened for modification \??\c:\Program Files\7-Zip\Lang\en.ttt
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml
File opened for modification \??\c:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.Serialization.Xml.dll
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll
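The signature blocks above arrive as flattened "resource yara_rule", "Set value (str) ...", and "File created/opened for modification ..." lines. The script below is an added example, not part of this sandbox report and not the sandbox's own tooling: it parses a constructed excerpt of those exact lines into a hunt list (the Run-key value, the ransom-note file name and its drop locations, the YARA-tagged memory region, and a per-directory count of modified files). The regexes, the classification rules and the RANSOM_NOTE_NAMES set are assumptions made for illustration; the IoC strings themselves are copied from the report.

```python
"""Hunt-list extraction from flattened Triage-style signature lines.

Added example; not part of the sandbox report. REPORT_LINES is a
constructed excerpt copied from the report; the regexes, the
classification rules and RANSOM_NOTE_NAMES are assumptions.
"""
import re
from collections import Counter, defaultdict

# Ransom-note file name as it appears in the "Drops file in Program Files" IoCs (assumption: fixed name).
RANSOM_NOTE_NAMES = {"how_to_decrypt.hta"}

# Constructed excerpt of the report's IoC lines. Raw string, so backslashes are exactly as
# printed in the report, including the doubled backslashes inside the registry value data.
REPORT_LINES = r"""
behavioral2/memory/3448-0-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona
behavioral2/memory/3448-3390-0x0000000000400000-0x0000000000526000-memory.dmp family_trigona
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0D71639DFEFF94DC69679455E82B4A70 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe" sample.exe
File opened for modification \??\c:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini sample.exe
File created \??\c:\Program Files\7-Zip\Lang\how_to_decrypt.hta sample.exe
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\coreclr.dll sample.exe
File created \??\c:\Program Files\Internet Explorer\en-US\how_to_decrypt.hta sample.exe
File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\deploy.dll sample.exe
"""

# <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <yara rule>
MEM_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)
# Set value (<type>) <key>\<value name> = "<data>" <process>; greedy key backtracks to the last '\' before ' = '
REG_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\ ]+)'
    r' = "(?P<data>.*)" (?P<proc>\S+)$'
)
# File <created|opened for modification> <path, may contain spaces> <process>
FILE_RE = re.compile(r"^File (?P<op>created|opened for modification) (?P<path>.+?) (?P<proc>\S+)$")


def nt_to_win(path: str) -> str:
    """Strip the NT object-manager prefix (\\??\\) and upper-case the drive letter."""
    if path.startswith("\\??\\"):
        path = path[4:]
    if len(path) > 1 and path[1] == ":":
        path = path[0].upper() + path[1:]
    return path


def parse_report(text: str) -> dict:
    """Classify each IoC line; lines matching no pattern are kept in 'unparsed' rather than dropped."""
    summary = {
        "memory": defaultdict(Counter),  # "pid:start-end" -> Counter(rule -> number of dumps hit)
        "persistence": [],               # Run-key writes
        "ransom_notes": [],              # created note files
        "desktop_ini": [],               # desktop.ini touched (recycle bin, Program Files)
        "modified_by_dir": Counter(),    # other modified files, bucketed by top-level directory
        "unparsed": [],
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := MEM_RE.match(line)):
            region = f"{m['pid']}:0x{m['start']}-0x{m['end']}"
            summary["memory"][region][m["rule"]] += 1
        elif (m := REG_RE.match(line)):
            if m["key"].lower().endswith("\\currentversion\\run"):
                summary["persistence"].append({
                    "key": m["key"], "name": m["name"],
                    "data": m["data"].replace("\\\\", "\\"), "process": m["proc"],
                })
        elif (m := FILE_RE.match(line)):
            path = nt_to_win(m["path"])
            base = path.rsplit("\\", 1)[-1].lower()
            if m["op"] == "created" and base in RANSOM_NOTE_NAMES:
                summary["ransom_notes"].append(path)
            elif base == "desktop.ini":
                summary["desktop_ini"].append(path)
            elif m["op"] == "opened for modification":
                summary["modified_by_dir"]["\\".join(path.split("\\")[:2])] += 1
        else:
            summary["unparsed"].append(line)
    return summary


def hunt_items(summary: dict) -> list:
    """Turn the summary into (kind, indicator, context) tuples a hunt team can act on."""
    items = []
    for p in summary["persistence"]:
        items.append(("registry", f"{p['key']}\\{p['name']}", p["data"]))
    for name in sorted({n.rsplit("\\", 1)[-1] for n in summary["ransom_notes"]}):
        items.append(("file_name", name, f"{len(summary['ransom_notes'])} drop location(s) seen"))
    for region, rules in summary["memory"].items():
        for rule, hits in rules.items():
            items.append(("memory_yara", rule, f"{region} in {hits} dump(s)"))
    return items


if __name__ == "__main__":
    s = parse_report(REPORT_LINES)
    for item in hunt_items(s):
        print(item)
    print("modified files by directory:", dict(s["modified_by_dir"]))
```

The registry data is unescaped from the report's doubled backslashes before it is emitted, so the hunt item carries the real on-disk path, and the `unparsed` bucket is asserted empty in practice so a silently unmatched line format does not lose an indicator.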
Processes
C:\Users\Admin\AppData\Local\Temp\sample.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
PID: 3448
Signatures: Adds Run key to start application; Drops desktop.ini file(s); Drops file in Program Files directory

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4456 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
PID: 2168
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: d3dc4b0e08c11b135fc4b7e28b513178
SHA1: 2863657c6589dfb6490310aef9781a402ac6ae9e
SHA256: ec13270cd3746e4ed72707c1574e6d04d3e783ac3b4791fd4bc81747f9c4dd8f
SHA512: f0597233bf4c9ae6eddbfe4b97442a61d2b5cd682754fdaeeb90f2b5d645cae71ee521dbaabbcd165bab711ec9356a53cffd9a85a45ab8561382c024a237a90d

Filesize: 11KB
MD5: 98aedd2a9268be83c314181867ddb8ec
SHA1: 09d82cbbd0686dc6bf3536175b9ce43107aee649
SHA256: b1a07cb10b20beb495886dc046e8a039ff715c23bec0e2e9efab29549eef6f6e
SHA512: 3339b328fd66476888d41a057d9476371a8516997c54b87517d237afb45d2355f3010f2137e992f2734de1f790d571fba564ea7c7635cdbcf312df62330a4994