trigona | 37daa45c67b275cd454dc6f5b45a168d0054bb904ba97e26f27bbe377c2a8c6b

General

Target

sample.exe
Size

1.1MB
MD5

530967fb3b7d9427552e4ac181a37b9a
SHA1

41bcf469661ab9609a0d181953c2f8ffb75bb483
SHA256

fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b
SHA512

b81a447a994839a6858bab10eaa2c26aabaf3f73e7ffd2c70d27dfde5f11b35f5d153362277c046d47bcf9dc2d2b7c92d5805e89e633f9326306071abb213afa
SSDEEP

24576:15swNmjEoujhn3wVPWJFwEQWV+u7h62TL:HouNVOEbcah6qL

Score

10^/10

trigona persistence ransomware spyware stealer

Malware Config

Signatures

Detects Trigona ransomware 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2656-0-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2656-1-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2656-2-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2656-4-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2656-9-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2656-1836-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2656-2233-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2656-2237-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2656-2837-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2656-2922-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2656-6109-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2656-9823-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral1/memory/2656-11412-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona

Trigona
A ransomware first seen at the beginning of the 2022.
ransomware trigona
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sample.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\F37B5BF5721B0E46EC9041A95E163ABF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe"	sample.exe

Drops desktop.ini file(s) 11 IoCs

Processes:

sample.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Microsoft Games\Solitaire\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\FreeCell\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Hearts\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Mahjong\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Purble Place\desktop.ini	sample.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini	sample.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Chess\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

sample.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\video_filter\libscene_plugin.dll	sample.exe
File opened for modification	\??\c:\Program Files\Common Files\System\msadc\adcvbs.inc	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\JdbcOdbc.dll	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Mahjong\desktop.ini	sample.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.resources.dll	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Denver	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml	sample.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\fr-FR\WMPDMC.exe.mui	sample.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Pacific\Kiritimati	sample.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll	sample.exe
File created	\??\c:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Windows Journal\MSPVWCTL.DLL	sample.exe
File opened for modification	\??\c:\Program Files\Common Files\System\msadc\es-ES\msadcfr.dll.mui	sample.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png	sample.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll	sample.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\misc\libaddonsfsstorage_plugin.dll	sample.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\en-US\mpvis.dll.mui	sample.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg	sample.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png	sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Juan	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.properties	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar	sample.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\how_to_decrypt.hta	sample.exe
File created	\??\c:\Program Files (x86)\Common Files\System\ado\de-DE\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll	sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Etc\GMT+12	sample.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Management.Instrumentation.Resources.dll	sample.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\video_filter\libgaussianblur_plugin.dll	sample.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_zh_4.4.0.v20140623020002.jar	sample.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\shvlzm.exe.mui	sample.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css	sample.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\softokn3.dll	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Purble Place\en-US\PurblePlace.exe.mui	sample.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Resources.dll	sample.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\npvlc.dll	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html	sample.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll	sample.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\gstreamer-lite.dll	sample.exe
File created	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.DirectoryServices.AccountManagement.dll	sample.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\es-ES\wmpnscfg.exe.mui	sample.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.zh_CN_5.5.0.165303.jar	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Purble Place\ja-JP\PurblePlace.exe.mui	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Niue	sample.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\services_discovery\libwindrive_plugin.dll	sample.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\ChkrRes.dll.mui	sample.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa	sample.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\lij.txt	sample.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Europe\Istanbul	sample.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\how_to_decrypt.hta	sample.exe
File created	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\how_to_decrypt.hta	sample.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk_1.0.300.v20140407-1803.jar	sample.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini
Filesize
2KB

MD5
964ce811b570dea40b5acb8a9f2338a1

SHA1
317a22a559f5a7aec4f9ca13ed8e8d32fac5dc82

SHA256
fc8bd7dafce27cba65a8de1572d79088699f1867337e34ead2ccb5c88b7483c5

SHA512
dc0e672980b6b919efaab759deff229a2ebbc365f64d2ebc2db95fde61d432c135eee137ec0757ef0e64fb699ba3f082ca52fed13ea0747746f046f58c1968d0

Download Submit
C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\how_to_decrypt.hta
Filesize
11KB

MD5
b71cfc16db89952c061b19accf70713b

SHA1
537fe532bfa829330cd82d437cb8110eae0872dd

SHA256
d288c4716f421aecfe39da644049d2345d01ad4bffb9a130d4bc59abead8d113

SHA512
82a272ffbb01a284275d5b062b693369fb6741be58eead384641a6553318aa1fbdb2aaa5cd02a44e1855f45b8ab379980770421ff3d4ec2abe7300ad0aed1491

Download Submit
memory/2656-4-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2656-0-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2656-9-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2656-2-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2656-1836-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2656-2233-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2656-2237-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2656-1-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2656-2837-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2656-2922-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2656-6109-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2656-9823-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2656-11412-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads