Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
- submitted: 28-02-2024 11:18
Behavioral task behavioral1
- Sample: sample.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: sample.exe
- Resource: win10v2004-20240226-en
General
- Target: sample.exe
- Size: 1.1MB
- MD5: 530967fb3b7d9427552e4ac181a37b9a
- SHA1: 41bcf469661ab9609a0d181953c2f8ffb75bb483
- SHA256: fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b
- SHA512: b81a447a994839a6858bab10eaa2c26aabaf3f73e7ffd2c70d27dfde5f11b35f5d153362277c046d47bcf9dc2d2b7c92d5805e89e633f9326306071abb213afa
- SSDEEP: 24576:15swNmjEoujhn3wVPWJFwEQWV+u7h62TL:HouNVOEbcah6qL
Malware Config
Signatures
- Detects Trigona ransomware (12 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/464-0-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
  behavioral2/memory/464-1-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
  behavioral2/memory/464-2-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
  behavioral2/memory/464-4-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
  behavioral2/memory/464-9-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
  behavioral2/memory/464-543-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
  behavioral2/memory/464-2582-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
  behavioral2/memory/464-4055-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
  behavioral2/memory/464-5143-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
  behavioral2/memory/464-5189-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
  behavioral2/memory/464-7176-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
  behavioral2/memory/464-10522-0x0000000000400000-0x0000000000526000-memory.dmp | family_trigona
- Trigona
  A ransomware family first seen at the beginning of 2022.
- Drops startup file (1 IoC)
  Processes:
  description | ioc | process
  File created | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_to_decrypt.hta | sample.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\96642E2AD31CB8C5584F6128CBAAD5B8 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe" | sample.exe
- Drops desktop.ini file(s) (3 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini | sample.exe
  File opened for modification | \??\c:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini | sample.exe
  File opened for modification | \??\c:\Program Files\desktop.ini | sample.exe
- Drops file in Program Files directory (64 IoCs)
  Processes:
Processes
- C:\Users\Admin\AppData\Local\Temp\sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  PID: 464
  Signatures:
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
  PID: 4028
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 8749c9755701834903720a797307591c
  SHA1: 4ccbe384ae5d231fddfe43023a5f52d82ec3a85e
  SHA256: e7acd29e446fc07a0db36cd7abbb236c4ef6c7b1da0e5d28db5a9942fc21f422
  SHA512: 862ecf6237b8e8251e2846056886538050e14784dff01ce44c7c76366499e5dd41a1fb8b6ad1b0bd070c46ae1d4e465b018dc180d419a94960535ff2466e0a0f
- Filesize: 11KB
  MD5: 23ad3ece121ef7256b35bd457401c03b
  SHA1: c092975e65434f8e599182375888ad1847443cca
  SHA256: cbd25c85e78554e7bc001414d8f857bf7d502cea680b3e53694cdea0797f99ae
  SHA512: 49be48c9f1d9afb38bb6bb9fd08b0f6de3f29c9e525a30ba0c2a1e2c7ac309fe1202a39ab995c69b4c52973e0b836e8f18f67daaa32a166b08190af3e3e9191e