trigona | 8faf6974c82fc495a2343a579a478c8e18dc6a60b1516ee107c88e18f8cde241

General

Target

2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
Size

1.7MB
MD5

10403f08a869a83d5c8d81162b711453
SHA1

e3b54c2de169474f7d9f2adc89ab63fcdde8e7f3
SHA256

8faf6974c82fc495a2343a579a478c8e18dc6a60b1516ee107c88e18f8cde241
SHA512

05547bb0125e199f030403a158f10197d0ff882cc518534137313fa5d4a1e7c7b5886956d495e890e56e423986a9957ac434d5378bb2b05418b40a5a00b00d1e
SSDEEP

24576:uGA0AhSVzjJqVR/xmx0AsQ5r2jOGJTS8KmlI+u+68+DrAmh:xAhuzc3DXJTS8KmVzeDr

Score

10^/10

trigona persistence ransomware spyware stealer

Malware Config

Signatures

Detects Trigona ransomware 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2276-0-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2276-1-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2276-3-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2276-1606-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2276-2221-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2276-2243-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2276-2267-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2276-2955-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2276-11046-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2276-13100-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2276-13101-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2276-13530-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2276-17045-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2276-28548-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona

Trigona
A ransomware first seen at the beginning of the 2022.
ransomware trigona
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\0089F85BDAD03A26AFE2DD682266A6EC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe"	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe

Drops desktop.ini file(s) 14 IoCs

Processes:

2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\desktop.ini	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\desktop.ini	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Hearts\desktop.ini	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Solitaire\desktop.ini	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\FreeCell\desktop.ini	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Mahjong\desktop.ini	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Purble Place\desktop.ini	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Chess\desktop.ini	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe

description	ioc	process
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guam	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\System\msadc\msdaremr.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\jsprofilerui.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClient.resources.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Conversion.v3.5.resources.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\ENGDIC.DAT	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\jsdebuggeride.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Martinique	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\CONVERT\RM.DLL	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File created	\??\c:\Program Files\VideoLAN\VLC\lua\http\js\how_to_decrypt.hta	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18253_.WMF	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\demux\libwav_plugin.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\platform.ini	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_m.png	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions_Generic.css	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.Infopath.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7ES.LEX	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\services_discovery\libpodcast_plugin.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_ja.jar	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.msi	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File created	\??\c:\Program Files\Windows Media Player\es-ES\how_to_decrypt.hta	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_ja.jar	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\fonts\LucidaBrightItalic.ttf	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Minesweeper\es-ES\Minesweeper.exe.mui	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\VideoLAN Website.url	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\Network Sharing\MediaReceiverRegistrar.xml	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\tesselate.x3d	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File created	\??\c:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\how_to_decrypt.hta	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_windy.png	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\weather.html	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01168_.WMF	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\VC\how_to_decrypt.hta	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Mahjong\it-IT\Mahjong.exe.mui	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\skins\skin.catalog	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232171.WMF	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File created	\??\c:\Program Files\Microsoft Games\Purble Place\es-ES\how_to_decrypt.hta	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\TAB_ON.GIF	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieLetter.dotx	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\ChkrRes.dll.mui	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02068_.WMF	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21505_.GIF	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR35F.GIF	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\SLERROR.XML	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\how_to_decrypt.hta	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\REFINED.ELM	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106572.WMF	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Defender\MsMpLics.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\how_to_decrypt.hta	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\it.pak	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\helpmap.txt	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini

Filesize
2KB

MD5
d6559c7854ef5fa2f0016784d8fa6d7c

SHA1
f0c2b51972342e00596caf366e06592fc74d0406

SHA256
a6ba007203e9943472cbe05691c53e5b9ad61a901a4526d9da9dd531a13e8168

SHA512
bda4f08bb3be0fbabb233e40d0a466f08c4a9fac2557a93144cd8cb0cefa109e0b7e68edb9ca4b464a6cd92843a20f1597afbe19085e67f6841dc1a4e7ea934e

Download Submit
C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\how_to_decrypt.hta

Filesize
12KB

MD5
4d3d51ea4640c6f09e56154ff623a7ee

SHA1
153c20d7f509c014a567b1c10c7a4151e090680c

SHA256
48ae2e6d1b0fb72e264e78f226464f4d063f0b71389e440795c4395977375ab0

SHA512
d13916fdf64552a2b65373adb937eacf1a80ca013a4ad7fdfb7cbe5c43298b25a2b07f3fbbf98d331a3a7ac7ea1cd4c28d3b9cfd1724f200d4158b7c6a6e1514

Download Submit
memory/2276-2267-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2276-2955-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2276-1606-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2276-2221-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2276-2243-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2276-1-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2276-0-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2276-3-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2276-11046-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2276-13100-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2276-13101-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2276-13530-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2276-17045-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2276-28548-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads