trigona | 8faf6974c82fc495a2343a579a478c8e18dc6a60b1516ee107c88e18f8cde241

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
Size

1.7MB
MD5

10403f08a869a83d5c8d81162b711453
SHA1

e3b54c2de169474f7d9f2adc89ab63fcdde8e7f3
SHA256

8faf6974c82fc495a2343a579a478c8e18dc6a60b1516ee107c88e18f8cde241
SHA512

05547bb0125e199f030403a158f10197d0ff882cc518534137313fa5d4a1e7c7b5886956d495e890e56e423986a9957ac434d5378bb2b05418b40a5a00b00d1e
SSDEEP

24576:uGA0AhSVzjJqVR/xmx0AsQ5r2jOGJTS8KmlI+u+68+DrAmh:xAhuzc3DXJTS8KmVzeDr

Score

10^/10

trigona discovery persistence ransomware spyware stealer

Malware Config

Signatures

Detects Trigona ransomware 14 IoCs

resource	yara_rule
behavioral2/memory/916-0-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral2/memory/916-1-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral2/memory/916-2-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral2/memory/916-8-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral2/memory/916-910-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral2/memory/916-4095-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral2/memory/916-4467-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral2/memory/916-4501-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral2/memory/916-5148-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral2/memory/916-11179-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral2/memory/916-19403-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral2/memory/916-24372-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral2/memory/916-24373-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral2/memory/916-24374-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona

Trigona
A ransomware first seen at the beginning of the 2022.
ransomware trigona

Drops startup file 1 IoCs

description	ioc	Process
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_to_decrypt.hta	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4A000F8AC01236BE24BE208CA5D60C98 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe"	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\desktop.ini	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	\??\c:\Program Files\Mozilla Firefox\browser\features\how_to_decrypt.hta	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-200.png	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-pl.xrm-ms	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-400.png	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsimple_channel_mixer_plugin.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\de-DE\how_to_decrypt.hta	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\how_to_decrypt.hta	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore_amd64_amd64_7.0.1624.6629.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Entity.Resources.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\ReachFramework.resources.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-pl.xrm-ms	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\video_filter\libbluescreen_plugin.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\README.txt	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kn-IN\View3d\3DViewerProductDescription-universal.xml	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File created	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\how_to_decrypt.hta	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\css\how_to_decrypt.hta	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\how_to_decrypt.hta	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-16_contrast-white.png	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\MilitaryLeft.png	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipRes.dll.mui	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBOB6.CHM	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\how_to_decrypt.hta	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-timezone-l1-1-0.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\PREVIEW.GIF	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\how_to_decrypt.hta	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul.xrm-ms	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Templates\1033\LoanAmortization.xltx	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXT	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File created	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\how_to_decrypt.hta	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\de-DE\InputPersonalization.exe.mui	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-125.png	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\de-DE\wmpnetwk.exe.mui	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\how_to_decrypt.hta	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ppd.xrm-ms	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\tmcachemgr_xl.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\stream_filter\libprefetch_plugin.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerBackgroundTasks.winmd	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-processthreads-l1-1-1.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_udp_plugin.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ONBttnOL.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File created	\??\c:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\how_to_decrypt.hta	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Input.Manipulations.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ja-JP\View3d\how_to_decrypt.hta	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\THMBNAIL.PNG	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Wide310x150Logo.scale-400.png	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-MX\View3d\3DViewerProductDescription-universal.xml	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fi-fi\how_to_decrypt.hta	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\kab.txt	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Native.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File created	\??\c:\Program Files\VideoLAN\VLC\plugins\text_renderer\how_to_decrypt.hta	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\es-es\how_to_decrypt.hta	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Thread.dll	2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-15_10403f08a869a83d5c8d81162b711453_trigona.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini

Filesize
2KB

MD5
2eb5137854366008cba7ba6ee7cca75a

SHA1
2e2dbd52bfedf8ec84fde1f4fe0e20c6c4d4e44e

SHA256
6277a16e9d6fc1f194f7914b2f282b8529480ce4344b6cc9d4bd7c308092cdf7

SHA512
d43a0768de9ccc83b421933e1a4a553b4f2c7a0953aee551d37a9bcc35d8ac81beaf9e6450a4bb0b77d29be983c56a6927ed6f0f525eb55bbe8e7a0a81946b6c

Download Submit
C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\how_to_decrypt.hta

Filesize
12KB

MD5
74dcdbda6afe6544c2040dba421134a9

SHA1
5c05bea60f33c6be2f747d4a4f8e320a8e183e5f

SHA256
6b89e5de13d8f40f7f0d3732add21eb4f92bf7f97aba3575c8b3e454a333f2fd

SHA512
1f69fdbb239b2dbbc07abcd465411d4a48112840384fecc65dcd17c6b8c63b9eeee8bf46c81999927ad8031c949154ab374a2318eebe71deff812a73b5f0e764

Download Submit
memory/916-4501-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/916-1-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/916-2-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/916-910-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/916-4095-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/916-4467-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/916-0-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/916-8-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/916-5148-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/916-11179-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/916-19403-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/916-24372-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/916-24373-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/916-24374-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads