Analysis
max time kernel: 150s
max time network: 146s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12-02-2025 06:11
Behavioral task: behavioral1
Sample: d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
Resource: win10v2004-20250211-en
General
Target: d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
Size: 1.1MB
MD5: 1852be15aa8dcf664291b3849bd348e4
SHA1: eea811d2a304101cc0b0edebe6590ea0f3da0a27
SHA256: d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a
SHA512: 91ca1d44fa98a43dbc53541cecb8ca656df01d6dc57783f12c70df49347520e150796834731b56107976b5b9dc915006d18caf39ac6792187d605542452bd4eb
SSDEEP: 24576:hY6frxBDmkY+Jr0Iql2v4sx+uxtTyJuqe:bKuTvBwSdCud
Malware Config
Signatures
Detects Trigona ransomware 12 IoCs
Trigona
A ransomware family first seen at the beginning of 2022.
Trigona family
Adds Run key to start application 2 TTPs 1 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\7779BCF2E748D38F9385F6DC14F3020F = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe" (process: d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe)
Drops desktop.ini file(s) 14 IoCs
Drops file in Program Files directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
"C:\Users\Admin\AppData\Local\Temp\d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe"
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID: 2516
Network
MITRE ATT&CK Enterprise v15
Downloads