trigona | d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2025, 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
Size

1.1MB
MD5

1852be15aa8dcf664291b3849bd348e4
SHA1

eea811d2a304101cc0b0edebe6590ea0f3da0a27
SHA256

d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a
SHA512

91ca1d44fa98a43dbc53541cecb8ca656df01d6dc57783f12c70df49347520e150796834731b56107976b5b9dc915006d18caf39ac6792187d605542452bd4eb
SSDEEP

24576:hY6frxBDmkY+Jr0Iql2v4sx+uxtTyJuqe:bKuTvBwSdCud

Score

10^/10

trigona discovery persistence ransomware

Malware Config

Signatures

Detects Trigona ransomware 13 IoCs

resource	yara_rule
behavioral2/memory/1100-0-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1100-1-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1100-2-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1100-4-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1100-6-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1100-14-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1100-678-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1100-5434-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1100-14088-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1100-20394-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1100-20701-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1100-20702-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral2/memory/1100-20703-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona

Trigona
A ransomware first seen at the beginning of the 2022.
ransomware trigona
Trigona family
trigona

Downloads MZ/PE file 1 IoCs

flow	pid	Process
1250	716	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6DC9ED542C0E7BFC67719508CF109689 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe"	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\desktop.ini	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3296967594-3563063956-581523229-1000\desktop.ini	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-3296967594-3563063956-581523229-1000\desktop.ini	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql120.xsl	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\WindowsBase.resources.dll	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\resource.dll	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ul-oob.xrm-ms	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-oob.xrm-ms	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\how_to_decrypt.hta	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-stdio-l1-1-0.dll	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\150.png	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-60.png	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\servertool.exe	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\browser\features\[email protected]	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsMedTile.scale-125.png	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File created	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\how_to_decrypt.hta	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\sl.txt	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File created	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\how_to_decrypt.hta	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\lib\management\jmxremote.access	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ul-oob.xrm-ms	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ppd.xrm-ms	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-ms	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ppd.xrm-ms	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\MSOSVG.DLL	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.Interop.Excel.dll	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\PREVIEW.GIF	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\AppxSignature.p7x	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\Library\Analysis\FUNCRES.XLAM	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\how_to_decrypt.hta	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\spu\liblogo_plugin.dll	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerMedTile.contrast-white_scale-125.png	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\mraut.dll	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.dll	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Controls.Ribbon.resources.dll	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File created	\??\c:\Program Files\Java\jdk-1.8\include\how_to_decrypt.hta	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\PREVIEW.GIF	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-white_scale-125.png	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\StoreLogo.scale-125.png	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-72_altform-unplated_contrast-black.png	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.dll	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-80.png	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\PPCORE.DLL	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\access\libsmb_plugin.dll	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Square150x150Logo.scale-125.png	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\ReachFramework.resources.dll	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClient.resources.dll	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ul-oob.xrm-ms	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\AUTHORS.txt	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File created	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\how_to_decrypt.hta	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File created	\??\c:\Program Files\7-Zip\how_to_decrypt.hta	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Formatters.dll	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp10.scale-125.png	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.scale-100_contrast-white.png	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-ms	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-pl.xrm-ms	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\how_to_decrypt.hta	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalStoreLogo.scale-125_contrast-black.png	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1232	MicrosoftEdgeUpdate.exe

C:\Users\Admin\AppData\Local\Temp\d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
"C:\Users\Admin\AppData\Local\Temp\d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1100

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NEVBM0JDNEUtQjFBMS00QTI0LTgzMDgtQ0Y5NjFEMUI0QjhGfSIgdXNlcmlkPSJ7MUM4MzM0NzEtNUEyQy00QTkwLTlBRUEtMDk0OTdDQ0M1NERCfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MzExNkM3MDgtQTMzMS00NzY2LTgzOTEtNUVGNEQxQ0RGRkJCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODIxNjkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1MzE4NTEwMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1ODgxNDM4MzUwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3296967594-3563063956-581523229-1000\desktop.ini

Filesize
2KB

MD5
694e0d83a1ba078b776fbf1d875dbdd7

SHA1
3147741b577e9d50571270f8df795bb287477718

SHA256
acd0f1089507725090beb78c0bb2fa89353bd77613adb8071c99dbad991cbd8d

SHA512
16eefe18aaadffc98b7474b08bf9d3e99888252cf741881dd3e0e773d10dd14690b3950cef6f51387dfc3ad679d50cde08a73bc5a043b24c3d2901a89dd94e28

Download Submit
C:\how_to_decrypt.hta

Filesize
11KB

MD5
254d8c0f4d2971694fe1529d81e72b84

SHA1
39f3291290189994efb4cf41cae2818e0ec4665c

SHA256
303d79e586350b6386738cb62d7ce51a850089f5d087d394670c87055b4c94cb

SHA512
b21f808e587279838b9d9a6c65c3613336c1934a09125bf764ab08b47b9d13304ea88e9a82bcc5cccfdcc0002a5896eb78fddc2ee240d23665a1ad76bcf9a31a

Download Submit
memory/1100-4-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1100-0-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1100-6-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1100-14-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1100-2-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1100-1-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1100-678-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1100-5434-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1100-14088-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1100-20394-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1100-20701-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1100-20702-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1100-20703-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads