trigona | df9ef29e8789a798981a783fafbb85395a84e8733929b2c2290bcde263c2f3f8

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2025, 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
Size

1.7MB
MD5

9bce9dae679419198574f4c9837085db
SHA1

62a24f1ee057e936f3bf01749ecd7e3675d0f10d
SHA256

df9ef29e8789a798981a783fafbb85395a84e8733929b2c2290bcde263c2f3f8
SHA512

9647610d36379a789ab45e21b1997eeff560058cf55374b0a404be9474becca566ec0dd97cbb49b8d54da811bb5fe1e4d2e3e6de9b8fd57825181d611019f467
SSDEEP

24576:6G5C8hr/Vz9ih9i38xVEL/QQPL6BH8kQqNgQ+uH6FqgtMok4+iL:I8hJz8eDsH8kQqNs86F1yU

Score

10^/10

trigona discovery persistence ransomware spyware stealer

Malware Config

Signatures

Detects Trigona ransomware 14 IoCs

resource	yara_rule
behavioral2/memory/2384-0-0x0000000000400000-0x00000000005D1000-memory.dmp	family_trigona
behavioral2/memory/2384-1-0x0000000000400000-0x00000000005D1000-memory.dmp	family_trigona
behavioral2/memory/2384-2-0x0000000000400000-0x00000000005D1000-memory.dmp	family_trigona
behavioral2/memory/2384-3-0x0000000000400000-0x00000000005D1000-memory.dmp	family_trigona
behavioral2/memory/2384-5-0x0000000000400000-0x00000000005D1000-memory.dmp	family_trigona
behavioral2/memory/2384-7-0x0000000000400000-0x00000000005D1000-memory.dmp	family_trigona
behavioral2/memory/2384-12-0x0000000000400000-0x00000000005D1000-memory.dmp	family_trigona
behavioral2/memory/2384-2864-0x0000000000400000-0x00000000005D1000-memory.dmp	family_trigona
behavioral2/memory/2384-4398-0x0000000000400000-0x00000000005D1000-memory.dmp	family_trigona
behavioral2/memory/2384-5071-0x0000000000400000-0x00000000005D1000-memory.dmp	family_trigona
behavioral2/memory/2384-9645-0x0000000000400000-0x00000000005D1000-memory.dmp	family_trigona
behavioral2/memory/2384-15677-0x0000000000400000-0x00000000005D1000-memory.dmp	family_trigona
behavioral2/memory/2384-20345-0x0000000000400000-0x00000000005D1000-memory.dmp	family_trigona
behavioral2/memory/2384-23909-0x0000000000400000-0x00000000005D1000-memory.dmp	family_trigona

Trigona
A ransomware first seen at the beginning of the 2022.
ransomware trigona
Trigona family
trigona

Downloads MZ/PE file 1 IoCs

flow	pid	Process
1321	5204	Process not Found

Executes dropped EXE 2 IoCs

pid	Process
10992	setup.exe
9724	setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E76F7072ABC9609091C9D472B9DC014C = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe"	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\desktop.ini	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2508704002-2325818048-3575902788-1000\desktop.ini	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-2508704002-2325818048-3575902788-1000\desktop.ini	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\hwrdeulm.dat	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\management\snmp.acl.template	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ja-jp\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\WPFEXTENSIONS.DLL	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\PPCORE.DLL	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files\VideoLAN\VLC\plugins\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrjit.dll	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\root\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\eu.txt	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\demux\libdirectory_demux_plugin.dll	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-oob.xrm-ms	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul.xrm-ms	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\vlc.mo	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-125_contrast-black.png	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoEditor.Common\Resources\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.dll	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\access\librtp_plugin.dll	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\uk-UA\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\ext\sunec.jar	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\jp2ssv.dll	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.RunTime.Serialization.Resources.dll	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\Common AppData\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\ug\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\uk-ua\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\misc\libaddonsfsstorage_plugin.dll	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\el.txt	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul-oob.xrm-ms	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vreg\proof.fr-fr.msi.16.fr-fr.vreg.dat	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files\Common Files\System\Ole DB\en-US\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Printing.resources.dll	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-private-l1-1-0.dll	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\how_to_decrypt.hta	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Linq.Resources.dll	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\ext\access-bridge-64.jar	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
File opened for modification	\??\c:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3796	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	10992	setup.exe
Token: SeIncBasePriorityPrivilege	10992	setup.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 10988 wrote to memory of 10992	10988	MicrosoftEdge_X64_133.0.3065.59.exe	111
PID 10988 wrote to memory of 10992	10988	MicrosoftEdge_X64_133.0.3065.59.exe	111
PID 10992 wrote to memory of 9724	10992	setup.exe	112
PID 10992 wrote to memory of 9724	10992	setup.exe	112

C:\Users\Admin\AppData\Local\Temp\2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-12_9bce9dae679419198574f4c9837085db_trigona.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2384

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MkQ0NzY2RDQtOTY5OS00OEQxLTlBNEUtQ0MzQTQ1Qzg3NkU1fSIgdXNlcmlkPSJ7MDI1MEZDRUItM0QzMy00RDk0LUE2RjQtRDhEQzk5M0IxQTQyfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RjQ2MENDRDctMTkxRi00NzMwLUI5MUYtQkJCQUYyRkI2MTEzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzMyNTk5MTE5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3796

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{57D08155-833C-46C1-A3AF-224108FE40AF}\MicrosoftEdge_X64_133.0.3065.59.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{57D08155-833C-46C1-A3AF-224108FE40AF}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
1⤵
- Suspicious use of WriteProcessMemory
PID:10988
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{57D08155-833C-46C1-A3AF-224108FE40AF}\EDGEMITMP_401A1.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{57D08155-833C-46C1-A3AF-224108FE40AF}\EDGEMITMP_401A1.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{57D08155-833C-46C1-A3AF-224108FE40AF}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:10992
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{57D08155-833C-46C1-A3AF-224108FE40AF}\EDGEMITMP_401A1.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{57D08155-833C-46C1-A3AF-224108FE40AF}\EDGEMITMP_401A1.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{57D08155-833C-46C1-A3AF-224108FE40AF}\EDGEMITMP_401A1.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff664b56a68,0x7ff664b56a74,0x7ff664b56a80
    3⤵
    - Executes dropped EXE
    PID:9724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2508704002-2325818048-3575902788-1000\desktop.ini

Filesize
2KB

MD5
84c65fb28b26985a9dbf968d92ccd084

SHA1
2e302bc3059ab0c16e8c349debf4cd4e7a406e68

SHA256
098901ac64a1cdd9ef66dda4af9726c9693aa2f56fcef6eef76903bda7b288b2

SHA512
734af7143ba552d9e9fbc8230552f0b023bb29f22f353b58f6b9ab889b1e179e717fe772f02ae1eced105d49e19caf4ec27479c0b0d9acb3f06054c013daa049

Download Submit
C:\$Recycle.Bin\S-1-5-21-2508704002-2325818048-3575902788-1000\how_to_decrypt.hta

Filesize
12KB

MD5
98a50855525cef9b0d3ff2ebf9cb5590

SHA1
09c1ca4e344598fbfc67b671faeb4273d9a921ce

SHA256
25f8269b4a67ab3486e3c8ea122327ea53d8fddbe094fdafc8c78ab834c73491

SHA512
0df9d0956417d4921151a53f4f4665d680aef7f116d7e95610f88f5e527646ec7237e3d668bdfea1cae95e1f806466f9f35245a64d9c77fb0abee1519af61973

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{57D08155-833C-46C1-A3AF-224108FE40AF}\EDGEMITMP_401A1.tmp\setup.exe

Filesize
6.8MB

MD5
1b3e9c59f9c7a134ec630ada1eb76a39

SHA1
a7e831d392e99f3d37847dcc561dd2e017065439

SHA256
ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae

SHA512
c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

Download Submit
C:\Program Files\MsEdgeCrashpad\settings.dat

Filesize
280B

MD5
d29bb4a0b96e3d051598b214ccf2ee7a

SHA1
adf21ff509353ae8b2798106ed1ac7042280ead6

SHA256
7d4373da904c90df389625ed04a76bea62fc25ceed361bc2f57a9bfafe53f85a

SHA512
5a145cba8380992273a3f754e4bf39b81c8fd2e3e501436712e3ae4d657816f3934489b0c652f63974bcf6093da4ff50a050e1e4f5ee1a7f2cca1b6a3eeabdee

Download Submit
C:\Program Files\MsEdgeCrashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
memory/2384-2864-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2384-9645-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2384-7-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2384-0-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2384-5-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2384-4398-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2384-5071-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2384-12-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2384-15677-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2384-20345-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2384-23909-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2384-3-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2384-2-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2384-1-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads