trigona | a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/02/2025, 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
Size

1.7MB
MD5

68635ad9d12f683071611bfd34c1ec34
SHA1

3d59b3053f9f531197a47a6a936240cb81a700d9
SHA256

a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9
SHA512

811764a687edc700883ae31503bedb299702ee6281ae57bc0885f9fd60f80d0f572f545bb060dcd610f904167665ee2a520dbdd77e4f4fd953250b1fcf48cf96
SSDEEP

24576:GGA0AhSVzjJqVR/xmx0AsQ5r2jOGJTS8KmlI+u+68+05vNR:JAhuzc3DXJTS8KmVzecH

Score

10^/10

trigona persistence ransomware spyware stealer

Malware Config

Signatures

Detects Trigona ransomware 14 IoCs

resource	yara_rule
behavioral1/memory/2156-0-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2156-1-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2156-2-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2156-8-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2156-1889-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2156-2252-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2156-2288-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2156-2893-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2156-2975-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2156-13113-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2156-13114-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2156-13115-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2156-15198-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona
behavioral1/memory/2156-27574-0x0000000000400000-0x00000000005CF000-memory.dmp	family_trigona

Trigona
A ransomware first seen at the beginning of the 2022.
ransomware trigona
Trigona family
trigona

Drops startup file 1 IoCs

description	ioc	Process
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_to_decrypt.hta	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\4036CAA32251C4111FBFD02511D866F4 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe"	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe

Drops desktop.ini file(s) 14 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\desktop.ini	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Hearts\desktop.ini	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Mahjong\desktop.ini	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Chess\desktop.ini	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Solitaire\desktop.ini	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\desktop.ini	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\FreeCell\desktop.ini	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Purble Place\desktop.ini	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0213243.WMF	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\VelvetRose.css	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Background_Loading.png	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CET	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\how_to_decrypt.hta	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_hr.dll	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Elemental.xml	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Templates\1033\Pitchbook.potx	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Printing.resources.dll	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01295_.GIF	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\America\Godthab	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\fontconfig.bfc	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\Help\1049\how_to_decrypt.hta	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-queries.jar	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PAPER_01.MID	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.properties	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00625_.WMF	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Windows Journal\Templates\To_Do_List.jtp	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107090.WMF	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Perspective.dotx	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\server\classes.jsa	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\security\javaws.policy	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\javafx.properties	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199307.WMF	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File created	\??\c:\Program Files (x86)\Common Files\System\Ole DB\en-US\how_to_decrypt.hta	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CLICK.WAV	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\gadget.xml	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\BREEZE.INF	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01160_.WMF	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Concourse.eftx	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File created	\??\c:\Program Files\Windows Sidebar\fr-FR\how_to_decrypt.hta	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14753_.GIF	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21329_.GIF	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\dt_socket.dll	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_chromaprint_plugin.dll	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02075_.WMF	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_COL.HXC	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\tab_on.gif	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Gradient.png	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL044.XML	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkDrop32x32.gif	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105380.WMF	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14580_.GIF	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDEC.CFG	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\CALENDAR.GIF	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_ja_4.4.0.v20140623020002.jar	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Templates\1033\ClassicPhotoAlbum.potx	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FORM.JS	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\ReachFramework.resources.dll	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0235241.WMF	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Common Files\System\ado\msado21.tlb	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_pitch_plugin.dll	a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe

C:\Users\Admin\AppData\Local\Temp\a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe
"C:\Users\Admin\AppData\Local\Temp\a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini

Filesize
2KB

MD5
d037b5587ef9a6e48967492112225933

SHA1
f427d1303721abe884ad919e9abd75155c6efcdf

SHA256
af6ae71d38e07223bcf5d93ad83b7238b96d4563a087253f2507491514675856

SHA512
a499ed9f61a98b41f72a1a67f6a2ed5d8d7e8f09d8d000a6eabf9b96f231402cbf208e2a3fb536184e71eff31a12af856e80988899cfcbe350d96ad77d022673

Download Submit
C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\how_to_decrypt.hta

Filesize
12KB

MD5
a77a055620832abe993829b763b8a80d

SHA1
49fb1a87c2b9c6db65fd622a0a3b067dddc6ee36

SHA256
7e3d8b56bee946639cb1fda7ee5d7218979b94cdd4e62fa9e5ede59975d78b1d

SHA512
c041f3b9d92b01d1a54fe92a83810b26a27e66125ec2c20844b92d2c89bc985a20a12554d8169c37a5e5549e1faad5bdfad00edb9c87a5cf3d08a57c6f7a4f70

Download Submit
memory/2156-13113-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-15198-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-0-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-1889-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-2252-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-2-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-2975-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-2893-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-8-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-1-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-13114-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-13115-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-2288-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2156-27574-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads