Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 13/02/2025, 06:45
Behavioral task: behavioral1
Sample: d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
Resource: win10v2004-20250207-en
General
Target: d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
Size: 1.1MB
MD5: 1852be15aa8dcf664291b3849bd348e4
SHA1: eea811d2a304101cc0b0edebe6590ea0f3da0a27
SHA256: d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a
SHA512: 91ca1d44fa98a43dbc53541cecb8ca656df01d6dc57783f12c70df49347520e150796834731b56107976b5b9dc915006d18caf39ac6792187d605542452bd4eb
SSDEEP: 24576:hY6frxBDmkY+Jr0Iql2v4sx+uxtTyJuqe:bKuTvBwSdCud
Malware Config
Signatures
Detects Trigona ransomware (13 IoCs)
Trigona
Ransomware first seen at the beginning of 2022.
Trigona family
Adds Run key to start application (2 TTPs, 1 IoC)
Description: Set value (str)
IoC: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\016C7DC7A9DA747BCCC3B4BE22F06C22 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe"
Process: d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
Drops desktop.ini file(s) (14 IoCs)
Drops file in Program Files directory (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description: Key opened
IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
Processes
Process: C:\Users\Admin\AppData\Local\Temp\d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a.exe"
PID: 1308
Signatures:
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: 544ed71a146851eb4e97fdaedf43641f
SHA1: 46096bab46ce84a18225d0fc2e20e993fd915254
SHA256: f3c2f8bd1a2b31e4a5fcfaa3c4e2dbf7ba1d093f824348484a7e7fc7b5cdeb47
SHA512: 6376915ca1537f69ff286399f8e063db62dabc2d4b06ad28750b78fbec67ed6fbe0ac729bda9598d50275964ad799222f75ad2548a4e27196958cc46058fd295

Filesize: 11KB
MD5: 2e51e20ae54a6e47a41075822fde8a96
SHA1: 137a621190443cb3b59af0a58ea76efb889c2222
SHA256: f0cfd935e5b3863226e00f99ccb2390c93f34ff0b2be6611dc917e326ed674c4
SHA512: 88c06ec7554131d179af15466be6e5298f6b923c2ce5652111243512900e8e79072471aae7d69848ce47c6e359096e2ed07873b1911ac84665f91207721b5b6c