Analysis

  • max time kernel
    300s
  • max time network
    271s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    05-11-2020 14:36

General

  • Target

    5cc851c0bce31e62a7c293c01117e5d80383b97ce97c040f2c08cfaa29380037.exe

  • Size

    676KB

  • MD5

    c1ed709a4375516d25889357d0660f00

  • SHA1

    3f16cd69f3772b9aa51ff2b528f95227e7caed6f

  • SHA256

    5cc851c0bce31e62a7c293c01117e5d80383b97ce97c040f2c08cfaa29380037

  • SHA512

    215cc02a53e3d0eff52f511c516fd5d87726926984e84cd18a7b35c3783792a0ee050e736f2c72bc28d42f1975bb6314d9f0f9e28766839db257c7c500c81ac0

Malware Config

Signatures

  • Jigsaw Ransomware

    Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 15229 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5cc851c0bce31e62a7c293c01117e5d80383b97ce97c040f2c08cfaa29380037.exe
    "C:\Users\Admin\AppData\Local\Temp\5cc851c0bce31e62a7c293c01117e5d80383b97ce97c040f2c08cfaa29380037.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Users\Admin\AppData\Local\chrme\chrome.exe
      "C:\Users\Admin\AppData\Local\chrme\chrome.exe" C:\Users\Admin\AppData\Local\Temp\5cc851c0bce31e62a7c293c01117e5d80383b97ce97c040f2c08cfaa29380037.exe
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Drops file in Program Files directory
      PID:4032

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2868-0-0x00007FFE304A0000-0x00007FFE30E40000-memory.dmp

    Filesize

    9.6MB

  • memory/4032-4-0x00007FFE304A0000-0x00007FFE30E40000-memory.dmp

    Filesize

    9.6MB