Resubmissions

09-10-2023 22:49

231009-2rx68aba24 10

05-11-2020 14:34

201105-wwra1hx6zn 10

Analysis

  • max time kernel
    167s
  • max time network
    12s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    05-11-2020 14:34

General

  • Target

    b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe

  • Size

    41KB

  • MD5

    0efb06144ff6e9eb6bdc03fafa5167a7

  • SHA1

    894bc02320d1308462ce004cf06e1bb1841d22c2

  • SHA256

    b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3

  • SHA512

    a4e4f538ad17d32c63f5b6b5be26115931480544ca921bec09bbe0dcb0989455fb29a8ddd97c3e14b4b1250b9aa8b19aa0e0849fcf1dd57f2d3f934f7e973a96

Malware Config

Signatures

  • Jigsaw Ransomware

    Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 4928 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe
    "C:\Users\Admin\AppData\Local\Temp\b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Users\Admin\AppData\Local\Adobe (x86)\AcroRd32.exe
      "C:\Users\Admin\AppData\Local\Adobe (x86)\AcroRd32.exe" C:\Users\Admin\AppData\Local\Temp\b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Drops file in Program Files directory
      PID:1208

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Adobe (x86)\AcroRd32.exe
    MD5

    0efb06144ff6e9eb6bdc03fafa5167a7

    SHA1

    894bc02320d1308462ce004cf06e1bb1841d22c2

    SHA256

    b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3

    SHA512

    a4e4f538ad17d32c63f5b6b5be26115931480544ca921bec09bbe0dcb0989455fb29a8ddd97c3e14b4b1250b9aa8b19aa0e0849fcf1dd57f2d3f934f7e973a96

  • C:\Users\Admin\AppData\Local\Adobe (x86)\AcroRd32.exe
    MD5

    0efb06144ff6e9eb6bdc03fafa5167a7

    SHA1

    894bc02320d1308462ce004cf06e1bb1841d22c2

    SHA256

    b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3

    SHA512

    a4e4f538ad17d32c63f5b6b5be26115931480544ca921bec09bbe0dcb0989455fb29a8ddd97c3e14b4b1250b9aa8b19aa0e0849fcf1dd57f2d3f934f7e973a96

  • memory/1084-1-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp
    Filesize

    9.6MB

  • memory/1084-0-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp
    Filesize

    9.6MB

  • memory/1208-6-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp
    Filesize

    9.6MB

  • memory/1208-5-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp
    Filesize

    9.6MB

  • memory/1208-2-0x0000000000000000-mapping.dmp
  • memory/1208-7-0x000000001C680000-0x000000001C6A0000-memory.dmp
    Filesize

    128KB

  • memory/1208-245-0x000000001C680000-0x000000001C710000-memory.dmp
    Filesize

    576KB

  • memory/1208-839-0x000000001C0D0000-0x000000001C150000-memory.dmp
    Filesize

    512KB

  • memory/1208-861-0x000000001C0D0000-0x000000001C130000-memory.dmp
    Filesize

    384KB

  • memory/1208-905-0x000000001C0D0000-0x000000001C120000-memory.dmp
    Filesize

    320KB

  • memory/1208-949-0x000000001C0D0000-0x000000001C140000-memory.dmp
    Filesize

    448KB

  • memory/1208-959-0x000000001C160000-0x000000001C162000-memory.dmp
    Filesize

    8KB

  • memory/1208-1155-0x000000001C020000-0x000000001C060000-memory.dmp
    Filesize

    256KB