b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3

General
Target

b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe

Filesize

41KB

Completed

05-11-2020 14:39

Score
10/10
MD5

0efb06144ff6e9eb6bdc03fafa5167a7

SHA1

894bc02320d1308462ce004cf06e1bb1841d22c2

SHA256

b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3

Malware Config
Signatures 4

Defense Evasion
Persistence
  • Jigsaw Ransomware

    Description

    Ransomware family first seen in 2016, named after the wallpaper (the Jigsaw puppet from the Saw films) that early versions set after infection.

  • Executes dropped EXE
    AcroRd32.exe

    Reported IOCs

    pid   process
    3012  AcroRd32.exe
  • Adds Run key to start application
    b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Google (x86)\\Chrome32.exe"
    process: b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe

    Note that the Run value points at a Chrome32.exe under %AppData%\Roaming\Google (x86)\, while the only dropped file recorded in this run is %LocalAppData%\Adobe (x86)\AcroRd32.exe; the persistence target itself does not appear in the Downloads list below.
  • Suspicious use of WriteProcessMemory
    b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe

    Reported IOCs

    description                      pid  process                                                                  target process
    PID 644 wrote to memory of 3012  644  b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe  AcroRd32.exe
    PID 644 wrote to memory of 3012  644  b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe  AcroRd32.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe
    "C:\Users\Admin\AppData\Local\Temp\b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe"
    Adds Run key to start application
    Suspicious use of WriteProcessMemory
    PID:644
    • C:\Users\Admin\AppData\Local\Adobe (x86)\AcroRd32.exe
      "C:\Users\Admin\AppData\Local\Adobe (x86)\AcroRd32.exe" C:\Users\Admin\AppData\Local\Temp\b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3.exe
      Executes dropped EXE
      PID:3012
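The signatures and process tree above reduce to a handful of host-level checks: an autostart value that points into a user-writable directory, a folder name that imitates a Program Files vendor directory ("Adobe (x86)", "Google (x86)") outside Program Files, a child executable launched from such a folder, and a dropped file whose hash equals the submitted sample. The Python below is an added example, not part of the sandbox report or its tooling; it runs those checks over event rows constructed from this report. The row schema (`kind`, `key`, `value`, `image`, `path`, `sha256`), the regexes and the check names are this example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed from the report above; the key names are this example's own
# schema, not the sandbox's export format. Backslashes are single here (the
# report renders the Run value as an escaped string literal).
SAMPLE_SHA256 = "b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3"
EVENTS: List[Dict] = [
    {"kind": "reg_set", "pid": 644,
     "key": r"HKU\S-1-5-21-1985363256-3005190890-1182679451-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\Chrome32.exe",
     "value": r"C:\Users\Admin\AppData\Roaming\Google (x86)\Chrome32.exe"},
    {"kind": "file_write", "pid": 644,
     "path": r"C:\Users\Admin\AppData\Local\Adobe (x86)\AcroRd32.exe",
     "sha256": SAMPLE_SHA256},
    {"kind": "proc_create", "pid": 3012, "ppid": 644,
     "image": r"C:\Users\Admin\AppData\Local\Adobe (x86)\AcroRd32.exe"},
]

# Autostart locations of interest (HKU/HKCU and HKLM share this suffix).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Per-user profile storage: writable without admin rights.
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
# A "<Vendor> (x86)" folder outside Program Files imitates a vendor install dir.
VENDOR_MIMIC_RE = re.compile(r"\\[^\\]+ \(x86\)\\", re.I)
PROGRAM_FILES_RE = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.I)


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE_RE.match(path))


def mimics_vendor_dir(path: str) -> bool:
    return bool(VENDOR_MIMIC_RE.search(path)) and not PROGRAM_FILES_RE.match(path)


def triage(events: List[Dict], sample_sha256: str) -> List[Dict]:
    """Return one finding per check that fires; an empty list means nothing fired."""
    findings: List[Dict] = []
    written = {e["path"].lower() for e in events if e["kind"] == "file_write"}

    def hit(check: str, pid: int, ioc: str) -> None:
        findings.append({"check": check, "pid": pid, "ioc": ioc})

    for e in events:
        if e["kind"] == "reg_set" and RUN_KEY_RE.search(e["key"]):
            target = e["value"].strip('"')
            if is_user_writable(target):
                hit("run_key_user_writable", e["pid"], target)
                # The persistence payload was never seen being written in this
                # trace: the Run value and the dropped file name different paths.
                if target.lower() not in written:
                    hit("persistence_target_unobserved", e["pid"], target)
            if mimics_vendor_dir(target):
                hit("vendor_dir_mimic", e["pid"], target)
        elif e["kind"] == "file_write" and e.get("sha256") == sample_sha256:
            # Dropped file is byte-identical to the submitted sample (self-copy).
            hit("self_copy", e["pid"], e["path"])
        elif e["kind"] == "proc_create":
            if is_user_writable(e["image"]):
                hit("exec_from_user_writable", e["pid"], e["image"])
            if mimics_vendor_dir(e["image"]):
                hit("vendor_dir_mimic", e["pid"], e["image"])
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS, SAMPLE_SHA256):
        print(f"[{f['check']}] pid={f['pid']} {f['ioc']}")
```

Against the constructed rows the checks fire six times: the Run value is user-writable, mimics a vendor folder and has no matching write; the dropped file is a self-copy; and the child process both runs from AppData and sits in a vendor-look-alike folder. A legitimate Run value pointing under Program Files (x86) produces no findings, which is the property that keeps the vendor-folder heuristic from flagging real installs.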
Network
MITRE ATT&CK Matrix
Tactics covered by the signatures above: Persistence (Registry Run Keys / Startup Folder) and Defense Evasion (Modify Registry).
                      Downloads
                      • C:\Users\Admin\AppData\Local\Adobe (x86)\AcroRd32.exe

                        MD5

                        0efb06144ff6e9eb6bdc03fafa5167a7

                        SHA1

                        894bc02320d1308462ce004cf06e1bb1841d22c2

                        SHA256

                        b3af58566437f83301cd884feaaa2c4b6c827498969a2abbe48afc03351facb3

                        SHA512

                        a4e4f538ad17d32c63f5b6b5be26115931480544ca921bec09bbe0dcb0989455fb29a8ddd97c3e14b4b1250b9aa8b19aa0e0849fcf1dd57f2d3f934f7e973a96

                        The dropped AcroRd32.exe carries the same MD5, SHA1 and SHA256 as the submitted sample: the parent copied itself byte-for-byte into the Adobe (x86) folder and launched the copy (PID 3012) with the original path as its argument.

                      • memory/644-0-0x00007FFD721D0000-0x00007FFD72B70000-memory.dmp

                      • memory/3012-1-0x0000000000000000-mapping.dmp

                      • memory/3012-4-0x00007FFD721D0000-0x00007FFD72B70000-memory.dmp