Malware Analysis Report

2024-10-18 23:54

Sample ID 201109-ldpapz7ekx
Target SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918
SHA256 0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811
Tags
jigsaw persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811

Threat Level: Known bad

The file SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918 was found to be: Known bad.

Malicious Activity Summary

jigsaw persistence ransomware

Jigsaw Ransomware

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Windows directory

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-11-09 19:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-11-09 19:51

Reported

2020-11-10 02:05

Platform

win7v20201028

Max time kernel

25s

Max time network

27s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe"

Signatures

Jigsaw Ransomware

ransomware jigsaw

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe"

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe

Network

N/A

Files

memory/684-0-0x0000000001F00000-0x0000000001F11000-memory.dmp

\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 5a5c745bf3e97fe2be01880132662f28
SHA1 924af25d379fc88319bc55958db898dbf5054309
SHA256 0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811
SHA512 151e4a07e19350d677e049c57c971b64924150eec007e665843cb6142ec73fc06ae4145c64164d3f7f25a376a7536ac6d9b3c85180503549a0c86f09cc0ded10

memory/2004-2-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 5a5c745bf3e97fe2be01880132662f28
SHA1 924af25d379fc88319bc55958db898dbf5054309
SHA256 0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811
SHA512 151e4a07e19350d677e049c57c971b64924150eec007e665843cb6142ec73fc06ae4145c64164d3f7f25a376a7536ac6d9b3c85180503549a0c86f09cc0ded10

memory/2004-4-0x0000000001F70000-0x0000000001F81000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2020-11-09 19:51

Reported

2020-11-10 02:05

Platform

win10v20201028

Max time kernel

11s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe"

Signatures

Jigsaw Ransomware

ransomware jigsaw

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe"

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe

Network

N/A

Files

memory/1020-0-0x0000000002390000-0x0000000002391000-memory.dmp

memory/1020-1-0x0000000002390000-0x0000000002391000-memory.dmp

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 5a5c745bf3e97fe2be01880132662f28
SHA1 924af25d379fc88319bc55958db898dbf5054309
SHA256 0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811
SHA512 151e4a07e19350d677e049c57c971b64924150eec007e665843cb6142ec73fc06ae4145c64164d3f7f25a376a7536ac6d9b3c85180503549a0c86f09cc0ded10

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 5a5c745bf3e97fe2be01880132662f28
SHA1 924af25d379fc88319bc55958db898dbf5054309
SHA256 0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811
SHA512 151e4a07e19350d677e049c57c971b64924150eec007e665843cb6142ec73fc06ae4145c64164d3f7f25a376a7536ac6d9b3c85180503549a0c86f09cc0ded10

memory/2072-3-0x0000000000000000-mapping.dmp

memory/2072-6-0x0000000002210000-0x0000000002211000-memory.dmp