Analysis
-
max time kernel
7s -
max time network
12s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
06-03-2021 22:16
Static task
static1
Behavioral task
behavioral1
Sample
Compito matematica.pdf.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Compito matematica.pdf.exe
Resource
win10v20201028
General
-
Target
Compito matematica.pdf.exe
-
Size
606KB
-
MD5
4e890ba5a4f6fd63727c0005daa654dd
-
SHA1
e9ade30c93942c3f5928522552dd01eb25a9e9db
-
SHA256
e1c7d34fc0138d018f9e947af3dac7ec4d0fe9751dd1bc4424b185a92ca4bc51
-
SHA512
177badec70b21ed1b94a8a235535249c94b72e21fc62bae1e8c32e44b9495006687a2ef7545256ddaa2c167d870515de45e9aea524e3081135fa901532af6477
Malware Config
Signatures
-
Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
-
Executes dropped EXE 1 IoCs
Processes:
drpbx.exepid process 1192 drpbx.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Compito matematica.pdf.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" Compito matematica.pdf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
Compito matematica.pdf.exedescription pid process target process PID 548 wrote to memory of 1192 548 Compito matematica.pdf.exe drpbx.exe PID 548 wrote to memory of 1192 548 Compito matematica.pdf.exe drpbx.exe PID 548 wrote to memory of 1192 548 Compito matematica.pdf.exe drpbx.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Compito matematica.pdf.exe"C:\Users\Admin\AppData\Local\Temp\Compito matematica.pdf.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\Compito?matematica.pdf.exe2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exeMD5
4e890ba5a4f6fd63727c0005daa654dd
SHA1e9ade30c93942c3f5928522552dd01eb25a9e9db
SHA256e1c7d34fc0138d018f9e947af3dac7ec4d0fe9751dd1bc4424b185a92ca4bc51
SHA512177badec70b21ed1b94a8a235535249c94b72e21fc62bae1e8c32e44b9495006687a2ef7545256ddaa2c167d870515de45e9aea524e3081135fa901532af6477
-
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exeMD5
4e890ba5a4f6fd63727c0005daa654dd
SHA1e9ade30c93942c3f5928522552dd01eb25a9e9db
SHA256e1c7d34fc0138d018f9e947af3dac7ec4d0fe9751dd1bc4424b185a92ca4bc51
SHA512177badec70b21ed1b94a8a235535249c94b72e21fc62bae1e8c32e44b9495006687a2ef7545256ddaa2c167d870515de45e9aea524e3081135fa901532af6477
-
memory/548-3-0x0000000000A70000-0x0000000000A72000-memory.dmpFilesize
8KB
-
memory/548-2-0x000007FEF69B0000-0x000007FEF734D000-memory.dmpFilesize
9.6MB
-
memory/548-4-0x000007FEF69B0000-0x000007FEF734D000-memory.dmpFilesize
9.6MB
-
memory/1192-5-0x0000000000000000-mapping.dmp
-
memory/1192-8-0x000007FEF69B0000-0x000007FEF734D000-memory.dmpFilesize
9.6MB
-
memory/1192-10-0x0000000000C40000-0x0000000000C42000-memory.dmpFilesize
8KB
-
memory/1192-9-0x000007FEF69B0000-0x000007FEF734D000-memory.dmpFilesize
9.6MB