Analysis

  • max time kernel
    239s
  • max time network
    277s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    07-07-2021 16:18

General

  • Target

    073dec2ee0bdfaec89aa903cf9a19bde83ed68477d6bbccdf29489f4e6ced4f3.exe

  • Size

    31.2MB

  • MD5

    4ffd999d6ac629c27e1a9229c8e0ddd6

  • SHA1

    00b8e8cce15d86bf05ea1dfdc6a6bc779c24dedc

  • SHA256

    073dec2ee0bdfaec89aa903cf9a19bde83ed68477d6bbccdf29489f4e6ced4f3

  • SHA512

    b91ef53301c2d9e3324f50b96d20f7d24c5db747679a10a30520a68f362487c8f48721c4bf92ad4635023ac4899184260e4b2def2ff31040bc0afbee77ffb825

Malware Config

Signatures

  • Jigsaw Ransomware

    Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\073dec2ee0bdfaec89aa903cf9a19bde83ed68477d6bbccdf29489f4e6ced4f3.exe
    "C:\Users\Admin\AppData\Local\Temp\073dec2ee0bdfaec89aa903cf9a19bde83ed68477d6bbccdf29489f4e6ced4f3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\073dec2ee0bdfaec89aa903cf9a19bde83ed68477d6bbccdf29489f4e6ced4f3.exe
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:292
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        dw20.exe -x -s 644
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        PID:824

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
    MD5

    4ffd999d6ac629c27e1a9229c8e0ddd6

    SHA1

    00b8e8cce15d86bf05ea1dfdc6a6bc779c24dedc

    SHA256

    073dec2ee0bdfaec89aa903cf9a19bde83ed68477d6bbccdf29489f4e6ced4f3

    SHA512

    b91ef53301c2d9e3324f50b96d20f7d24c5db747679a10a30520a68f362487c8f48721c4bf92ad4635023ac4899184260e4b2def2ff31040bc0afbee77ffb825

  • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
    MD5

    4ffd999d6ac629c27e1a9229c8e0ddd6

    SHA1

    00b8e8cce15d86bf05ea1dfdc6a6bc779c24dedc

    SHA256

    073dec2ee0bdfaec89aa903cf9a19bde83ed68477d6bbccdf29489f4e6ced4f3

    SHA512

    b91ef53301c2d9e3324f50b96d20f7d24c5db747679a10a30520a68f362487c8f48721c4bf92ad4635023ac4899184260e4b2def2ff31040bc0afbee77ffb825

  • memory/292-65-0x0000000000AE0000-0x0000000000AE2000-memory.dmp
    Filesize

    8KB

  • memory/292-61-0x0000000000000000-mapping.dmp
  • memory/292-64-0x000007FEF14F0000-0x000007FEF2586000-memory.dmp
    Filesize

    16.6MB

  • memory/292-66-0x0000000000AE6000-0x0000000000B05000-memory.dmp
    Filesize

    124KB

  • memory/292-67-0x0000000000B05000-0x0000000000B06000-memory.dmp
    Filesize

    4KB

  • memory/292-68-0x0000000000B09000-0x0000000000B0B000-memory.dmp
    Filesize

    8KB

  • memory/824-69-0x0000000000000000-mapping.dmp
  • memory/824-70-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp
    Filesize

    8KB

  • memory/824-71-0x00000000005B0000-0x00000000005B1000-memory.dmp
    Filesize

    4KB

  • memory/2020-60-0x000007FEF14F0000-0x000007FEF2586000-memory.dmp
    Filesize

    16.6MB

  • memory/2020-59-0x0000000002240000-0x0000000002242000-memory.dmp
    Filesize

    8KB