Overview

overview

10

Static

static

073dec2ee0...f3.exe

windows7_x64

10

073dec2ee0...f3.exe

windows10_x64

10

Analysis

  • max time kernel
    298s
  • max time network
    269s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    07-07-2021 16:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    073dec2ee0bdfaec89aa903cf9a19bde83ed68477d6bbccdf29489f4e6ced4f3.exe

  • Size

    31.2MB

  • MD5

    4ffd999d6ac629c27e1a9229c8e0ddd6

  • SHA1

    00b8e8cce15d86bf05ea1dfdc6a6bc779c24dedc

  • SHA256

    073dec2ee0bdfaec89aa903cf9a19bde83ed68477d6bbccdf29489f4e6ced4f3

  • SHA512

    b91ef53301c2d9e3324f50b96d20f7d24c5db747679a10a30520a68f362487c8f48721c4bf92ad4635023ac4899184260e4b2def2ff31040bc0afbee77ffb825

Score
10/10
jigsawpersistenceransomwarespywarestealer

Malware Config

Signatures

  • Jigsaw Ransomware

    Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

    ransomwarejigsaw
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\073dec2ee0bdfaec89aa903cf9a19bde83ed68477d6bbccdf29489f4e6ced4f3.exe
    "C:\Users\Admin\AppData\Local\Temp\073dec2ee0bdfaec89aa903cf9a19bde83ed68477d6bbccdf29489f4e6ced4f3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3924
    • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\073dec2ee0bdfaec89aa903cf9a19bde83ed68477d6bbccdf29489f4e6ced4f3.exe
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:188

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/188-119-0x0000000002C40000-0x0000000002C42000-memory.dmp

    Filesize

    8KB

    Download

  • memory/188-120-0x0000000002C42000-0x0000000002C44000-memory.dmp

    Filesize

    8KB

    Download

  • memory/188-121-0x0000000002C45000-0x0000000002C47000-memory.dmp

    Filesize

    8KB

    Download

  • memory/188-122-0x0000000002C44000-0x0000000002C45000-memory.dmp

    Filesize

    4KB

    Download

  • memory/188-123-0x0000000002C4A000-0x0000000002C4F000-memory.dmp

    Filesize

    20KB

    Download

  • memory/3924-114-0x0000000001590000-0x0000000001592000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3924-115-0x0000000001592000-0x0000000001594000-memory.dmp

    Filesize

    8KB

    Download