Resubmissions

09-10-2023 22:49

231009-2rwndsgh8w 10

06-03-2022 02:50

220306-dbkzyshha4 10

Analysis

  • max time kernel
    4294177s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    06-03-2022 02:50

General

  • Target

    14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe

  • Size

    136KB

  • MD5

    17f29268c9f1c5d5bca8b2b66cd1044c

  • SHA1

    16273c67d772dccd1bc9d375b1c9ffa25e83129c

  • SHA256

    14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9

  • SHA512

    bd4d3f760de8225626f748f0168188d40c283b1a5525234cb8ff63621ff5f5952c6d6bf6de464485784641ff7aa08d89979ad000d26feb34f44fc231287ab1db

Malware Config

Signatures

  • Jigsaw Ransomware

    Ransomware family first seen in 2016, named after the Saw-franchise puppet wallpaper that early versions set after infection.

  • Executes dropped EXE (1 IoC)
  • Modifies extensions of user files (3 IoCs)

    Ransomware generally changes the extension of the files it has encrypted.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (64 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s); likely ransomware behaviour (enumerating drives to find files to encrypt).

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe
    "C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Drops file in Program Files directory
      PID:1608
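The Signatures and Processes sections above describe a short chain: the sample in %TEMP% writes drpbx.exe under AppData\Local\Drpbx, starts it with its own path as the argument, adds a Run key, and re-extensions user files. As an added example that is not part of the sandbox report, here is Python detection logic run over constructed Sysmon-style events modelled on that tree. The image paths, PIDs and command lines come from the report; the explorer.exe parent, the Run value name "sysupd", the document names and the ".locked" extension are assumptions for the example (the report names none of them).

```python
import re
from collections import defaultdict

# Paths and PIDs taken from the process tree in the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe"

# Constructed Sysmon-style records (EventID 1 = process create, 13 = registry value
# set, 11 = file create). The explorer.exe parent, the Run value name "sysupd", the
# document names and the ".locked" extension are assumptions for this example.
EVENTS = [
    {"EventID": 1, "ProcessId": 1684, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 13, "ProcessId": 1684,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\sysupd",
     "Details": DROPPED},
    {"EventID": 1, "ProcessId": 1608, "ParentImage": SAMPLE,
     "Image": DROPPED, "CommandLine": f'"{DROPPED}" {SAMPLE}'},
    {"EventID": 11, "ProcessId": 1608, "TargetFilename": r"C:\Users\Admin\Documents\report.docx.locked"},
    {"EventID": 11, "ProcessId": 1608, "TargetFilename": r"C:\Users\Admin\Pictures\holiday.jpg.locked"},
    {"EventID": 11, "ProcessId": 1608, "TargetFilename": r"C:\Users\Admin\Documents\budget.xlsx.locked"},
    # benign noise: an installer writing a DLL must not trip the re-extension rule
    {"EventID": 11, "ProcessId": 2200, "TargetFilename": r"C:\Program Files\Tool\tool.dll"},
]

LOCALAPPDATA = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_DOC_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png"}


def detect(events, rename_threshold=3):
    """Return (rule, pid, detail) tuples for the three behaviours flagged in the report."""
    findings = []
    renames = defaultdict(int)
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            image, parent, cmd = ev["Image"], ev["ParentImage"], ev["CommandLine"]
            # Rule 1: a binary staged under %LOCALAPPDATA% (but not %TEMP% itself),
            # started by a parent running from %TEMP%, and handed the parent's own path
            # as an argument, which is exactly what drpbx.exe does in the tree above.
            if (LOCALAPPDATA.search(image) and not TEMP_DIR.search(image)
                    and TEMP_DIR.search(parent) and parent.lower() in cmd.lower()):
                findings.append(("dropped_exe_executed", ev["ProcessId"], image))
        elif eid == 13:
            # Rule 2: Run-key persistence whose target lives in a user-writable directory.
            if RUN_KEY.search(ev["TargetObject"]) and LOCALAPPDATA.search(ev["Details"]):
                findings.append(("run_key_persistence", ev["ProcessId"], ev["Details"]))
        elif eid == 11:
            # Rule 3: a document extension followed by an extra appended extension
            # (report.docx -> report.docx.locked), counted per writing process.
            basename = ev["TargetFilename"].rsplit("\\", 1)[-1].lower()
            parts = basename.split(".")
            if len(parts) >= 3 and "." + parts[-2] in USER_DOC_EXT:
                renames[ev["ProcessId"]] += 1
    for pid, count in renames.items():
        if count >= rename_threshold:
            findings.append(("mass_extension_change", pid, f"{count} user files re-extensioned"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:24} pid={pid} {detail}")
```

Rule 1 is the most specific of the three because it keys on the parent-path argument, which is how the dropped copy knows where the original lives; rules 2 and 3 fire on their own and are noisier, so in production they are best correlated on the same PID chain before alerting.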

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1608-59-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp (Filesize 9.6MB)
  • memory/1608-58-0x000007FEF32A0000-0x000007FEF4336000-memory.dmp (Filesize 16.6MB)
  • memory/1608-62-0x0000000000970000-0x0000000000972000-memory.dmp (Filesize 8KB)
  • memory/1608-63-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp (Filesize 9.6MB)
  • memory/1608-65-0x000000000099A000-0x000000000099B000-memory.dmp (Filesize 4KB)
  • memory/1608-64-0x000000000097B000-0x000000000099A000-memory.dmp (Filesize 124KB)
  • memory/1684-54-0x000007FEF32A0000-0x000007FEF4336000-memory.dmp (Filesize 16.6MB)
  • memory/1684-57-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp (Filesize 9.6MB)
  • memory/1684-60-0x0000000000B40000-0x0000000000B42000-memory.dmp (Filesize 8KB)
  • memory/1684-61-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp (Filesize 9.6MB)
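The dump file names above encode the PID, a sequence number and the start/end address of each region, which is enough to triage them before downloading anything. The following Python is an added example, not part of the sandbox report: it parses those names, checks that the sizes agree with the reported Filesize values, and separates the ranges that appear in both PIDs (on x64 Windows 7 the 0x000007FE... area is typical of mapped modules, so identical ranges in both processes are most likely the same DLLs) from the small low-address regions that are private to each process and worth opening first. The dump names are copied from the list above as constructed input.

```python
import re
from collections import defaultdict

# Dump names as listed in the Downloads section (input constructed from the report).
DUMPS = [
    "memory/1608-59-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp",
    "memory/1608-58-0x000007FEF32A0000-0x000007FEF4336000-memory.dmp",
    "memory/1608-62-0x0000000000970000-0x0000000000972000-memory.dmp",
    "memory/1608-63-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp",
    "memory/1608-65-0x000000000099A000-0x000000000099B000-memory.dmp",
    "memory/1608-64-0x000000000097B000-0x000000000099A000-memory.dmp",
    "memory/1684-54-0x000007FEF32A0000-0x000007FEF4336000-memory.dmp",
    "memory/1684-57-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp",
    "memory/1684-60-0x0000000000B40000-0x0000000000B42000-memory.dmp",
    "memory/1684-61-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp",
]

NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name):
    """Split a dump file name into pid, sequence number, address range and byte size."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(n):
    """Match the report's formatting: whole KB below 1 MiB, otherwise MB to one decimal."""
    if n < 1 << 20:
        return f"{n // 1024}KB"
    return f"{n / (1 << 20):.1f}MB"


def shared_ranges(names):
    """Address ranges dumped from more than one PID (most likely the same mapped modules)."""
    by_range = defaultdict(set)
    for d in map(parse_dump, names):
        by_range[(d["start"], d["end"])].add(d["pid"])
    return {rng for rng, pids in by_range.items() if len(pids) > 1}


def private_regions(names):
    """Per-PID (start, size) regions not shared with another process, sorted by address."""
    shared = shared_ranges(names)
    out = defaultdict(list)
    for d in map(parse_dump, names):
        if (d["start"], d["end"]) not in shared:
            out[d["pid"]].append((d["start"], d["size"]))
    return {pid: sorted(v) for pid, v in out.items()}


if __name__ == "__main__":
    for d in map(parse_dump, DUMPS):
        print(f"pid {d['pid']} seq {d['seq']} "
              f"0x{d['start']:016X}-0x{d['end']:016X} {human_size(d['size'])}")
    print("shared:", [f"0x{s:X}-0x{e:X}" for s, e in sorted(shared_ranges(DUMPS))])
    print("private:", private_regions(DUMPS))
```

Run against the list above, the computed sizes reproduce the report's 9.6MB, 16.6MB, 124KB, 8KB and 4KB values, the two 0x7FE... ranges are shared by PIDs 1684 and 1608, and the candidates for a first look are the three small regions around 0x970000 in the dropped drpbx.exe process and the one around 0xB40000 in the parent.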
