Resubmissions

09-10-2023 22:49

231009-2rwndsgh8w 10

06-03-2022 02:50

220306-dbkzyshha4 10

Analysis

  • max time kernel
    4294177s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    06-03-2022 02:50

General

  • Target

    14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe

  • Size

    136KB

  • MD5

    17f29268c9f1c5d5bca8b2b66cd1044c

  • SHA1

    16273c67d772dccd1bc9d375b1c9ffa25e83129c

  • SHA256

    14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9

  • SHA512

    bd4d3f760de8225626f748f0168188d40c283b1a5525234cb8ff63621ff5f5952c6d6bf6de464485784641ff7aa08d89979ad000d26feb34f44fc231287ab1db

Malware Config

Signatures

  • Jigsaw Ransomware

    Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe
    "C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Drops file in Program Files directory
      PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
    MD5

    17f29268c9f1c5d5bca8b2b66cd1044c

    SHA1

    16273c67d772dccd1bc9d375b1c9ffa25e83129c

    SHA256

    14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9

    SHA512

    bd4d3f760de8225626f748f0168188d40c283b1a5525234cb8ff63621ff5f5952c6d6bf6de464485784641ff7aa08d89979ad000d26feb34f44fc231287ab1db

  • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
    MD5

    17f29268c9f1c5d5bca8b2b66cd1044c

    SHA1

    16273c67d772dccd1bc9d375b1c9ffa25e83129c

    SHA256

    14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9

    SHA512

    bd4d3f760de8225626f748f0168188d40c283b1a5525234cb8ff63621ff5f5952c6d6bf6de464485784641ff7aa08d89979ad000d26feb34f44fc231287ab1db

  • memory/1608-59-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp
    Filesize

    9.6MB

  • memory/1608-58-0x000007FEF32A0000-0x000007FEF4336000-memory.dmp
    Filesize

    16.6MB

  • memory/1608-62-0x0000000000970000-0x0000000000972000-memory.dmp
    Filesize

    8KB

  • memory/1608-63-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp
    Filesize

    9.6MB

  • memory/1608-65-0x000000000099A000-0x000000000099B000-memory.dmp
    Filesize

    4KB

  • memory/1608-64-0x000000000097B000-0x000000000099A000-memory.dmp
    Filesize

    124KB

  • memory/1684-54-0x000007FEF32A0000-0x000007FEF4336000-memory.dmp
    Filesize

    16.6MB

  • memory/1684-57-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp
    Filesize

    9.6MB

  • memory/1684-60-0x0000000000B40000-0x0000000000B42000-memory.dmp
    Filesize

    8KB

  • memory/1684-61-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp
    Filesize

    9.6MB