jigsaw | 4962712045bc6709a91f746b14ae6473ca1936b1caaa907f0391035f8c139f71

General

Target

4962712045bc6709a91f746b14ae6473ca1936b1caaa907f0391035f8c139f71.exe
Size

137KB
MD5

6b2843a576c2cc99cdda72304b3b67c9
SHA1

d1be9c2e7130ddc7649966a1fc691b9e4f90681b
SHA256

4962712045bc6709a91f746b14ae6473ca1936b1caaa907f0391035f8c139f71
SHA512

9cfd6248401ab04bc67c6695f9d60d9dc050ef93bb8fda321cc0ed808c86e69fca3a36bac69de4f8e3f185c31c9ba3c744c6a646105e8a8306725194934e0365

Score

10^/10

jigsaw persistence ransomware

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Executes dropped EXE 1 IoCs

Processes:

drpbx.exe

pid process

3396 drpbx.exe

pid	process
3396	drpbx.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

drpbx.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\MountAssert.raw.locked	drpbx.exe
File created	C:\Users\Admin\Pictures\OpenPop.png.locked	drpbx.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4962712045bc6709a91f746b14ae6473ca1936b1caaa907f0391035f8c139f71.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	4962712045bc6709a91f746b14ae6473ca1936b1caaa907f0391035f8c139f71.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4962712045bc6709a91f746b14ae6473ca1936b1caaa907f0391035f8c139f71.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	4962712045bc6709a91f746b14ae6473ca1936b1caaa907f0391035f8c139f71.exe

Drops file in Program Files directory 64 IoCs

Processes:

drpbx.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.bmp	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.locked	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.locked	drpbx.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\DMR_48.jpg	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	drpbx.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\README.txt	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxManifest.xml	drpbx.exe
File opened for modification	C:\Program Files\InitializeImport.xlsb	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.locked	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.locked	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME.txt	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Protocol.xml	drpbx.exe
File opened for modification	C:\Program Files\RenameGroup.mpg	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.locked	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\connectionmanager_dmr.xml	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.locked	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	drpbx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\THANKS.txt	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	drpbx.exe
File created	C:\Program Files\7-Zip\readme.txt.locked	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.locked	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\AppxManifest.xml	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.locked	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.locked	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.locked	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	drpbx.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml.locked	drpbx.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceTigrinya.txt	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\PopSuspend.sql	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.locked	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\FileSystemMetadata.xml	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.locked	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\AppXManifest.xml	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.locked	drpbx.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml.locked	drpbx.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\connectionmanager_dmr.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\ms.txt.locked	drpbx.exe
File opened for modification	C:\Program Files\Common Files\Services\verisign.bmp	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxManifest.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\Logo.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\AppxManifest.xml	drpbx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

4962712045bc6709a91f746b14ae6473ca1936b1caaa907f0391035f8c139f71.exe

description	pid	process	target process
PID 1356 wrote to memory of 3396	1356	4962712045bc6709a91f746b14ae6473ca1936b1caaa907f0391035f8c139f71.exe	drpbx.exe
PID 1356 wrote to memory of 3396	1356	4962712045bc6709a91f746b14ae6473ca1936b1caaa907f0391035f8c139f71.exe	drpbx.exe

C:\Users\Admin\AppData\Local\Temp\4962712045bc6709a91f746b14ae6473ca1936b1caaa907f0391035f8c139f71.exe
"C:\Users\Admin\AppData\Local\Temp\4962712045bc6709a91f746b14ae6473ca1936b1caaa907f0391035f8c139f71.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\4962712045bc6709a91f746b14ae6473ca1936b1caaa907f0391035f8c139f71.exe
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in Program Files directory
PID:3396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
Filesize
137KB

MD5
6b2843a576c2cc99cdda72304b3b67c9

SHA1
d1be9c2e7130ddc7649966a1fc691b9e4f90681b

SHA256
4962712045bc6709a91f746b14ae6473ca1936b1caaa907f0391035f8c139f71

SHA512
9cfd6248401ab04bc67c6695f9d60d9dc050ef93bb8fda321cc0ed808c86e69fca3a36bac69de4f8e3f185c31c9ba3c744c6a646105e8a8306725194934e0365

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
Filesize
137KB

MD5
6b2843a576c2cc99cdda72304b3b67c9

SHA1
d1be9c2e7130ddc7649966a1fc691b9e4f90681b

SHA256
4962712045bc6709a91f746b14ae6473ca1936b1caaa907f0391035f8c139f71

SHA512
9cfd6248401ab04bc67c6695f9d60d9dc050ef93bb8fda321cc0ed808c86e69fca3a36bac69de4f8e3f185c31c9ba3c744c6a646105e8a8306725194934e0365

Download Submit
memory/3396-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads