Analysis Overview
SHA256
20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7
Threat Level: Known bad
The file 20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7 was found to be: Known bad.
Malicious Activity Summary
Jigsaw Ransomware
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-12 11:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-12 11:51
Reported
2022-06-12 16:51
Platform
win7-20220414-en
Max time kernel
112s
Max time network
126s
Command Line
Signatures
Jigsaw Ransomware
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Local\Temp\20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | icanhazip.com | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 904 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe |
| PID 904 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe |
| PID 904 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe |
| PID 904 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe
"C:\Users\Admin\AppData\Local\Temp\20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe"
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.115.97:80 | icanhazip.com | tcp |
| US | 104.18.115.97:80 | icanhazip.com | tcp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
Files
memory/904-54-0x00000000755A1000-0x00000000755A3000-memory.dmp
memory/904-55-0x0000000074230000-0x00000000747DB000-memory.dmp
memory/904-56-0x0000000074230000-0x00000000747DB000-memory.dmp
\Users\Admin\AppData\Local\Drpbx\drpbx.exe
| MD5 | 269de662c8b796f35e614a1aa807d769 |
| SHA1 | 43f32f0e0d952dba0bc2cb3c0657291f0930ec8a |
| SHA256 | 20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7 |
| SHA512 | 4d99243d079668e08342dc015e8f0749b452fd0ae4a1f7b7d047a1b499289ca6044691641db661f90978082e8262e43bcb6230f9e87e0f7f770d568d9b381009 |
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
| MD5 | 269de662c8b796f35e614a1aa807d769 |
| SHA1 | 43f32f0e0d952dba0bc2cb3c0657291f0930ec8a |
| SHA256 | 20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7 |
| SHA512 | 4d99243d079668e08342dc015e8f0749b452fd0ae4a1f7b7d047a1b499289ca6044691641db661f90978082e8262e43bcb6230f9e87e0f7f770d568d9b381009 |
memory/2044-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
| MD5 | 269de662c8b796f35e614a1aa807d769 |
| SHA1 | 43f32f0e0d952dba0bc2cb3c0657291f0930ec8a |
| SHA256 | 20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7 |
| SHA512 | 4d99243d079668e08342dc015e8f0749b452fd0ae4a1f7b7d047a1b499289ca6044691641db661f90978082e8262e43bcb6230f9e87e0f7f770d568d9b381009 |
memory/904-62-0x0000000074230000-0x00000000747DB000-memory.dmp
memory/2044-63-0x0000000074230000-0x00000000747DB000-memory.dmp
memory/2044-64-0x0000000074230000-0x00000000747DB000-memory.dmp
memory/2044-65-0x0000000074230000-0x00000000747DB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-12 11:51
Reported
2022-06-12 16:51
Platform
win10v2004-20220414-en
Max time kernel
154s
Max time network
170s
Command Line
Signatures
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | icanhazip.com | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe
"C:\Users\Admin\AppData\Local\Temp\20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 8.238.24.126:80 | | tcp |
| NL | 8.238.24.126:80 | | tcp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| IE | 52.109.76.31:443 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| US | 104.18.115.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
Files
memory/2824-130-0x0000000074C10000-0x00000000751C1000-memory.dmp
memory/2824-131-0x0000000074C10000-0x00000000751C1000-memory.dmp
memory/2824-132-0x0000000074C10000-0x00000000751C1000-memory.dmp