jigsaw | 0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca

Analysis

max time kernel
180s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
14-07-2022 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca.msi
Size

1.1MB
MD5

a362de111d5dff6bcdeaf4717af268b6
SHA1

2e5104db35871c5bc7da2035d8b91398bb5d5e0e
SHA256

0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca
SHA512

b48a18158a0dff9a9012952c467fcf69b8bfc53ceeacaf32a90fc4b7f3afd34465e676b282fa87f3c5c85b4780baf96cc754dcdeef77ba5330fa8c4fd1d20b72

Score

10^/10

jigsaw persistence ransomware

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw

Executes dropped EXE 2 IoCs

pid	Process
2364	Wire_Transfer.docx.exe
1140	drpbx.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Wire_Transfer.docx.exe

Loads dropped DLL 1 IoCs

pid	Process
4980	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	Wire_Transfer.docx.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e591d13.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File created	C:\Windows\Installer\e591d13.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6CC1D7E5-F55B-405E-8E29-8BF624B41193}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2040.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000066bbc37791d732ea0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000066bbc3770000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090066bbc377000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000066bbc37700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000066bbc37700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3764	msiexec.exe
3764	msiexec.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2180	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2180	msiexec.exe
Token: SeSecurityPrivilege	3764	msiexec.exe
Token: SeCreateTokenPrivilege	2180	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2180	msiexec.exe
Token: SeLockMemoryPrivilege	2180	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2180	msiexec.exe
Token: SeMachineAccountPrivilege	2180	msiexec.exe
Token: SeTcbPrivilege	2180	msiexec.exe
Token: SeSecurityPrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeLoadDriverPrivilege	2180	msiexec.exe
Token: SeSystemProfilePrivilege	2180	msiexec.exe
Token: SeSystemtimePrivilege	2180	msiexec.exe
Token: SeProfSingleProcessPrivilege	2180	msiexec.exe
Token: SeIncBasePriorityPrivilege	2180	msiexec.exe
Token: SeCreatePagefilePrivilege	2180	msiexec.exe
Token: SeCreatePermanentPrivilege	2180	msiexec.exe
Token: SeBackupPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeShutdownPrivilege	2180	msiexec.exe
Token: SeDebugPrivilege	2180	msiexec.exe
Token: SeAuditPrivilege	2180	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2180	msiexec.exe
Token: SeChangeNotifyPrivilege	2180	msiexec.exe
Token: SeRemoteShutdownPrivilege	2180	msiexec.exe
Token: SeUndockPrivilege	2180	msiexec.exe
Token: SeSyncAgentPrivilege	2180	msiexec.exe
Token: SeEnableDelegationPrivilege	2180	msiexec.exe
Token: SeManageVolumePrivilege	2180	msiexec.exe
Token: SeImpersonatePrivilege	2180	msiexec.exe
Token: SeCreateGlobalPrivilege	2180	msiexec.exe
Token: SeBackupPrivilege	3624	vssvc.exe
Token: SeRestorePrivilege	3624	vssvc.exe
Token: SeAuditPrivilege	3624	vssvc.exe
Token: SeBackupPrivilege	3764	msiexec.exe
Token: SeRestorePrivilege	3764	msiexec.exe
Token: SeRestorePrivilege	3764	msiexec.exe
Token: SeTakeOwnershipPrivilege	3764	msiexec.exe
Token: SeRestorePrivilege	3764	msiexec.exe
Token: SeTakeOwnershipPrivilege	3764	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2180	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 1992	3764	msiexec.exe	86
PID 3764 wrote to memory of 1992	3764	msiexec.exe	86
PID 3764 wrote to memory of 4980	3764	msiexec.exe	90
PID 3764 wrote to memory of 4980	3764	msiexec.exe	90
PID 3764 wrote to memory of 4980	3764	msiexec.exe	90
PID 4980 wrote to memory of 3432	4980	MsiExec.exe	92
PID 4980 wrote to memory of 3432	4980	MsiExec.exe	92
PID 4980 wrote to memory of 3432	4980	MsiExec.exe	92
PID 4980 wrote to memory of 2364	4980	MsiExec.exe	95
PID 4980 wrote to memory of 2364	4980	MsiExec.exe	95
PID 2364 wrote to memory of 1140	2364	Wire_Transfer.docx.exe	96
PID 2364 wrote to memory of 1140	2364	Wire_Transfer.docx.exe	96

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2180

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1992
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 60BAEA74A927A322B4F930873B4FCF65
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\SysWOW64\expand.exe
    "C:\Windows\System32\expand.exe" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:3432
- - C:\Users\Admin\AppData\Local\Temp\MW-709360a9-b56c-4f56-89cd-fe51ce3859eb\files\Wire_Transfer.docx.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-709360a9-b56c-4f56-89cd-fe51ce3859eb\files\Wire_Transfer.docx.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\MW-709360a9-b56c-4f56-89cd-fe51ce3859eb\files\Wire_Transfer.docx.exe
      4⤵
      Executes dropped EXE
      PID:1140

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
282KB

MD5
fba7f5f58a53322d0b85cc588cfaacd1

SHA1
da2617cb96dd02a075565de6a704551fd7995dab

SHA256
1fccbea75b44bae2ba147cf63facbbcf1cc440af4de9bde9a6d8d2f32bde420a

SHA512
c9a4cb9076aeccff2cd1409dcdd8046ffa524ce768459443c2d69f21ef9c3fc899e2db19bed0377852e8e626436a80d9f192258e7e320fd3e252c0073eb762db

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
282KB

MD5
fba7f5f58a53322d0b85cc588cfaacd1

SHA1
da2617cb96dd02a075565de6a704551fd7995dab

SHA256
1fccbea75b44bae2ba147cf63facbbcf1cc440af4de9bde9a6d8d2f32bde420a

SHA512
c9a4cb9076aeccff2cd1409dcdd8046ffa524ce768459443c2d69f21ef9c3fc899e2db19bed0377852e8e626436a80d9f192258e7e320fd3e252c0073eb762db

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-709360a9-b56c-4f56-89cd-fe51ce3859eb\files.cab

Filesize
282KB

MD5
807718ec27e1cdf76ea45291e0b73dcb

SHA1
43fd298dff26c7cc2180d5b198ef23e0c37d578e

SHA256
1001621d1b1d3cbba8d28644b24d7c4ff165c13ab2850661b3ed863efb6d1759

SHA512
a01444e070e6cbcf6b0aeb00c54469ea2dcf36e841c9179bb8a8d4c316000ebab6cef72cfe21467cf283bbed8372ce4787f60296c985ab831c49e3d18646da43

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-709360a9-b56c-4f56-89cd-fe51ce3859eb\files\Wire_Transfer.docx.exe

Filesize
282KB

MD5
fba7f5f58a53322d0b85cc588cfaacd1

SHA1
da2617cb96dd02a075565de6a704551fd7995dab

SHA256
1fccbea75b44bae2ba147cf63facbbcf1cc440af4de9bde9a6d8d2f32bde420a

SHA512
c9a4cb9076aeccff2cd1409dcdd8046ffa524ce768459443c2d69f21ef9c3fc899e2db19bed0377852e8e626436a80d9f192258e7e320fd3e252c0073eb762db

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-709360a9-b56c-4f56-89cd-fe51ce3859eb\files\Wire_Transfer.docx.exe

Filesize
282KB

MD5
fba7f5f58a53322d0b85cc588cfaacd1

SHA1
da2617cb96dd02a075565de6a704551fd7995dab

SHA256
1fccbea75b44bae2ba147cf63facbbcf1cc440af4de9bde9a6d8d2f32bde420a

SHA512
c9a4cb9076aeccff2cd1409dcdd8046ffa524ce768459443c2d69f21ef9c3fc899e2db19bed0377852e8e626436a80d9f192258e7e320fd3e252c0073eb762db

Download Submit
C:\Windows\Installer\MSI2040.tmp

Filesize
601KB

MD5
ffe70d3419a64f4be1982d5cdf1155f4

SHA1
c62e03d533925c871cb9caac853a1d3a33f60f34

SHA256
8b590d235166ed734e376bcbb27491be8d5592682919e961ccac59b2aa19e909

SHA512
5b2fd2c6cd1a8087be74a2b7ac04fce728a83c413bb041541314c534978d825818b250f3e1b81b3eeb4835800c6d66d40e7d7fd56fb582bc92c10566cee83675

Download Submit
C:\Windows\Installer\MSI2040.tmp

Filesize
601KB

MD5
ffe70d3419a64f4be1982d5cdf1155f4

SHA1
c62e03d533925c871cb9caac853a1d3a33f60f34

SHA256
8b590d235166ed734e376bcbb27491be8d5592682919e961ccac59b2aa19e909

SHA512
5b2fd2c6cd1a8087be74a2b7ac04fce728a83c413bb041541314c534978d825818b250f3e1b81b3eeb4835800c6d66d40e7d7fd56fb582bc92c10566cee83675

Download Submit
memory/1140-144-0x00007FFC5EF40000-0x00007FFC5F976000-memory.dmp

Filesize
10.2MB

Download
memory/2364-140-0x00007FFC5EF40000-0x00007FFC5F976000-memory.dmp

Filesize
10.2MB

Download
memory/4980-134-0x0000000074D40000-0x0000000074E15000-memory.dmp

Filesize
852KB

Download