jigsaw | 3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

Resubmissions

09-10-2023 22:48

231009-2rgt8sah98 10

28-12-2022 03:31

221228-d285gacd4w 10

Analysis

max time kernel
157s
max time network
160s
platform
windows10-1703_x64
resource
win10-20220812-es
resource tags

arch:x64arch:x86image:win10-20220812-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
28-12-2022 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jigsaw.exe
Size

283KB
MD5

2773e3dc59472296cb0024ba7715a64e
SHA1

27d99fbca067f478bb91cdbcb92f13a828b00859
SHA256

3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
SHA512

6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262
SSDEEP

6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX

Score

10^/10

jigsaw persistence ransomware

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw

Executes dropped EXE 1 IoCs

pid	Process
2628	drpbx.exe

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\DisconnectGroup.tif.fun	drpbx.exe
File created	C:\Users\Admin\Pictures\MountApprove.png.fun	drpbx.exe
File created	C:\Users\Admin\Pictures\PublishDebug.tif.fun	drpbx.exe
File created	C:\Users\Admin\Pictures\ReceiveRename.png.fun	drpbx.exe
File created	C:\Users\Admin\Pictures\SuspendInitialize.png.fun	drpbx.exe
File created	C:\Users\Admin\Pictures\UseUnlock.tif.fun	drpbx.exe
File created	C:\Users\Admin\Pictures\WriteUnblock.png.fun	drpbx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	jigsaw.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\StopwatchWideTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-400.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-40.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-36_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-32_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\freecell_icon.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupSmallTile.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-60_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailSmallTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-100_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.tree.dat	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-30_altform-unplated_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.surprise.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNotePageMedTile.scale-150.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsMedTile.scale-100.png	drpbx.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\ext\nashorn.jar.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\BuildInfo.xml	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\proof.fr-fr.msi.16.fr-fr.vreg.dat	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ads_win10_300x250.scale-100.jpg	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupMedTile.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-180.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleWideTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLogoExtensions.targetsize-16.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-16_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-96_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-72_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2017.131.1904.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8576_40x40x32.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\LargeLogo.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GameEnd\gameEnd_preview_image.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.surprise.small.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-48.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ExchangeMediumTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-96_altform-unplated_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-16_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\charsets.jar	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo1.targetsize-36.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorSplashScreen.contrast-black_scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6365_20x20x32.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-150.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarSmallTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\SplashScreen.scale-150.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-140.png.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionMedTile.scale-400.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OneConnectMedTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-100_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-200_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-200.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.fun	drpbx.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSplash.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-400.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-64_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionWideTile.scale-150.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_contrast-black.png	drpbx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2410608096"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2410608096"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31005301"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0d35590751ad901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31005301"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BAE43283-8668-11ED-A7A4-7A2224409366} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00ed4990751ad901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000007c7a5b8559fa146ab86351721535fbf0000000002000000000010660000000100002000000027e6792797a12f610499bcdd44b0289feaf34e6dacea1fcf305a107ea0189d5c000000000e80000000020000200000007bc59e4928436ecebea98a1d5eef035bcd942a429acda9eb7512e9c1c9317142200000002d701d81c5e74d508f5b1ec325d8545869e82d4631ab85bc37f0d2f800a8bc66400000008017cab57c2df3bfb214a1b38183f6e7f425487dea270a90c1fc364ab8421db1ef7f80b1007d7a9b6bae626b202c45f10d8be096ca03d4223c21894177dfb27c	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000007c7a5b8559fa146ab86351721535fbf0000000002000000000010660000000100002000000045115ff2c151809ba8e2a3a115530086e7bdb1da013d185af107fef17c5bbad3000000000e8000000002000020000000ae16aa325e091729d80a78a84741cb6555f3646fe07ee5509077ac68dacb34862000000075ddd58563718d0fcd44de53b2e8d12795b4a433c8e2092d5d241e21e9a370a640000000b5f1e46fbf908958e74bc98d65f26b48ab39811282500276b5f585d1466c2b0da700c913453c0cef3d1efd639613c10f447d866c484864541483c2565f99cc81	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4812	firefox.exe
Token: SeDebugPrivilege	4812	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4692	iexplore.exe
4812	firefox.exe
4812	firefox.exe
4812	firefox.exe
4812	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4812	firefox.exe
4812	firefox.exe
4812	firefox.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4692	iexplore.exe
4692	iexplore.exe
3812	IEXPLORE.EXE
3812	IEXPLORE.EXE
4812	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 2628	2576	jigsaw.exe	66
PID 2576 wrote to memory of 2628	2576	jigsaw.exe	66
PID 4692 wrote to memory of 3812	4692	iexplore.exe	73
PID 4692 wrote to memory of 3812	4692	iexplore.exe	73
PID 4692 wrote to memory of 3812	4692	iexplore.exe	73
PID 4760 wrote to memory of 4812	4760	firefox.exe	75
PID 4760 wrote to memory of 4812	4760	firefox.exe	75
PID 4760 wrote to memory of 4812	4760	firefox.exe	75
PID 4760 wrote to memory of 4812	4760	firefox.exe	75
PID 4760 wrote to memory of 4812	4760	firefox.exe	75
PID 4760 wrote to memory of 4812	4760	firefox.exe	75
PID 4760 wrote to memory of 4812	4760	firefox.exe	75
PID 4760 wrote to memory of 4812	4760	firefox.exe	75
PID 4760 wrote to memory of 4812	4760	firefox.exe	75
PID 4812 wrote to memory of 4124	4812	firefox.exe	77
PID 4812 wrote to memory of 4124	4812	firefox.exe	77
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 3300	4812	firefox.exe	78
PID 4812 wrote to memory of 1832	4812	firefox.exe	79
PID 4812 wrote to memory of 1832	4812	firefox.exe	79
PID 4812 wrote to memory of 1832	4812	firefox.exe	79
PID 4812 wrote to memory of 1832	4812	firefox.exe	79
PID 4812 wrote to memory of 1832	4812	firefox.exe	79

C:\Users\Admin\AppData\Local\Temp\jigsaw.exe
"C:\Users\Admin\AppData\Local\Temp\jigsaw.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
  "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\jigsaw.exe
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Drops file in Program Files directory
  PID:2628

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1068

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\WatchUpdate.xsl
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3812

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.0.2089460018\992659708" -parentBuildID 20200403170909 -prefsHandle 1356 -prefMapHandle 1348 -prefsLen 1 -prefMapSize 220115 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 1604 gpu
    3⤵
    PID:4124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.3.1391828529\852641145" -childID 1 -isForBrowser -prefsHandle 3212 -prefMapHandle 3208 -prefsLen 156 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 3112 tab
    3⤵
    PID:3300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4812.13.1877407806\402470490" -childID 2 -isForBrowser -prefsHandle 3800 -prefMapHandle 3796 -prefsLen 6938 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4812 "\\.\pipe\gecko-crash-server-pipe.4812" 3808 tab
    3⤵
    PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
283KB

MD5
2773e3dc59472296cb0024ba7715a64e

SHA1
27d99fbca067f478bb91cdbcb92f13a828b00859

SHA256
3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

SHA512
6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
283KB

MD5
2773e3dc59472296cb0024ba7715a64e

SHA1
27d99fbca067f478bb91cdbcb92f13a828b00859

SHA256
3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

SHA512
6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

Download Submit
memory/2576-118-0x00007FF940290000-0x00007FF940CC3000-memory.dmp

Filesize
10.2MB

Download
memory/2628-122-0x00007FF940290000-0x00007FF940CC3000-memory.dmp

Filesize
10.2MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads