Overview

overview

10

Static

static

3efc575b6c...67.exe

windows10-2004-x64

10

Resubmissions

09-10-2023 22:48

231009-2rg51aah99 10

29-01-2023 17:35

230129-v55pwsha8v 10

30-11-2022 18:03

221130-wm9rkafc81 10

Analysis

  • max time kernel
    389s
  • max time network
    388s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 17:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3efc575b6cfd36e57a7b244a860160a35e76c0945bdad1bd79294a1816887467.exe

  • Size

    2.4MB

  • MD5

    c2c5848ec8ae11e84d42521c527f75ca

  • SHA1

    d8d98dff64297d4cf8a227a2c138efc4774942b2

  • SHA256

    3efc575b6cfd36e57a7b244a860160a35e76c0945bdad1bd79294a1816887467

  • SHA512

    10e3f210c2d98c090ce3a65be2ff70279c07c1bf3dcb06a48dbfaa34ab6471ed0e8f2a35fbf5bd0c9b61b1c55493c5042daa32556b4b28e22c28e8d80c5d0846

  • SSDEEP

    49152:3rKiRwG7r2ie/XMK+kLg7SdqnCvIUdJi0l2Css5qq2nY4/gX1aNnUm5vL:3RXK+b7ScCvFPx3Kr48UmN

Score
10/10
jigsawpersistenceransomware

Malware Config

Signatures

  • Jigsaw Ransomware

    Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

    ransomwarejigsaw
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 40 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3efc575b6cfd36e57a7b244a860160a35e76c0945bdad1bd79294a1816887467.exe
    "C:\Users\Admin\AppData\Local\Temp\3efc575b6cfd36e57a7b244a860160a35e76c0945bdad1bd79294a1816887467.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4536
    • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\3efc575b6cfd36e57a7b244a860160a35e76c0945bdad1bd79294a1816887467.exe
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:3876
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4148
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:400

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      Filesize

      2.4MB

      MD5

      c2c5848ec8ae11e84d42521c527f75ca

      SHA1

      d8d98dff64297d4cf8a227a2c138efc4774942b2

      SHA256

      3efc575b6cfd36e57a7b244a860160a35e76c0945bdad1bd79294a1816887467

      SHA512

      10e3f210c2d98c090ce3a65be2ff70279c07c1bf3dcb06a48dbfaa34ab6471ed0e8f2a35fbf5bd0c9b61b1c55493c5042daa32556b4b28e22c28e8d80c5d0846

      Download Submit
    • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      Filesize

      2.4MB

      MD5

      c2c5848ec8ae11e84d42521c527f75ca

      SHA1

      d8d98dff64297d4cf8a227a2c138efc4774942b2

      SHA256

      3efc575b6cfd36e57a7b244a860160a35e76c0945bdad1bd79294a1816887467

      SHA512

      10e3f210c2d98c090ce3a65be2ff70279c07c1bf3dcb06a48dbfaa34ab6471ed0e8f2a35fbf5bd0c9b61b1c55493c5042daa32556b4b28e22c28e8d80c5d0846

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
      Filesize

      2.4MB

      MD5

      c2c5848ec8ae11e84d42521c527f75ca

      SHA1

      d8d98dff64297d4cf8a227a2c138efc4774942b2

      SHA256

      3efc575b6cfd36e57a7b244a860160a35e76c0945bdad1bd79294a1816887467

      SHA512

      10e3f210c2d98c090ce3a65be2ff70279c07c1bf3dcb06a48dbfaa34ab6471ed0e8f2a35fbf5bd0c9b61b1c55493c5042daa32556b4b28e22c28e8d80c5d0846

      Download Submit
    • memory/3876-141-0x0000000000880000-0x0000000000882000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3876-143-0x00000000FEBC0000-0x00000000FEF91000-memory.dmp
      Filesize

      3.8MB

      Download
    • memory/3876-148-0x0000000074AC0000-0x0000000075071000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3876-147-0x0000000000880000-0x000000000123C000-memory.dmp
      Filesize

      9.7MB

      Download
    • memory/3876-136-0x0000000000000000-mapping.dmp
      Download
    • memory/3876-145-0x0000000074AC0000-0x0000000075071000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3876-144-0x0000000000880000-0x000000000123C000-memory.dmp
      Filesize

      9.7MB

      Download
    • memory/4536-139-0x0000000000EC0000-0x000000000187C000-memory.dmp
      Filesize

      9.7MB

      Download
    • memory/4536-140-0x00000000FEDE0000-0x00000000FF1B1000-memory.dmp
      Filesize

      3.8MB

      Download
    • memory/4536-142-0x0000000074AC0000-0x0000000075071000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4536-132-0x0000000000EC0000-0x000000000187C000-memory.dmp
      Filesize

      9.7MB

      Download
    • memory/4536-133-0x00000000FEDE0000-0x00000000FF1B1000-memory.dmp
      Filesize

      3.8MB

      Download
    • memory/4536-134-0x0000000000EC0000-0x0000000000EC2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4536-135-0x0000000074AC0000-0x0000000075071000-memory.dmp
      Filesize

      5.7MB

      Download