jigsaw | 86a391fe7a237f4f17846c53d71e45820411d1a9a6e0c16f22a11ebc491ff9ff

Resubmissions

30-04-2023 11:53

230430-n2jjxsbd4w 10

30-04-2023 11:50

230430-nzsd2shf24 10

Analysis

max time kernel
148s
max time network
96s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30-04-2023 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jigsaw.exe
Size

283KB
MD5

2773e3dc59472296cb0024ba7715a64e
SHA1

27d99fbca067f478bb91cdbcb92f13a828b00859
SHA256

3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
SHA512

6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262
SSDEEP

6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX

Score

10^/10

jigsaw persistence ransomware spyware stealer

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\BlockSearch.tif.fun	drpbx.exe
File created	C:\Users\Admin\Pictures\ConfirmSend.raw.fun	drpbx.exe
File created	C:\Users\Admin\Pictures\MoveRepair.png.fun	drpbx.exe
File created	C:\Users\Admin\Pictures\SearchMount.tif.fun	drpbx.exe

Executes dropped EXE 1 IoCs

pid	Process
1324	drpbx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	jigsaw.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Metro.xml.fun	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png.fun	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\gadget.xml	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\clock.js	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\picturePuzzle.js	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar.fun	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml	drpbx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_right.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar.fun	drpbx.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\jquery.jstree.js.fun	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePageBlank.gif.fun	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core_0.10.100.v20140424-2042.jar.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\core.jar.fun	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar.fun	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.RuntimeUi.xml.fun	drpbx.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup-impl.jar	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImagesMask.bmp	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar.fun	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_ButtonGraphic.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\41.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\clock.js	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_mid.gif	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-execution_ja.jar	drpbx.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\eula.rtf	drpbx.exe
File created	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-settings.jar.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_h.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\settings.js	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\utilityfunctions.js	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_zh_CN.jar.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Resource.zip	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Foundry.xml.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-execution.jar.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_hyperlink.gif	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_zh_CN.jar	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_LightSpirit.gif.fun	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIcon.jpg.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_zh_4.4.0.v20140623020002.jar.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator_3.3.300.v20140518-1928.jar.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.svg_1.1.0.v201011041433.jar.fun	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialResume.dotx	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jsse.jar	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Default.dotx	drpbx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
908	chrome.exe
908	chrome.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1868	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	1868	taskmgr.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: 33	2228	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2228	AUDIODG.EXE
Token: 33	2228	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2228	AUDIODG.EXE
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
1868	taskmgr.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe
908	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 1324	1472	jigsaw.exe	28
PID 1472 wrote to memory of 1324	1472	jigsaw.exe	28
PID 1472 wrote to memory of 1324	1472	jigsaw.exe	28
PID 908 wrote to memory of 1284	908	chrome.exe	32
PID 908 wrote to memory of 1284	908	chrome.exe	32
PID 908 wrote to memory of 1284	908	chrome.exe	32
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1648	908	chrome.exe	34
PID 908 wrote to memory of 1532	908	chrome.exe	35
PID 908 wrote to memory of 1532	908	chrome.exe	35
PID 908 wrote to memory of 1532	908	chrome.exe	35
PID 908 wrote to memory of 1944	908	chrome.exe	36
PID 908 wrote to memory of 1944	908	chrome.exe	36
PID 908 wrote to memory of 1944	908	chrome.exe	36
PID 908 wrote to memory of 1944	908	chrome.exe	36
PID 908 wrote to memory of 1944	908	chrome.exe	36
PID 908 wrote to memory of 1944	908	chrome.exe	36
PID 908 wrote to memory of 1944	908	chrome.exe	36
PID 908 wrote to memory of 1944	908	chrome.exe	36
PID 908 wrote to memory of 1944	908	chrome.exe	36
PID 908 wrote to memory of 1944	908	chrome.exe	36
PID 908 wrote to memory of 1944	908	chrome.exe	36
PID 908 wrote to memory of 1944	908	chrome.exe	36
PID 908 wrote to memory of 1944	908	chrome.exe	36
PID 908 wrote to memory of 1944	908	chrome.exe	36
PID 908 wrote to memory of 1944	908	chrome.exe	36
PID 908 wrote to memory of 1944	908	chrome.exe	36

C:\Users\Admin\AppData\Local\Temp\jigsaw.exe
"C:\Users\Admin\AppData\Local\Temp\jigsaw.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
  "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\jigsaw.exe
  2⤵
  - Modifies extensions of user files
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1324

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6e89758,0x7fef6e89768,0x7fef6e89778
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1212,i,16904537886706982381,2762582135662300046,131072 /prefetch:2
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1440 --field-trial-handle=1212,i,16904537886706982381,2762582135662300046,131072 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1212,i,16904537886706982381,2762582135662300046,131072 /prefetch:8
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2224 --field-trial-handle=1212,i,16904537886706982381,2762582135662300046,131072 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2256 --field-trial-handle=1212,i,16904537886706982381,2762582135662300046,131072 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1396 --field-trial-handle=1212,i,16904537886706982381,2762582135662300046,131072 /prefetch:2
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1500 --field-trial-handle=1212,i,16904537886706982381,2762582135662300046,131072 /prefetch:8
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3760 --field-trial-handle=1212,i,16904537886706982381,2762582135662300046,131072 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3896 --field-trial-handle=1212,i,16904537886706982381,2762582135662300046,131072 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3996 --field-trial-handle=1212,i,16904537886706982381,2762582135662300046,131072 /prefetch:8
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4120 --field-trial-handle=1212,i,16904537886706982381,2762582135662300046,131072 /prefetch:8
  2⤵
  PID:2272

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1584

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2080

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x184
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.fun

Filesize
160B

MD5
580ee0344b7da2786da6a433a1e84893

SHA1
60f8c4dd5457e9834f5402cb326b1a2d3ca0ba7e

SHA256
98b6c2ddfefc628d03ceaef9d69688674a6bc32eb707f9ed86bc8c75675c4513

SHA512
356d2cdea3321e894b5b46ad1ea24c0e3c8be8e3c454b5bd300b7340cbb454e71fc89ca09ea0785b373b483e67c2f6f6bb408e489b0de4ff82d5ed69a75613ba

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
283KB

MD5
2773e3dc59472296cb0024ba7715a64e

SHA1
27d99fbca067f478bb91cdbcb92f13a828b00859

SHA256
3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

SHA512
6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
283KB

MD5
2773e3dc59472296cb0024ba7715a64e

SHA1
27d99fbca067f478bb91cdbcb92f13a828b00859

SHA256
3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

SHA512
6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
1b07b7753f3c944754b1790fd9694beb

SHA1
5c9036d395fc83e80f302e311b4f5e9c9ca0ea83

SHA256
b2f762c1c9be27df51ffa896115174ad0bddac04e5777e94a2fce03cf1c97c46

SHA512
b00e8158fc07f07db5e5e569e5a21b1bb269abac91f0bd25676d73b71e718978e1090d3263a12fe8a065e2f8ce9e74748c1165587a11640d9e0dc54fa540df44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
ca831fdcd02176c2a84cf8f68789b26b

SHA1
ba54314c22bb34745f51960b02d729a8b18192d0

SHA256
1efbd75190f7d51c3fa111dfa1c2bfe4c9da13624faf8c82792ce6cc63be5012

SHA512
4b4f35cb3dbfbc785813aab50c8a7ab98f81c57051f101d2a52ff2a42ff0b146412809317e71fbb8a7da294d88b553b56909ab16b71b2d8b933f3e130dd9033d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
148KB

MD5
cf2340befcbc2d92f2c801aa1ad2f49b

SHA1
d7a27b6cfc2cb0a369af72bdab46a7870fe5f816

SHA256
e8e7713f43a53bc8cb706bc39e24c4febc60e9e566cdbd36f77b8f2578c938d5

SHA512
32b5dc270a40bd33bbc1bef9a7e434f138b1e574dc5a4f9dd3330b425135da227ac08a42c63cf0d897c337fda9a872a9ece878bd7a76a460bcbb1b9d7d6dad47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\d1192d9b-24dc-409a-8422-86023211afe2.tmp

Filesize
148KB

MD5
6fcc7ccf8c76f0b5adf49316eef8cd7d

SHA1
1a1eaaa2d2ff39a540b9c84b5d0983997101e55d

SHA256
406ab0993adeb13a596aca8a64780b65a06a97e0be27eb8b671a769918088c28

SHA512
18fd25c474eae1bc6d12ec800a489a2b0e3389982d808d447e1a072f9bc899433953e02320298433456bce4e532bc150268d7910db90b9591509407e285901df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\container.dat.fun

Filesize
16B

MD5
8ebcc5ca5ac09a09376801ecdd6f3792

SHA1
81187142b138e0245d5d0bc511f7c46c30df3e14

SHA256
619e246fc0ac11320ff9e322a979948d949494b0c18217f4d794e1b398818880

SHA512
cec50bfc6ad2f57f16da99459f40f2d424c6d5691685fa1053284f46c8c8c8a975d7bcb1f3521c4f3fbdc310cf4714e29404aa23be6021e2e267c97b090dc650

Download Submit
memory/1324-63-0x0000000002090000-0x0000000002110000-memory.dmp

Filesize
512KB

Download
memory/1324-64-0x0000000002090000-0x0000000002110000-memory.dmp

Filesize
512KB

Download
memory/1324-62-0x00000000001B0000-0x0000000000200000-memory.dmp

Filesize
320KB

Download
memory/1324-2186-0x0000000002090000-0x0000000002110000-memory.dmp

Filesize
512KB

Download
memory/1324-2188-0x0000000002090000-0x0000000002110000-memory.dmp

Filesize
512KB

Download
memory/1472-54-0x0000000001130000-0x0000000001180000-memory.dmp

Filesize
320KB

Download
memory/1472-55-0x00000000003E0000-0x0000000000418000-memory.dmp

Filesize
224KB

Download
memory/1868-83-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1868-82-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download