jigsaw | 47145ecc729d25e288a6b7c512ec15c9dd07e36149578a882b38f772248d8174

Resubmissions

19-07-2024 15:23

240719-ssp3ka1dng 10

09-10-2023 22:48

231009-2rhrjagh71 10

29-01-2023 17:46

230129-wchv4afh63 10

14-07-2022 07:49

220714-jn2fcsdbgr 10

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2023 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Statement.pdf.msi
Size

1.1MB
MD5

a362de111d5dff6bcdeaf4717af268b6
SHA1

2e5104db35871c5bc7da2035d8b91398bb5d5e0e
SHA256

0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca
SHA512

b48a18158a0dff9a9012952c467fcf69b8bfc53ceeacaf32a90fc4b7f3afd34465e676b282fa87f3c5c85b4780baf96cc754dcdeef77ba5330fa8c4fd1d20b72
SSDEEP

12288:w6yilXxt+i9uJB5XladYq15U+F54Sy3JItYzpm+zF4KSlgNY/k09L4:byKtb9gXdqjF54/JuOplFB09

Score

10^/10

jigsaw persistence ransomware

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	Wire_Transfer.docx.exe

Executes dropped EXE 2 IoCs

pid	Process
4908	Wire_Transfer.docx.exe
3820	drpbx.exe

Loads dropped DLL 2 IoCs

pid	Process
2304	MsiExec.exe
1872	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	Wire_Transfer.docx.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.fun	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\vreg\word.x-none.msi.16.x-none.vreg.dat.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookPromoTile.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\AppxManifest.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-60.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-80_altform-lightunplated.png	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketchAppService\ReadMe.txt	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-64.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailLargeTile.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-48_altform-unplated_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-64_altform-colorize.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-36.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\offlineUtilities.js	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg2_thumb.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-64_altform-unplated.png	drpbx.exe
File created	C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME.txt.fun	drpbx.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageLargeTile.scale-150.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\LargeTile.scale-100_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\DemoModeInk.dat	drpbx.exe
File created	C:\Program Files\OptimizeWait.dwg.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\excel.x-none.msi.16.x-none.boot.tree.dat	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\Blank_PhotosSplashWideTile.png	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-100.HCBlack.png	drpbx.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.targetsize-16_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-256_altform-lightunplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-32_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1850_40x40x32.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml	drpbx.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Content.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\256x256.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-100_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-200_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square71x71Logo.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-16_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-72_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-64.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailMediumTile.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-20_altform-lightunplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\AppxManifest.xml	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\office32ww.msi.16.x-none.vreg.dat	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44LogoExtensions.targetsize-256.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-60_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\AppxManifest.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Content\SaturationGradient.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailSmallTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-32_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-36_altform-unplated.png	drpbx.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{6CC1D7E5-F55B-405E-8E29-8BF624B41193}	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e57c96a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57c96a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Installer\MSIE2FE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE37C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICA84.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000108cdb6a6ae911030000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000108cdb6a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900108cdb6a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d108cdb6a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000108cdb6a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3716	msiexec.exe
3716	msiexec.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeShutdownPrivilege	860	msiexec.exe
Token: SeIncreaseQuotaPrivilege	860	msiexec.exe
Token: SeSecurityPrivilege	3716	msiexec.exe
Token: SeCreateTokenPrivilege	860	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	860	msiexec.exe
Token: SeLockMemoryPrivilege	860	msiexec.exe
Token: SeIncreaseQuotaPrivilege	860	msiexec.exe
Token: SeMachineAccountPrivilege	860	msiexec.exe
Token: SeTcbPrivilege	860	msiexec.exe
Token: SeSecurityPrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeLoadDriverPrivilege	860	msiexec.exe
Token: SeSystemProfilePrivilege	860	msiexec.exe
Token: SeSystemtimePrivilege	860	msiexec.exe
Token: SeProfSingleProcessPrivilege	860	msiexec.exe
Token: SeIncBasePriorityPrivilege	860	msiexec.exe
Token: SeCreatePagefilePrivilege	860	msiexec.exe
Token: SeCreatePermanentPrivilege	860	msiexec.exe
Token: SeBackupPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeShutdownPrivilege	860	msiexec.exe
Token: SeDebugPrivilege	860	msiexec.exe
Token: SeAuditPrivilege	860	msiexec.exe
Token: SeSystemEnvironmentPrivilege	860	msiexec.exe
Token: SeChangeNotifyPrivilege	860	msiexec.exe
Token: SeRemoteShutdownPrivilege	860	msiexec.exe
Token: SeUndockPrivilege	860	msiexec.exe
Token: SeSyncAgentPrivilege	860	msiexec.exe
Token: SeEnableDelegationPrivilege	860	msiexec.exe
Token: SeManageVolumePrivilege	860	msiexec.exe
Token: SeImpersonatePrivilege	860	msiexec.exe
Token: SeCreateGlobalPrivilege	860	msiexec.exe
Token: SeBackupPrivilege	3376	vssvc.exe
Token: SeRestorePrivilege	3376	vssvc.exe
Token: SeAuditPrivilege	3376	vssvc.exe
Token: SeBackupPrivilege	3716	msiexec.exe
Token: SeRestorePrivilege	3716	msiexec.exe
Token: SeRestorePrivilege	3716	msiexec.exe
Token: SeTakeOwnershipPrivilege	3716	msiexec.exe
Token: SeRestorePrivilege	3716	msiexec.exe
Token: SeTakeOwnershipPrivilege	3716	msiexec.exe
Token: SeRestorePrivilege	3716	msiexec.exe
Token: SeTakeOwnershipPrivilege	3716	msiexec.exe
Token: SeRestorePrivilege	3716	msiexec.exe
Token: SeTakeOwnershipPrivilege	3716	msiexec.exe
Token: SeRestorePrivilege	3716	msiexec.exe
Token: SeTakeOwnershipPrivilege	3716	msiexec.exe
Token: SeRestorePrivilege	3716	msiexec.exe
Token: SeTakeOwnershipPrivilege	3716	msiexec.exe
Token: SeBackupPrivilege	2328	srtasks.exe
Token: SeRestorePrivilege	2328	srtasks.exe
Token: SeSecurityPrivilege	2328	srtasks.exe
Token: SeTakeOwnershipPrivilege	2328	srtasks.exe
Token: SeBackupPrivilege	2328	srtasks.exe
Token: SeRestorePrivilege	2328	srtasks.exe
Token: SeSecurityPrivilege	2328	srtasks.exe
Token: SeTakeOwnershipPrivilege	2328	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
860	msiexec.exe
860	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 2328	3716	msiexec.exe	100
PID 3716 wrote to memory of 2328	3716	msiexec.exe	100
PID 3716 wrote to memory of 2304	3716	msiexec.exe	102
PID 3716 wrote to memory of 2304	3716	msiexec.exe	102
PID 3716 wrote to memory of 2304	3716	msiexec.exe	102
PID 2304 wrote to memory of 1076	2304	MsiExec.exe	103
PID 2304 wrote to memory of 1076	2304	MsiExec.exe	103
PID 2304 wrote to memory of 1076	2304	MsiExec.exe	103
PID 2304 wrote to memory of 4908	2304	MsiExec.exe	106
PID 2304 wrote to memory of 4908	2304	MsiExec.exe	106
PID 4908 wrote to memory of 3820	4908	Wire_Transfer.docx.exe	107
PID 4908 wrote to memory of 3820	4908	Wire_Transfer.docx.exe	107
PID 3716 wrote to memory of 1872	3716	msiexec.exe	108
PID 3716 wrote to memory of 1872	3716	msiexec.exe	108
PID 3716 wrote to memory of 1872	3716	msiexec.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Statement.pdf.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:860

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F25AF0AEB8D7795F47E0864A820A0BF9
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\SysWOW64\expand.exe
    "C:\Windows\System32\expand.exe" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:1076
- - C:\Users\Admin\AppData\Local\Temp\MW-7ffd7692-19c1-4690-b0d6-fadbbd94996d\files\Wire_Transfer.docx.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-7ffd7692-19c1-4690-b0d6-fadbbd94996d\files\Wire_Transfer.docx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\MW-7ffd7692-19c1-4690-b0d6-fadbbd94996d\files\Wire_Transfer.docx.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:3820
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FDBC39F9E3D5322DD6348396B416D785 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:1872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
282KB

MD5
fba7f5f58a53322d0b85cc588cfaacd1

SHA1
da2617cb96dd02a075565de6a704551fd7995dab

SHA256
1fccbea75b44bae2ba147cf63facbbcf1cc440af4de9bde9a6d8d2f32bde420a

SHA512
c9a4cb9076aeccff2cd1409dcdd8046ffa524ce768459443c2d69f21ef9c3fc899e2db19bed0377852e8e626436a80d9f192258e7e320fd3e252c0073eb762db

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
282KB

MD5
fba7f5f58a53322d0b85cc588cfaacd1

SHA1
da2617cb96dd02a075565de6a704551fd7995dab

SHA256
1fccbea75b44bae2ba147cf63facbbcf1cc440af4de9bde9a6d8d2f32bde420a

SHA512
c9a4cb9076aeccff2cd1409dcdd8046ffa524ce768459443c2d69f21ef9c3fc899e2db19bed0377852e8e626436a80d9f192258e7e320fd3e252c0073eb762db

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
282KB

MD5
fba7f5f58a53322d0b85cc588cfaacd1

SHA1
da2617cb96dd02a075565de6a704551fd7995dab

SHA256
1fccbea75b44bae2ba147cf63facbbcf1cc440af4de9bde9a6d8d2f32bde420a

SHA512
c9a4cb9076aeccff2cd1409dcdd8046ffa524ce768459443c2d69f21ef9c3fc899e2db19bed0377852e8e626436a80d9f192258e7e320fd3e252c0073eb762db

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7ffd7692-19c1-4690-b0d6-fadbbd94996d\files.cab

Filesize
282KB

MD5
807718ec27e1cdf76ea45291e0b73dcb

SHA1
43fd298dff26c7cc2180d5b198ef23e0c37d578e

SHA256
1001621d1b1d3cbba8d28644b24d7c4ff165c13ab2850661b3ed863efb6d1759

SHA512
a01444e070e6cbcf6b0aeb00c54469ea2dcf36e841c9179bb8a8d4c316000ebab6cef72cfe21467cf283bbed8372ce4787f60296c985ab831c49e3d18646da43

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7ffd7692-19c1-4690-b0d6-fadbbd94996d\files\Wire_Transfer.docx.exe

Filesize
282KB

MD5
fba7f5f58a53322d0b85cc588cfaacd1

SHA1
da2617cb96dd02a075565de6a704551fd7995dab

SHA256
1fccbea75b44bae2ba147cf63facbbcf1cc440af4de9bde9a6d8d2f32bde420a

SHA512
c9a4cb9076aeccff2cd1409dcdd8046ffa524ce768459443c2d69f21ef9c3fc899e2db19bed0377852e8e626436a80d9f192258e7e320fd3e252c0073eb762db

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7ffd7692-19c1-4690-b0d6-fadbbd94996d\files\Wire_Transfer.docx.exe

Filesize
282KB

MD5
fba7f5f58a53322d0b85cc588cfaacd1

SHA1
da2617cb96dd02a075565de6a704551fd7995dab

SHA256
1fccbea75b44bae2ba147cf63facbbcf1cc440af4de9bde9a6d8d2f32bde420a

SHA512
c9a4cb9076aeccff2cd1409dcdd8046ffa524ce768459443c2d69f21ef9c3fc899e2db19bed0377852e8e626436a80d9f192258e7e320fd3e252c0073eb762db

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7ffd7692-19c1-4690-b0d6-fadbbd94996d\msiwrapper.ini

Filesize
513B

MD5
dba2da3de6afd85e4fede30e2ce89ee1

SHA1
cd7014993821659c8df31b16289aa56868d1958d

SHA256
05e945640267978857b146530761d56d548eead8489a55ccaaa2894aae7e7e57

SHA512
983251fe8d1a0f52bd77074617c56b94c53186d31abc83cfb449612e06a3c4a08fec4d55df487ba09a8677817da24c0abdc45113af8b4f7c820275ad6386b101

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7ffd7692-19c1-4690-b0d6-fadbbd94996d\msiwrapper.ini

Filesize
513B

MD5
dba2da3de6afd85e4fede30e2ce89ee1

SHA1
cd7014993821659c8df31b16289aa56868d1958d

SHA256
05e945640267978857b146530761d56d548eead8489a55ccaaa2894aae7e7e57

SHA512
983251fe8d1a0f52bd77074617c56b94c53186d31abc83cfb449612e06a3c4a08fec4d55df487ba09a8677817da24c0abdc45113af8b4f7c820275ad6386b101

Download Submit
C:\Windows\Installer\MSICA84.tmp

Filesize
601KB

MD5
ffe70d3419a64f4be1982d5cdf1155f4

SHA1
c62e03d533925c871cb9caac853a1d3a33f60f34

SHA256
8b590d235166ed734e376bcbb27491be8d5592682919e961ccac59b2aa19e909

SHA512
5b2fd2c6cd1a8087be74a2b7ac04fce728a83c413bb041541314c534978d825818b250f3e1b81b3eeb4835800c6d66d40e7d7fd56fb582bc92c10566cee83675

Download Submit
C:\Windows\Installer\MSICA84.tmp

Filesize
601KB

MD5
ffe70d3419a64f4be1982d5cdf1155f4

SHA1
c62e03d533925c871cb9caac853a1d3a33f60f34

SHA256
8b590d235166ed734e376bcbb27491be8d5592682919e961ccac59b2aa19e909

SHA512
5b2fd2c6cd1a8087be74a2b7ac04fce728a83c413bb041541314c534978d825818b250f3e1b81b3eeb4835800c6d66d40e7d7fd56fb582bc92c10566cee83675

Download Submit
C:\Windows\Installer\MSIE37C.tmp

Filesize
601KB

MD5
ffe70d3419a64f4be1982d5cdf1155f4

SHA1
c62e03d533925c871cb9caac853a1d3a33f60f34

SHA256
8b590d235166ed734e376bcbb27491be8d5592682919e961ccac59b2aa19e909

SHA512
5b2fd2c6cd1a8087be74a2b7ac04fce728a83c413bb041541314c534978d825818b250f3e1b81b3eeb4835800c6d66d40e7d7fd56fb582bc92c10566cee83675

Download Submit
C:\Windows\Installer\MSIE37C.tmp

Filesize
601KB

MD5
ffe70d3419a64f4be1982d5cdf1155f4

SHA1
c62e03d533925c871cb9caac853a1d3a33f60f34

SHA256
8b590d235166ed734e376bcbb27491be8d5592682919e961ccac59b2aa19e909

SHA512
5b2fd2c6cd1a8087be74a2b7ac04fce728a83c413bb041541314c534978d825818b250f3e1b81b3eeb4835800c6d66d40e7d7fd56fb582bc92c10566cee83675

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
12fa1b42c1106a35ccf530ce6c2f6204

SHA1
9a8a25b253497847c53a55e2aaee3484170dbfc9

SHA256
2498e811b027137531d60ef34fa011c21281b3b4c0695fda70f387557c04fcb7

SHA512
11d6ec11c57a81018acc452477b39be24bb904e5467686d1f479181ab0aa5b0079d25b2d6e219bd168fd4a5df4877c92ddb3831bc17881c6c942e60f2d4bfe9b

Download Submit
\??\Volume{6adb8c10-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{54652ee5-afa1-4d27-886a-480ae741af23}_OnDiskSnapshotProp

Filesize
6KB

MD5
00bd7b244a89ada17249aa5f29dbc2b6

SHA1
66e970ed87ef88e0a2e8533afa2f58ba4ae11a76

SHA256
ae18ce65d897a99f59c0cf5af25cf3869e6d3b0bd19b2afba01c221fc7095c54

SHA512
e776a504ca44b1cbb8d01ba6b4e382689bbbb736d72dfad91bcfc056f58d3d2ade302e4439c878114e65cabd2bc73920554e6e02d48ad80751e87ac9df0e2b3e

Download Submit
memory/1872-75-0x00000000749E0000-0x0000000074AB5000-memory.dmp

Filesize
852KB

Download
memory/2304-14-0x00000000749E0000-0x0000000074AB5000-memory.dmp

Filesize
852KB

Download
memory/3820-86-0x00000000015C0000-0x00000000015C8000-memory.dmp

Filesize
32KB

Download
memory/3820-68-0x00000000017C0000-0x00000000017D0000-memory.dmp

Filesize
64KB

Download
memory/3820-90-0x00000000017C0000-0x00000000017D0000-memory.dmp

Filesize
64KB

Download
memory/3820-69-0x00007FF8AC580000-0x00007FF8ACF21000-memory.dmp

Filesize
9.6MB

Download
memory/3820-89-0x00007FF8AC580000-0x00007FF8ACF21000-memory.dmp

Filesize
9.6MB

Download
memory/3820-66-0x00007FF8AC580000-0x00007FF8ACF21000-memory.dmp

Filesize
9.6MB

Download
memory/4908-49-0x0000000001000000-0x0000000001010000-memory.dmp

Filesize
64KB

Download
memory/4908-47-0x00007FF8AC580000-0x00007FF8ACF21000-memory.dmp

Filesize
9.6MB

Download
memory/4908-48-0x000000001B9F0000-0x000000001BEBE000-memory.dmp

Filesize
4.8MB

Download
memory/4908-50-0x00007FF8AC580000-0x00007FF8ACF21000-memory.dmp

Filesize
9.6MB

Download
memory/4908-51-0x000000001BEC0000-0x000000001BF5C000-memory.dmp

Filesize
624KB

Download
memory/4908-67-0x00007FF8AC580000-0x00007FF8ACF21000-memory.dmp

Filesize
9.6MB

Download