Analysis
-
max time kernel
121s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
09-10-2023 22:49
Static task
static1
Behavioral task
behavioral1
Sample
Compito matematica.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
Compito matematica.exe
Resource
win10v2004-20230915-en
General
-
Target
Compito matematica.exe
-
Size
606KB
-
MD5
4e890ba5a4f6fd63727c0005daa654dd
-
SHA1
e9ade30c93942c3f5928522552dd01eb25a9e9db
-
SHA256
e1c7d34fc0138d018f9e947af3dac7ec4d0fe9751dd1bc4424b185a92ca4bc51
-
SHA512
177badec70b21ed1b94a8a235535249c94b72e21fc62bae1e8c32e44b9495006687a2ef7545256ddaa2c167d870515de45e9aea524e3081135fa901532af6477
-
SSDEEP
12288:x4XLj1zY8ejQ8BLXYTiMXrX0IHPfuTjaDt01zWY+EOinLAAf:GXFzYVMLz0sDD2+y8A
Malware Config
Signatures
-
Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
-
Executes dropped EXE 1 IoCs
pid Process 3008 drpbx.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" Compito matematica.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_ja.jar.math drpbx.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar.math drpbx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Foundry.xml drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Adjacency.xml.math drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierUpArrow.jpg.math drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml drpbx.exe File opened for modification C:\Program Files\VideoLAN\VLC\COPYING.txt drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24Images.jpg.math drpbx.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\settings.js drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt.math drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_ja.jar drpbx.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-tools.xml drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImageMask.bmp.math drpbx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp drpbx.exe File created C:\Program Files\7-Zip\Lang\lv.txt.math drpbx.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.registry_1.1.300.v20130402-1529.jar drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png.math drpbx.exe File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt drpbx.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_rest.png drpbx.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_right.png drpbx.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full_partly-cloudy.png drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar.math drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-api-caching.jar.math drpbx.exe File created C:\Program Files\7-Zip\Lang\el.txt.math drpbx.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\9.png drpbx.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_right.png drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar.math drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosecolor.gif.math drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar drpbx.exe File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\utilityfunctions.js.math drpbx.exe File opened for modification C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_48.png drpbx.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\5.png drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar.math drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-execution.jar.math drpbx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp drpbx.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util-lookup.jar drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif.math drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.ja_5.5.0.165303.jar.math drpbx.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\timeZones.js drpbx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Median.xml drpbx.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\gadget.xml drpbx.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_few-showers.png drpbx.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.contexts_1.3.100.v20140407-1019.jar.math drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository_2.3.0.v20131211-1531.jar.math drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml.math drpbx.exe File opened for modification C:\Program Files\7-Zip\Lang\ar.txt drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h drpbx.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\gadget.xml drpbx.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\settings.js drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml.math drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_ja.jar drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_ja.jar drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar.math drpbx.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1572 wrote to memory of 3008 1572 Compito matematica.exe 28 PID 1572 wrote to memory of 3008 1572 Compito matematica.exe 28 PID 1572 wrote to memory of 3008 1572 Compito matematica.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\Compito matematica.exe"C:\Users\Admin\AppData\Local\Temp\Compito matematica.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\Compito?matematica.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3008
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
160B
MD5000e8c41d4a15fb34d0be0dbb56e3778
SHA100c4eae64ee6239d7c65d819c6ce1ac329224f8c
SHA2568bdfa6a5b7de345cf0d4fe0e9c17d8b0e9db26d58b05b1b2ebbb3a05a068ff28
SHA512775d832eb8ab73e4a93789917dca69edb6c91fbb426e02acf7c6e213ffb4575776187209d1c471fbf57c4621ea3c23d9850f6dfc2770d62c17de9d66710800af
-
Filesize
606KB
MD54e890ba5a4f6fd63727c0005daa654dd
SHA1e9ade30c93942c3f5928522552dd01eb25a9e9db
SHA256e1c7d34fc0138d018f9e947af3dac7ec4d0fe9751dd1bc4424b185a92ca4bc51
SHA512177badec70b21ed1b94a8a235535249c94b72e21fc62bae1e8c32e44b9495006687a2ef7545256ddaa2c167d870515de45e9aea524e3081135fa901532af6477
-
Filesize
606KB
MD54e890ba5a4f6fd63727c0005daa654dd
SHA1e9ade30c93942c3f5928522552dd01eb25a9e9db
SHA256e1c7d34fc0138d018f9e947af3dac7ec4d0fe9751dd1bc4424b185a92ca4bc51
SHA512177badec70b21ed1b94a8a235535249c94b72e21fc62bae1e8c32e44b9495006687a2ef7545256ddaa2c167d870515de45e9aea524e3081135fa901532af6477
-
Filesize
16B
MD5cfdae8214d34112dbee6587664059558
SHA1f649f45d08c46572a9a50476478ddaef7e964353
SHA25633088cb514406f31e3d96a92c03294121ee9f24e176f7062625c2b36bee7a325
SHA512c260f2c223ecbf233051ac1d6a1548ad188a2777085e9d43b02da41b291ff258e4c506f99636150847aa24918c7bbb703652fef2fe55b3f50f85b5bd8dd5f6e3