Resubmissions

17-12-2023 09:25

231217-ld4tvafee8 10

17-12-2023 09:25

231217-ldtc4sfee7 10

17-12-2023 03:55

231217-eg3bvsdgbm 10

Analysis

  • max time kernel
    127s
  • max time network
    131s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    17-12-2023 09:25

General

  • Target

    jigsaw.exe

  • Size

    283KB

  • MD5

    2773e3dc59472296cb0024ba7715a64e

  • SHA1

    27d99fbca067f478bb91cdbcb92f13a828b00859

  • SHA256

    3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

  • SHA512

    6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

  • SSDEEP

    6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX

Malware Config

Signatures

  • Jigsaw Ransomware

    Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\jigsaw.exe
    "C:\Users\Admin\AppData\Local\Temp\jigsaw.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3612
    • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\jigsaw.exe
      2⤵
      • Executes dropped EXE
      PID:4396

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

    Filesize

    128KB

    MD5

    944df883734460748224ee85ca87b91e

    SHA1

    9daac3bd92354c3fbea3e15fa46d08fbda4213f6

    SHA256

    6e4402df53a35149f772e9876e194618ba9d51445ef18d7ed924c198b0eddf01

    SHA512

    620806e6d040952a23fa8bb97d3e8cff4a76764ec327255ad5142323f6aa8225f9d2fa6707ae8e243cc45856cdd2cc5556dc1054a6e6bdd71da381938bf1775e

  • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

    Filesize

    58KB

    MD5

    e73d9dc6aae4ac0f7ec5b1c491e9067d

    SHA1

    0556eb532d0ca507c52a9da6399185ac386be4a3

    SHA256

    c40ea2569f9df9115603bd4458e5f74ad61376b8f553c613692b1361d85bcc7c

    SHA512

    9722f6650b35560738731831532fc088ff7b11dad4ee8c12b60842c6118a6c5fe5117fabb142a195583348d04f125223aaa4b228564004b9ecaed3c78a303b69

  • memory/3612-3-0x0000000001750000-0x0000000001788000-memory.dmp

    Filesize

    224KB

  • memory/3612-0-0x00007FF86BE30000-0x00007FF86C7D0000-memory.dmp

    Filesize

    9.6MB

  • memory/3612-4-0x000000001C400000-0x000000001C8CE000-memory.dmp

    Filesize

    4.8MB

  • memory/3612-5-0x000000001BE10000-0x000000001BEAC000-memory.dmp

    Filesize

    624KB

  • memory/3612-2-0x00007FF86BE30000-0x00007FF86C7D0000-memory.dmp

    Filesize

    9.6MB

  • memory/3612-1-0x00000000030E0000-0x00000000030F0000-memory.dmp

    Filesize

    64KB

  • memory/3612-14-0x00007FF86BE30000-0x00007FF86C7D0000-memory.dmp

    Filesize

    9.6MB

  • memory/4396-15-0x00000000021D0000-0x00000000021E0000-memory.dmp

    Filesize

    64KB

  • memory/4396-13-0x00007FF86BE30000-0x00007FF86C7D0000-memory.dmp

    Filesize

    9.6MB

  • memory/4396-16-0x00007FF86BE30000-0x00007FF86C7D0000-memory.dmp

    Filesize

    9.6MB

  • memory/4396-17-0x00007FF86BE30000-0x00007FF86C7D0000-memory.dmp

    Filesize

    9.6MB

  • memory/4396-18-0x00000000021D0000-0x00000000021E0000-memory.dmp

    Filesize

    64KB