Analysis

  • max time kernel
    90s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-01-2024 05:44

General

  • Target

    9004e4161cc50ac62f76988aefe4504df4fd636d12708630e825e0c7b74cd12d.exe

  • Size

    2.0MB

  • MD5

    22f2d4f9682ddadacf4fd6ead172e125

  • SHA1

    e9e6775d034c8c86218b95fe5de1455609aa5dc1

  • SHA256

    9004e4161cc50ac62f76988aefe4504df4fd636d12708630e825e0c7b74cd12d

  • SHA512

    f821d6d89807a698e67eef75943d4e590be924bce3a1fbdaa7507641bce222c014e721f96a8a1083dff3c7d9e4445f62420949f5e0b3b9a97e2721415161ba7b

  • SSDEEP

    49152:Ye0jbW6GNjiSZTKAzkltDhTCcVX8saTtWycoJkqXfd+/9AH9783FGpv8EAQkcZ:YANuSZTKA0t9FFPEVJkqXf0Fi80kEXkc

Malware Config

Signatures

  • Jigsaw Ransomware

    Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9004e4161cc50ac62f76988aefe4504df4fd636d12708630e825e0c7b74cd12d.exe
    "C:\Users\Admin\AppData\Local\Temp\9004e4161cc50ac62f76988aefe4504df4fd636d12708630e825e0c7b74cd12d.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\9004e4161cc50ac62f76988aefe4504df4fd636d12708630e825e0c7b74cd12d.exe
      2⤵
      • Executes dropped EXE
      PID:5028

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

    Filesize

    57KB

    MD5

    aa99186615856b6ef5fa3a7d0057a59a

    SHA1

    e13d7116ba2015278ea774408f2481a1ca1cf048

    SHA256

    43d1f759ec091005b8620466ef164809180a536f89578baccd9f1a46cb5e956a

    SHA512

    6adb7b7b1061d0543a6f113b863bd506f2c62a6886ae42f605ef7b44e23b04c5930b6f8bbe17943eed3701a6f2b771f35e00bc267f4069d06ef884c6dfd61246

  • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

    Filesize

    229KB

    MD5

    a8e04aa4f22dab4f29114a03ab87ef3f

    SHA1

    517b6bc44dc176ab1980903a98c8b9f4ca8ddfd5

    SHA256

    253ee28b94fcb244ea8716978884425adb87997510df4ee5edb29ab0d2cc2a16

    SHA512

    5b3e412ab1434defdbbfb5ee90702b115ab10b65c51d52781e048fe8f72e71409bdf6a6f2c5c8b9a3aa5bd2401aa984015e60b310494f68b7b2d7f006a9013a1

  • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

    Filesize

    602KB

    MD5

    8c259d64a166727f092f0956b8e91e76

    SHA1

    b0deb99e43da9c1e861c62af399aa137901a5d0d

    SHA256

    e7558984fdca906b98d5e022eba734e403d2b0555d8722f7880469f60440cf44

    SHA512

    e086e3f95dbdc95223bbf03df4b806b9abae3e711a90aa6587c6e13a3f865279cf179abbcd163565b751b6e39ea7681b3885c2758d8800ec80a5c8cb8e3daa11

  • memory/1840-0-0x000001E0B20A0000-0x000001E0B22A2000-memory.dmp

    Filesize

    2.0MB

  • memory/1840-1-0x00007FFCB7800000-0x00007FFCB82C1000-memory.dmp

    Filesize

    10.8MB

  • memory/1840-16-0x00007FFCB7800000-0x00007FFCB82C1000-memory.dmp

    Filesize

    10.8MB

  • memory/5028-15-0x00007FFCB7800000-0x00007FFCB82C1000-memory.dmp

    Filesize

    10.8MB

  • memory/5028-18-0x00007FFCB7800000-0x00007FFCB82C1000-memory.dmp

    Filesize

    10.8MB