Analysis
- max time kernel: 90s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-01-2024 05:44
Static task: static1
Behavioral task: behavioral1
  Sample: 9004e4161cc50ac62f76988aefe4504df4fd636d12708630e825e0c7b74cd12d.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 9004e4161cc50ac62f76988aefe4504df4fd636d12708630e825e0c7b74cd12d.exe
  Resource: win10v2004-20231215-en
General
- Target: 9004e4161cc50ac62f76988aefe4504df4fd636d12708630e825e0c7b74cd12d.exe
- Size: 2.0MB
- MD5: 22f2d4f9682ddadacf4fd6ead172e125
- SHA1: e9e6775d034c8c86218b95fe5de1455609aa5dc1
- SHA256: 9004e4161cc50ac62f76988aefe4504df4fd636d12708630e825e0c7b74cd12d
- SHA512: f821d6d89807a698e67eef75943d4e590be924bce3a1fbdaa7507641bce222c014e721f96a8a1083dff3c7d9e4445f62420949f5e0b3b9a97e2721415161ba7b
- SSDEEP: 49152:Ye0jbW6GNjiSZTKAzkltDhTCcVX8saTtWycoJkqXfd+/9AH9783FGpv8EAQkcZ:YANuSZTKA0t9FFPEVJkqXf0Fi80kEXkc
Malware Config
Signatures
- Jigsaw Ransomware
  Ransomware family first created in 2016, named after the wallpaper it set after infection in its early versions.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation (process: 9004e4161cc50ac62f76988aefe4504df4fd636d12708630e825e0c7b74cd12d.exe)
- Executes dropped EXE (1 IoC)
  PID 5028: drpbx.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" (process: 9004e4161cc50ac62f76988aefe4504df4fd636d12708630e825e0c7b74cd12d.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (2 IoCs)
  PID 1840 (9004e4161cc50ac62f76988aefe4504df4fd636d12708630e825e0c7b74cd12d.exe) wrote to memory of PID 5028 (target procid 84)
  PID 1840 (9004e4161cc50ac62f76988aefe4504df4fd636d12708630e825e0c7b74cd12d.exe) wrote to memory of PID 5028 (target procid 84)
Processes
- C:\Users\Admin\AppData\Local\Temp\9004e4161cc50ac62f76988aefe4504df4fd636d12708630e825e0c7b74cd12d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9004e4161cc50ac62f76988aefe4504df4fd636d12708630e825e0c7b74cd12d.exe"
  PID: 1840
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\9004e4161cc50ac62f76988aefe4504df4fd636d12708630e825e0c7b74cd12d.exe
    PID: 5028
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 57KB
  MD5: aa99186615856b6ef5fa3a7d0057a59a
  SHA1: e13d7116ba2015278ea774408f2481a1ca1cf048
  SHA256: 43d1f759ec091005b8620466ef164809180a536f89578baccd9f1a46cb5e956a
  SHA512: 6adb7b7b1061d0543a6f113b863bd506f2c62a6886ae42f605ef7b44e23b04c5930b6f8bbe17943eed3701a6f2b771f35e00bc267f4069d06ef884c6dfd61246
- Filesize: 229KB
  MD5: a8e04aa4f22dab4f29114a03ab87ef3f
  SHA1: 517b6bc44dc176ab1980903a98c8b9f4ca8ddfd5
  SHA256: 253ee28b94fcb244ea8716978884425adb87997510df4ee5edb29ab0d2cc2a16
  SHA512: 5b3e412ab1434defdbbfb5ee90702b115ab10b65c51d52781e048fe8f72e71409bdf6a6f2c5c8b9a3aa5bd2401aa984015e60b310494f68b7b2d7f006a9013a1
- Filesize: 602KB
  MD5: 8c259d64a166727f092f0956b8e91e76
  SHA1: b0deb99e43da9c1e861c62af399aa137901a5d0d
  SHA256: e7558984fdca906b98d5e022eba734e403d2b0555d8722f7880469f60440cf44
  SHA512: e086e3f95dbdc95223bbf03df4b806b9abae3e711a90aa6587c6e13a3f865279cf179abbcd163565b751b6e39ea7681b3885c2758d8800ec80a5c8cb8e3daa11