Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-01-2024 05:43

General

  • Target

    0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811.exe

  • Size

    291KB

  • MD5

    5a5c745bf3e97fe2be01880132662f28

  • SHA1

    924af25d379fc88319bc55958db898dbf5054309

  • SHA256

    0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811

  • SHA512

    151e4a07e19350d677e049c57c971b64924150eec007e665843cb6142ec73fc06ae4145c64164d3f7f25a376a7536ac6d9b3c85180503549a0c86f09cc0ded10

  • SSDEEP

    6144:mdSK04ETTZ+4TBpvjLC4Ho/C1rCyPucrFqBFTbL39rqHRs8:moL4EnU4T/vjLTHtrCWurTpruF

Malware Config

Signatures

  • Jigsaw Ransomware

    Ransomware family first seen in 2016, named after the wallpaper that early versions set after infection.

  • Renames multiple (2140) files with added filename extension

    This suggests ransomware activity: the sample is encrypting the files on the system and appending an extension to each one.

  • Executes dropped EXE (1 IoCs)
  • Loads dropped DLL (1 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811.exe (level 1, PID:356)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811.exe"
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe (level 2, child of PID 356, PID:1252)
      Command line: "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811.exe
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.zemblax
    Filesize: 160B
    MD5: 03186ca0229630a6928fa98ef4c3391b
    SHA1: 8deed189ee4ae64db770d5755f9c199c8213eaa9
    SHA256: f171defc92b8fda921aae4bd1696d3252effc17dff52b567e19559ab29f287bc
    SHA512: 5a712127004b6506fbe562f2eb402e8a40844cb4a6edeb010c833bf552be784cf4ce560cd0235367823d7f77c38e80b83e2f3cafb6e1d613944a9b38c8f886ab

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.zemblax
    Filesize: 12KB
    MD5: 3e91afea42e65b6ef2434693f1307f99
    SHA1: 2e529680a82d0847d10a8e6290c92b161d57f98e
    SHA256: 65cfafbad3fb6c3eb46b39eb7e1ec5437d1a2c85f9b063db04efa6f05ec3a822
    SHA512: 059405e8602f8fdc572f4dc00b9757d913b1a6de5989d33dcea1116534cad6c85e581e25337f23a87bcb6b81281d74a3e1a29dbf8bde9dd1174a6a63d3524607

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.zemblax
    Filesize: 8KB
    MD5: cf75643ba7d46ff26bdf871bddd23f9f
    SHA1: 0d21764fbe1ecbfd73ba7d150ff7be9a9fd9a9e3
    SHA256: 37ce802664c0715ea1b528b0bd16fe0e3bcbc008e115a1e257be102ad255bbc7
    SHA512: 8b44dbf2028e0b3d51addf87eeeba15abf57660aaeb5259b4a97adb06b83c4a41012f84cc28b3f4072228016c75fd1b31e4e5964f869c13e2bf5ab6ad3ec3f7a

  • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
    Filesize: 88KB
    MD5: cee3c438100216fb620cde04a1e1cc9d
    SHA1: e291f698314f51c29393b60616096254c6d2ad5f
    SHA256: ac891f888ef3267bbb2e56aae4603d747fe3d1e30e2c1f04a45d250d0e66083a
    SHA512: 46b8b65c492326f1601c9e824d849f44dd44123418ebec76e5b78824f30128aa8aaf1567b9505e97ee9c98ae1d36d2e2a5ab3df71af1eba43331848f26156766

  • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
    Filesize: 41KB
    MD5: 72a7db2a42482520368667b9cf70f63f
    SHA1: 3bb9855887059cb908a59f4ba2746fefd7be1e7a
    SHA256: a41fb30fb15f48ab6f057a728bac5478166fd9886ed5625feee98e34208ab185
    SHA512: b4a48f150da90aed367d003c0ec626c4502fae845bf2ad28e2376996a18b67b7d355890615dfbbf85808d931f20b1bb392f33d8e6db53193331d08ddd3bf0361

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\container.dat.zemblax
    Filesize: 16B
    MD5: 826ba14567ed55f5b8379572f2f4c18f
    SHA1: 058d2dd1512aff32324c5c82f56ee6bb3db11fdb
    SHA256: 485e5116cf106b073e5a4277b6f73ebbc97546aef23bccae4ddd5cfd7ca9ca16
    SHA512: 9256d414e06142134d260206fd763fdcd0002e66a2ece26ed295a1c5f761659b545bb7c81fefa1d0a72478e3dd71343dd653e65bdf66954c4991e3ee0bb57911

  • \Users\Admin\AppData\Local\Drpbx\drpbx.exe
    Filesize: 115KB
    MD5: f9ccfb53bdc125ad4f45ef73d025449d
    SHA1: 33fdb7593b84b580752d8298a5e1a143a1d20af0
    SHA256: 23b508143d06098c3930b148b5270b5cddd52ba4ce3cc9f718ef2a7b0ec1cc95
    SHA512: 93247f2d72fc4976af7a81aba26bf46767a973e91143f375d24214d18732a065ae8dc8d328053693022610decff63dc2a91944c700dfc53f3ad099b415aa8fad
