Analysis
-
max time kernel
133s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
30-01-2024 05:43
Static task
static1
Behavioral task
behavioral1
Sample
20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe
Resource
win10v2004-20231215-en
General
-
Target
20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe
-
Size
65KB
-
MD5
269de662c8b796f35e614a1aa807d769
-
SHA1
43f32f0e0d952dba0bc2cb3c0657291f0930ec8a
-
SHA256
20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7
-
SHA512
4d99243d079668e08342dc015e8f0749b452fd0ae4a1f7b7d047a1b499289ca6044691641db661f90978082e8262e43bcb6230f9e87e0f7f770d568d9b381009
-
SSDEEP
1536:CjNlIZUY1sIzYi7D10Py7kCZnA37TuPAn:JZUYxYID6DUnArTuC
Malware Config
Signatures
-
Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation 20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe -
Executes dropped EXE 1 IoCs
pid Process 4576 drpbx.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" 20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 icanhazip.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4864 20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe Token: SeDebugPrivilege 4576 drpbx.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4864 wrote to memory of 4576 4864 20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe 31 PID 4864 wrote to memory of 4576 4864 20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe 31 PID 4864 wrote to memory of 4576 4864 20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe"C:\Users\Admin\AppData\Local\Temp\20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\20a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4576
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD5269de662c8b796f35e614a1aa807d769
SHA143f32f0e0d952dba0bc2cb3c0657291f0930ec8a
SHA25620a637cd6394c41636133b24d78d52a0e091c8012cee9dbf6c4060656f6c7cb7
SHA5124d99243d079668e08342dc015e8f0749b452fd0ae4a1f7b7d047a1b499289ca6044691641db661f90978082e8262e43bcb6230f9e87e0f7f770d568d9b381009