Overview

overview

10

Static

static

10

992149ca22...a5.exe

windows7-x64

10

992149ca22...a5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/01/2024, 05:44

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    992149ca2244ebd9ec96f01f29c73acce0dc5af609734077aea5978b5ce203a5.exe

  • Size

    2.1MB

  • MD5

    8cae61eff562d9b28d521900692bf516

  • SHA1

    a38dd36172e145186b776bea4f5f2773504c68b0

  • SHA256

    992149ca2244ebd9ec96f01f29c73acce0dc5af609734077aea5978b5ce203a5

  • SHA512

    ff21a35638aaef98cf95e776d67a89cdf8ce98fd17f5f5ad52ed89ffa1b022f2e928061efb1543cbb112f750f6002ef62e08a68b7d047d19959acb06ffbc8565

  • SSDEEP

    49152:amer6a3OsA3P+SJfWDzG5nEm6oPTOSi2z7BGsW:aHP3OP32SJODqKi6/IBGl

Score
10/10
jigsawpersistenceransomwarespywarestealer

Malware Config

Signatures

  • Jigsaw Ransomware

    Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

    ransomwarejigsaw
  • Detects executables manipulated with Fody 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\992149ca2244ebd9ec96f01f29c73acce0dc5af609734077aea5978b5ce203a5.exe
    "C:\Users\Admin\AppData\Local\Temp\992149ca2244ebd9ec96f01f29c73acce0dc5af609734077aea5978b5ce203a5.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4364
    • C:\Users\Admin\AppData\Local\OfficeUpdate\MicrosoftWordUpdate.exe
      "C:\Users\Admin\AppData\Local\OfficeUpdate\MicrosoftWordUpdate.exe" C:\Users\Admin\AppData\Local\Temp\992149ca2244ebd9ec96f01f29c73acce0dc5af609734077aea5978b5ce203a5.exe
      2⤵
      • Executes dropped EXE
      PID:400

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\OfficeUpdate\MicrosoftWordUpdate.exe
    Filesize

    121KB

    MD5

    4124a18b5eda907516d8fa21ed94481f

    SHA1

    9fe0eac4b26a9295976a7f188c642b3f6459a511

    SHA256

    db71ea9832065dd1989e0d81612fb084bdd002c6dfa160eaa47b86c1581c1e3e

    SHA512

    a12c7b8ae07cfa8c11d2232a8f499739ee454aa959b72c4e9c0e7e058eb915e7014c572f61cac2b1a4f630f35c1ff3064041896a55a57be48a2de6591ec6a02b

    Download Submit

  • C:\Users\Admin\AppData\Local\OfficeUpdate\MicrosoftWordUpdate.exe
    Filesize

    230KB

    MD5

    658041ef865f65de1f91faa7e79e1fbb

    SHA1

    b0d989fd4c06414cfb371120aff926957f831a8e

    SHA256

    5cc1068b8bc2a532442d9a956dc424a7512c301f6c3cda1208795b4666c008b0

    SHA512

    7777208a57da263c803ee9fcb3f8ba9b56595e445d5e01063c8a36d6596bfb96f7c39474a4e0439dbb9087927723b61ffaa68298ec6f8e918bccab3e78aebaf0

    Download Submit

  • C:\Users\Admin\AppData\Local\OfficeUpdate\MicrosoftWordUpdate.exe
    Filesize

    238KB

    MD5

    cccb0180ddca03dd6ea722a976c9f7e2

    SHA1

    5ea461fef50663ae97449d63f40558ae073c2a65

    SHA256

    cdd974988336d9ca5e3c97638d480b5cda5bec6be061b98f56862dff2422baa7

    SHA512

    84582180a0fa67d48a3b6d684f5108e3641435387fca83378c2e3bf2456966c022b22c4fa06fa8651e8a361be9a9b59a8c29b0d6e8261e3f7c88419c49c20c8b

    Download Submit

  • memory/400-25-0x00007FFA4A8A0000-0x00007FFA4B241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/400-22-0x0000000001580000-0x0000000001588000-memory.dmp

    Filesize

    32KB

    Download

  • memory/400-33-0x00000000017E0000-0x00000000017F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/400-32-0x00000000017E0000-0x00000000017F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/400-31-0x00000000017E0000-0x00000000017F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/400-18-0x00007FFA4A8A0000-0x00007FFA4B241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/400-20-0x00000000017E0000-0x00000000017F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/400-27-0x00000000017E0000-0x00000000017F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/400-21-0x00007FFA4A8A0000-0x00007FFA4B241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/400-28-0x00000000017E0000-0x00000000017F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/400-23-0x00000000017E0000-0x00000000017F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/400-24-0x00007FFA4A8A0000-0x00007FFA4B241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/400-26-0x00000000017E0000-0x00000000017F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4364-0-0x00007FFA4A8A0000-0x00007FFA4B241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4364-4-0x00007FFA4A8A0000-0x00007FFA4B241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4364-19-0x00007FFA4A8A0000-0x00007FFA4B241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4364-2-0x000000001BE20000-0x000000001C2EE000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/4364-1-0x00000000014B0000-0x00000000014C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4364-3-0x000000001C2F0000-0x000000001C38C000-memory.dmp

    Filesize

    624KB

    Download