Overview

overview

10

Static

static

3

e1c7d34fc0...51.exe

windows7-x64

10

e1c7d34fc0...51.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    30-01-2024 05:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e1c7d34fc0138d018f9e947af3dac7ec4d0fe9751dd1bc4424b185a92ca4bc51.exe

  • Size

    606KB

  • MD5

    4e890ba5a4f6fd63727c0005daa654dd

  • SHA1

    e9ade30c93942c3f5928522552dd01eb25a9e9db

  • SHA256

    e1c7d34fc0138d018f9e947af3dac7ec4d0fe9751dd1bc4424b185a92ca4bc51

  • SHA512

    177badec70b21ed1b94a8a235535249c94b72e21fc62bae1e8c32e44b9495006687a2ef7545256ddaa2c167d870515de45e9aea524e3081135fa901532af6477

  • SSDEEP

    12288:x4XLj1zY8ejQ8BLXYTiMXrX0IHPfuTjaDt01zWY+EOinLAAf:GXFzYVMLz0sDD2+y8A

Score
10/10
jigsawpersistenceransomwarespywarestealer

Malware Config

Signatures

  • Jigsaw Ransomware

    Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

    ransomwarejigsaw
  • Renames multiple (1994) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e1c7d34fc0138d018f9e947af3dac7ec4d0fe9751dd1bc4424b185a92ca4bc51.exe
    "C:\Users\Admin\AppData\Local\Temp\e1c7d34fc0138d018f9e947af3dac7ec4d0fe9751dd1bc4424b185a92ca4bc51.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\e1c7d34fc0138d018f9e947af3dac7ec4d0fe9751dd1bc4424b185a92ca4bc51.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:3012

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.math
    Filesize

    160B

    MD5

    000e8c41d4a15fb34d0be0dbb56e3778

    SHA1

    00c4eae64ee6239d7c65d819c6ce1ac329224f8c

    SHA256

    8bdfa6a5b7de345cf0d4fe0e9c17d8b0e9db26d58b05b1b2ebbb3a05a068ff28

    SHA512

    775d832eb8ab73e4a93789917dca69edb6c91fbb426e02acf7c6e213ffb4575776187209d1c471fbf57c4621ea3c23d9850f6dfc2770d62c17de9d66710800af

    Download Submit

  • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
    Filesize

    606KB

    MD5

    4e890ba5a4f6fd63727c0005daa654dd

    SHA1

    e9ade30c93942c3f5928522552dd01eb25a9e9db

    SHA256

    e1c7d34fc0138d018f9e947af3dac7ec4d0fe9751dd1bc4424b185a92ca4bc51

    SHA512

    177badec70b21ed1b94a8a235535249c94b72e21fc62bae1e8c32e44b9495006687a2ef7545256ddaa2c167d870515de45e9aea524e3081135fa901532af6477

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\container.dat.math
    Filesize

    16B

    MD5

    cfdae8214d34112dbee6587664059558

    SHA1

    f649f45d08c46572a9a50476478ddaef7e964353

    SHA256

    33088cb514406f31e3d96a92c03294121ee9f24e176f7062625c2b36bee7a325

    SHA512

    c260f2c223ecbf233051ac1d6a1548ad188a2777085e9d43b02da41b291ff258e4c506f99636150847aa24918c7bbb703652fef2fe55b3f50f85b5bd8dd5f6e3

    Download Submit

  • memory/2896-7-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2896-6-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3012-9-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3012-10-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3012-231-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3012-230-0x0000000002120000-0x00000000021A0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3012-369-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3012-8-0x0000000002120000-0x00000000021A0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3012-2015-0x0000000002120000-0x00000000021A0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3012-2018-0x0000000002120000-0x00000000021A0000-memory.dmp

    Filesize

    512KB

    Download