jigsaw | 45d9183b36802bfb861d0b7383c60b5cb0298760d013c97aa8838bca8002b1d7

Analysis

max time kernel
146s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20240319-en
resource tags

arch:x64arch:x86image:win11-20240319-enlocale:en-usos:windows11-21h2-x64system
submitted
22-03-2024 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JigsawRansomware.exe
Size

1.1MB
MD5

6b7f99749cae07e2ad083b6591837c9d
SHA1

d90e2aaf9bdc0b4185b1f68f6a53df5f2380eeee
SHA256

45d9183b36802bfb861d0b7383c60b5cb0298760d013c97aa8838bca8002b1d7
SHA512

6b3bfd17a6413671f9cbadfb1bb9dc999fc90af6b791670baf6c7f68feb417aed27bb358a70e1cd4b730bdd11a6e1e6a70ad87c3f92a8cd7bd89b66e7854da8d
SSDEEP

24576:jmTQcPTAcySiDNpfVkqgfPyU8/oa8reuaDQkqjVnlqud+/2P+A:e70nS4pfVkqgy6r3askqXfd+/9A

Score

10^/10

jigsaw persistence ransomware spyware stealer

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Renames multiple (1488) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
1660	drpbx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	JigsawRansomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-144x144-precomposed.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-96.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PaintAppList.targetsize-60_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\Assets\contrast-black\CameraMedTile.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxBadge.scale-150.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_altform-lightunplated_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreMedTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_x64__8wekyb3d8bbwe\Assets\Icons\StickyNotesAppList.targetsize-96.png	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.fun	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\GetHelpAppList.targetsize-40_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorAppList.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-30_altform-unplated_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\GetHelpLargeTile.scale-125_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateSquare150x150Logo.scale-180.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Paint_10.2104.17.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PaintAppList.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\base_uris.js	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_21.21030.25003.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosStoreLogo.contrast-black_scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Dark.scale-150.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-20_altform-lightunplated.png	drpbx.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-63.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintWideTile.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-60_altform-lightunplated_contrast-black.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\vreg\osm.x-none.msi.16.x-none.vreg.dat.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLogoExtensions.targetsize-128.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-150.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-white\NotepadWideTile.scale-150.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-30_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\plugins.js	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7.wmv.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Logo.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubSmallTile.scale-125.png	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-400.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\sunjce_provider.jar	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\NewsSmallTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarMediumTile.scale-150.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-20_altform-lightunplated_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageWideTile.scale-100_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-100_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-black\FeedbackHubAppList.targetsize-48.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_altform-unplated_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-48_altform-lightunplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-80.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-100.png.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\NotepadStoreLogo.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\contrast-white\MicrosoftSolitaireLargeTile.scale-125_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-black\PowerAutomateSquare70x70Logo.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_altform-unplated_contrast-white.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\CortanaApp.ViewElements\Assets\Settings-Black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\FetchingMail.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailFirstRunLogo.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-96.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSmallTile.scale-100_contrast-white.png	drpbx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2488	taskmgr.exe
Token: SeSystemProfilePrivilege	2488	taskmgr.exe
Token: SeCreateGlobalPrivilege	2488	taskmgr.exe
Token: 33	2488	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2488	taskmgr.exe
Token: SeDebugPrivilege	3248	taskmgr.exe
Token: SeSystemProfilePrivilege	3248	taskmgr.exe
Token: SeCreateGlobalPrivilege	3248	taskmgr.exe
Token: 33	3248	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3248	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe
3248	taskmgr.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 364 wrote to memory of 1660	364	JigsawRansomware.exe	81
PID 364 wrote to memory of 1660	364	JigsawRansomware.exe	81

C:\Users\Admin\AppData\Local\Temp\JigsawRansomware.exe
"C:\Users\Admin\AppData\Local\Temp\JigsawRansomware.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:364
- C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
  "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\JigsawRansomware.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1660

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2488

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.fun

Filesize
32KB

MD5
aec7bd7c96948d97d13c7df53988e89c

SHA1
7b906b88009e7509324ae92dc8a32ae4fb38626c

SHA256
15fcb7c77cf60f287e9c81ec8053a9cdd1aa8bc0413734e8a1499a9de635c6d0

SHA512
27d12f825c16d1d5349f53a23d57f71eb8d4534a1ae4af2c4eead9cda09a4440dadc518a8887a3ea818494cb6319fc82ab8147cdb85958e9b344400b7d6b2803

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.fun

Filesize
160B

MD5
000e8c41d4a15fb34d0be0dbb56e3778

SHA1
00c4eae64ee6239d7c65d819c6ce1ac329224f8c

SHA256
8bdfa6a5b7de345cf0d4fe0e9c17d8b0e9db26d58b05b1b2ebbb3a05a068ff28

SHA512
775d832eb8ab73e4a93789917dca69edb6c91fbb426e02acf7c6e213ffb4575776187209d1c471fbf57c4621ea3c23d9850f6dfc2770d62c17de9d66710800af

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
9e466b4837d8431be725d6b9c1b4d9ef

SHA1
3f247b7c89985a41d839cad351cd0fc182fcb284

SHA256
2f9a5eeb5ac8cec52a3e73621e4d392f501f5d657dfec3215ccd40eec317208d

SHA512
01de0fda555d63b5c38339b0f6d38c28de2a882643439679e63cf5d75f13516b57dc90e8dfb8c638bda328fc12342e58d1e501acec8f85b92dbd5589dac06418

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
960B

MD5
16846df493521e84fe47cd6b6451ec8f

SHA1
6d99eb017c5aec08d3a7e908bbd4a051ce250c02

SHA256
69f19f2ab2f3625faca623477864766ab1ef3a21712bc892d7b2b0886585b3f9

SHA512
aefa5121601b8273cff6b79b7f76417c71e29e835b66faf3e1a67d0d38fb9ebe90320b75493fd5c4a2d9ea3e3c485d0a84bcdbfb78c26a8ecee3175cd8bd93cd

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
1.1MB

MD5
6b7f99749cae07e2ad083b6591837c9d

SHA1
d90e2aaf9bdc0b4185b1f68f6a53df5f2380eeee

SHA256
45d9183b36802bfb861d0b7383c60b5cb0298760d013c97aa8838bca8002b1d7

SHA512
6b3bfd17a6413671f9cbadfb1bb9dc999fc90af6b791670baf6c7f68feb417aed27bb358a70e1cd4b730bdd11a6e1e6a70ad87c3f92a8cd7bd89b66e7854da8d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.fun

Filesize
8KB

MD5
420960c4b17842a24bbf117222c60e47

SHA1
4e2f5bc3a3fe7da4ea60dfaae851b1b88e48751d

SHA256
e94c37d7dc8dd954bfee8e340abc882bc361baf0d3771ed442ed625a3bcb0174

SHA512
b42f16f6fca9b66d49a2ad7c80e56c51e04d023a4ae50e984dbd267e204682ecbb929fefb5c7ee67775597773b08b6bd39416f13b87f1782cf8c5d553ecd7ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1710883547.txt.fun

Filesize
16B

MD5
cfdae8214d34112dbee6587664059558

SHA1
f649f45d08c46572a9a50476478ddaef7e964353

SHA256
33088cb514406f31e3d96a92c03294121ee9f24e176f7062625c2b36bee7a325

SHA512
c260f2c223ecbf233051ac1d6a1548ad188a2777085e9d43b02da41b291ff258e4c506f99636150847aa24918c7bbb703652fef2fe55b3f50f85b5bd8dd5f6e3

Download Submit
memory/364-1-0x00007FFD0C110000-0x00007FFD0CBD2000-memory.dmp

Filesize
10.8MB

Download
memory/364-0-0x00000223EAF30000-0x00000223EB04E000-memory.dmp

Filesize
1.1MB

Download
memory/364-16-0x00007FFD0C110000-0x00007FFD0CBD2000-memory.dmp

Filesize
10.8MB

Download
memory/1660-15-0x00007FFD0C110000-0x00007FFD0CBD2000-memory.dmp

Filesize
10.8MB

Download
memory/1660-252-0x000001E438E00000-0x000001E438E10000-memory.dmp

Filesize
64KB

Download
memory/1660-251-0x00007FFD0C110000-0x00007FFD0CBD2000-memory.dmp

Filesize
10.8MB

Download
memory/1660-17-0x000001E438E00000-0x000001E438E10000-memory.dmp

Filesize
64KB

Download
memory/2488-820-0x0000025713140000-0x0000025713141000-memory.dmp

Filesize
4KB

Download
memory/2488-814-0x0000025713140000-0x0000025713141000-memory.dmp

Filesize
4KB

Download
memory/2488-823-0x0000025713140000-0x0000025713141000-memory.dmp

Filesize
4KB

Download
memory/2488-824-0x0000025713140000-0x0000025713141000-memory.dmp

Filesize
4KB

Download
memory/2488-821-0x0000025713140000-0x0000025713141000-memory.dmp

Filesize
4KB

Download
memory/2488-819-0x0000025713140000-0x0000025713141000-memory.dmp

Filesize
4KB

Download
memory/2488-818-0x0000025713140000-0x0000025713141000-memory.dmp

Filesize
4KB

Download
memory/2488-812-0x0000025713140000-0x0000025713141000-memory.dmp

Filesize
4KB

Download
memory/2488-813-0x0000025713140000-0x0000025713141000-memory.dmp

Filesize
4KB

Download
memory/2488-822-0x0000025713140000-0x0000025713141000-memory.dmp

Filesize
4KB

Download
memory/3248-1525-0x000001A303420000-0x000001A303421000-memory.dmp

Filesize
4KB

Download
memory/3248-1523-0x000001A303420000-0x000001A303421000-memory.dmp

Filesize
4KB

Download
memory/3248-1524-0x000001A303420000-0x000001A303421000-memory.dmp

Filesize
4KB

Download
memory/3248-1530-0x000001A303420000-0x000001A303421000-memory.dmp

Filesize
4KB

Download
memory/3248-1531-0x000001A303420000-0x000001A303421000-memory.dmp

Filesize
4KB

Download
memory/3248-1532-0x000001A303420000-0x000001A303421000-memory.dmp

Filesize
4KB

Download
memory/3248-1533-0x000001A303420000-0x000001A303421000-memory.dmp

Filesize
4KB

Download
memory/3248-1534-0x000001A303420000-0x000001A303421000-memory.dmp

Filesize
4KB

Download
memory/3248-1535-0x000001A303420000-0x000001A303421000-memory.dmp

Filesize
4KB

Download