Analysis
max time kernel: 432s
max time network: 482s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-05-2024 16:54
Static task: static1
Behavioral task: behavioral1
Sample: jigsaw.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: jigsaw.exe
Resource: win10v2004-20240419-en
General
Target: jigsaw.exe
Size: 283KB
MD5: 2773e3dc59472296cb0024ba7715a64e
SHA1: 27d99fbca067f478bb91cdbcb92f13a828b00859
SHA256: 3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
SHA512: 6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262
SSDEEP: 6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX
Malware Config
Signatures
Jigsaw Ransomware
Ransomware family first seen in 2016. Named after the wallpaper it set after infection in the early versions.

Renames multiple (2018) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Executes dropped EXE 1 IoCs
pid 2532, process drpbx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 1 IoCs
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" (process: jigsaw.exe)

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow 50: camo.githubusercontent.com
flow 137: camo.githubusercontent.com
flow 44: camo.githubusercontent.com
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: chrome.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: chrome.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: chrome.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid 2436, process taskmgr.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid 2436, process taskmgr.exe
Suspicious use of AdjustPrivilegeToken 21 IoCs
Token: SeDebugPrivilege, pid 2436, process taskmgr.exe
Token: SeShutdownPrivilege, pid 1624, process chrome.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid 2532, process drpbx.exe
pid 2436, process taskmgr.exe
Suspicious use of SendNotifyMessage 64 IoCs
pid 2436, process taskmgr.exe
Suspicious use of WriteProcessMemory 64 IoCs
PID 2848 (jigsaw.exe) wrote to memory of PID 2532, procid_target 28
PID 1624 (chrome.exe) wrote to memory of PID 2204, procid_target 34
PID 1624 (chrome.exe) wrote to memory of PID 1144, procid_target 36
PID 1624 (chrome.exe) wrote to memory of PID 600, procid_target 37
PID 1624 (chrome.exe) wrote to memory of PID 268, procid_target 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\jigsaw.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\jigsaw.exe"
PID: 2848 (depth 1)
- Adds Run key to start application
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
  Command line: "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\jigsaw.exe
  PID: 2532 (depth 2, child of jigsaw.exe PID 2848)
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /4
PID: 2436 (depth 1)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
PID: 1624 (depth 1)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
PID: 356 (depth 1)
Network
MITRE ATT&CK Enterprise v15
Downloads