Overview

overview

10

Static

static

7

0da334a11c...60.exe

windows7-x64

8

1.0.exe

windows7-x64

5

1AB13RN57.exe

windows7-x64

8

2009007981...bs.exe

windows7-x64

7

302746537.exe

windows7-x64

7

319874ec78...c1.exe

windows7-x64

7

6eec624668...e4.exe

windows7-x64

7

74c002aafd...a2.exe

windows7-x64

1

7934625ee2...11.exe

windows7-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    dsf.rar

  • Size

    7.4MB

  • Sample

    240717-ptyjjs1crl

  • MD5

    daf1c51935b08cf375e26805395f1417

  • SHA1

    84917f8476cd6da665efae2ec826e9ee3e2274eb

  • SHA256

    13275c057816e8a845780f7efc56f71d9eb0d82872fe4f2999a875eed4a24dc1

  • SHA512

    0d4240fca2e5b4642a262c2778e63243b1a67cb24b2c4a0d415853f0041aa2dafc775bf54d08e8a7294a862e1f590f7aff58bfa1f6170a78a10869fd7a766b7e

  • SSDEEP

    196608:Ry7Ks9yetoY2D189qW5Cy6d64fYT6MSHerXS:QtV2O9dz6jfYT2HerXS

Score
10/10
jigsawdiscoveryexecutionpersistenceransomwarespywarestealerupx

Malware Config

Targets

    • Target

      0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe

    • Size

      1.8MB

    • MD5

      9d6952511e6a30db9be4d220f5394ee6

    • SHA1

      1d3ae6db2237ff37a800f8ddc0330c6ec9d452e7

    • SHA256

      0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360

    • SHA512

      99fee4d6fc9a3ae839ce24a2761e30f4836cca1fab8b9ddb6b7caaeabd247ba97b96760a312089e1046b5ed8c9712acc148b67fe5799bcdecc7399fe40db83da

    • SSDEEP

      49152:FHMSCqHxPO8Xm7DujgFatRnwMgnCBT9H4yXD3x1gYoddux:FHMSC0xPO8Xm7DujonMgkB4yXt1gZSx

    Score
    8/10
    discoverypersistence

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

    • Target

      1.0.exe

    • Size

      69KB

    • MD5

      248f91bcf92c8bf3e00beb7810de6528

    • SHA1

      b67f22eb906669bfc91ab51bb5c7b2b507f12386

    • SHA256

      88054efd9231124cb9ca5895608db0004b6a4e734a87bc27b5fb1deb92900306

    • SHA512

      5f8ec3dce00d7263f53e1dbaa0ddbcc317f5176952b8561c0e2411c8f3cd9faaebce0780d1410b37dd1df7c4f46c6101c2d7a730834d767c2a9c629d10493a6a

    • SSDEEP

      1536:Kvc+XI2Sv/BEEqE+kEnXx0JaFadHUxIcHduph7oGXPX0GO2:Kvc+XDiBViZYdH4IcHoptoo/0Gp

    Score
    5/10
    ransomware
    behavioral2

    • Target

      1AB13RN57.exe

    • Size

      3.7MB

    • MD5

      8537ab969199b629d5b988e5d9ef23c5

    • SHA1

      1e75f01a1f8bf870db9bf7e47154e9c1022cecf2

    • SHA256

      605e7377b5c4823bb226ee7927ec278dcbfdf6b67877bad19596f52a5d7a68a4

    • SHA512

      59d1f9181219f3afb22e7c4f8c688cdfd10d53624dd23e492d30a5e22bce29a89274674d0cb4d200628c577e6316aee7bce2ceecfc4ae2aa73485b27d6dce4d8

    • SSDEEP

      98304:4gyq8AcevX1LkIJDguXwIOwmJdwNe+zRXuKJkFA013fV6PYC:Fyq8A9vZ/5g8wI+J/yRvkFZ0X

    Score
    8/10
    discoveryexecutionpersistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral3

    • Target

      2009007981Ayon397.4lbs.exe

    • Size

      571KB

    • MD5

      ba26fb77b6835108c50a7679a8d700cb

    • SHA1

      f7e765dfe86361f13b0bce8497a6ca313e51c96b

    • SHA256

      1475fc004e86e28f28d91df9cc206c0da886bc085da17f853adba49990d8ca41

    • SHA512

      c6befb6fa1359411eb02cf2b3087def66c05590f4bec180d9a832926925deface5d454e81f6d88f1e34283a876853e1cf97070577f7651dd4fcbb273ddc3cf93

    • SSDEEP

      12288:9ufIQziUgIg4oCHT5B7PotSOx164gNIHNbZs8Lp97rWsVFqG5aDIBIDh:uGUdg4bHVBbotSOjaIHhZJLp97rWsV1k

    Score
    7/10

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral4

    • Target

      302746537.exe

    • Size

      22KB

    • MD5

      8703ff2e53c6fd3bc91294ef9204baca

    • SHA1

      3dbb8f7f5dfe6b235486ab867a2844b1c2143733

    • SHA256

      3028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035

    • SHA512

      d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204

    • SSDEEP

      384:fIiV728hUQ7Y2P/cVEccDdye7kjlWLe7grPiA8jyrMPhTjanbBoZht0MZaNJawcM:fRGuY2P0Vo6r7SiAwyrMRjbSMcnbcuy8

    Score
    7/10
    upx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral5

    • Target

      319874ec782153cdccd2a9f0c5be6ffdb782c9093329851a5ec13530f93b63c1.exe

    • Size

      842KB

    • MD5

      713d2566715e590052dc995b533bda5b

    • SHA1

      80dd387a6bdf48367c3d6a3ee58db791796c44e8

    • SHA256

      319874ec782153cdccd2a9f0c5be6ffdb782c9093329851a5ec13530f93b63c1

    • SHA512

      1ee204072ff90e2cec5163413e6dd8388d1967f6da59a485fa2d6e5c068b7cb01c1f4842142a27637bb0760484de412b7e07bbbbacfe1fad18be60277bff5ac2

    • SSDEEP

      24576:7o/dpLFqAi4x1evJR73xltFlxGBZYBQ7I:sVB8s1S3VltFlcZ38

    Score
    7/10
    persistenceupx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral6

    • Target

      6eec62466831538bfbf213160269a81ea588fd6ca6cc9a58a92f0c67b124aae4.exe

    • Size

      239KB

    • MD5

      4e96f607068d07bc23e9717da566b7c6

    • SHA1

      45358cecf3e14f07daa866052f5dabd34b2aac01

    • SHA256

      6eec62466831538bfbf213160269a81ea588fd6ca6cc9a58a92f0c67b124aae4

    • SHA512

      c282ba8eb4e4ad5429aa03f063152fac040881accfdf26972d4452b4c63e0762f4f7260f44e032d7f298c069c151ca50f8a71c272152a6c9350ff3f9fbb6c666

    • SSDEEP

      6144:gsV7FygHRNn+QrOtghhtvo6XtyuMv9MloC:Z0+N+QCULZtyPv9MloC

    Score
    7/10
    spywarestealer

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral7

    • Target

      74c002aafd3cdae462c03952adfc266d660fee5aef35a20f222b10de94740da2.exe

    • Size

      760KB

    • MD5

      27b98da1d83acafcb2dafd577861fa8c

    • SHA1

      e3c30a7c8a9e131c8b94148386e56bf9dbfe9205

    • SHA256

      74c002aafd3cdae462c03952adfc266d660fee5aef35a20f222b10de94740da2

    • SHA512

      1a1398d92a7735df5b5a380c46576f5ba5ad9a1c5133666b4331e661a21668215ff4c88a74037fb014d17bb1cbd70204854e837e47578c6a0f358c7be3e9db0a

    • SSDEEP

      6144:uJ8ObZe6WE3OHqw4bxFbq0t+LKeCLE3DHqw4bxFbq0t+:ceKrw4bxFNe/uw4bxF

    Score
    1/10
    behavioral8

    • Target

      7934625ee2b46883d287d31cb3d1d0b2eb3a0ac2a59a22d434b16513af3d1b11.exe

    • Size

      684KB

    • MD5

      52cdf9dc4986a5df3e8b0df4c4d77da6

    • SHA1

      81309c26783f809f9c98edae4a0730aab1bf5ad6

    • SHA256

      7934625ee2b46883d287d31cb3d1d0b2eb3a0ac2a59a22d434b16513af3d1b11

    • SHA512

      44df0ce2bed5238a1c51419b70f8d45c0ebc7ad7938012e9ff71512f51ae9df501dd67863716b8a8362df1079c472ef86a50cd8bbab648d4613bd663f6ce53b3

    • SSDEEP

      12288:Ixd0h1smbbWC+G/d8ke2Ov71Qoh1PCtCSqBHPuDxcSMa+58tbRC:IxRmbyC+Od8cOvWsZVW

    Score
    10/10
    jigsawpersistenceransomwarespywarestealer

    • Jigsaw Ransomware

      Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

      ransomwarejigsaw

    • Renames multiple (2029) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence
    behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

3
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Process Discovery

1
T1057

Query Registry

2
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Tasks