Overview

overview

10

Static

static

3

80f45f70d6...93.exe

windows7-x64

10

80f45f70d6...93.exe

windows10-2004-x64

10

Resubmissions

26/02/2025, 07:01 UTC

250226-htjbasxjv8 10

25/02/2025, 04:05 UTC

250225-enxd7atjy7 3

25/02/2025, 04:00 UTC

250225-ekttwssqy6 10

25/02/2025, 03:40 UTC

250225-d79cessjs5 10

25/02/2025, 03:10 UTC

250225-dpfmdszpw9 10

25/02/2025, 02:49 UTC

250225-dazrqaym19 10

25/02/2025, 02:42 UTC

250225-c61hfsyj15 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe

  • Size

    767KB

  • Sample

    250225-d79cessjs5

  • MD5

    d7b952b18e2fba388e8ae076488af9e2

  • SHA1

    20a1a5c98e93b87d58d8c6ddbe2450f657e59113

  • SHA256

    80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593

  • SHA512

    5777c6ff439a89d1571b3104b3fc9b43e5392cecdcd2c8100019582bfb383328648ef86735dbda8e15270f0853bff3ea9864f26a7f9c40d016269e417aa2f04f

  • SSDEEP

    12288:7GqN/XdctpVtkMtsyDqBQ0tA3nyF0Fh0zJmViYV5yvQX05oWI:lNcBtkUqBQ0tknx5yIXgoWI

Score
10/10
jigsawbootkitdefense_evasiondiscoverypersistenceransomwarespywarestealer

Malware Config

Targets

    • Target

      80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe

    • Size

      767KB

    • MD5

      d7b952b18e2fba388e8ae076488af9e2

    • SHA1

      20a1a5c98e93b87d58d8c6ddbe2450f657e59113

    • SHA256

      80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593

    • SHA512

      5777c6ff439a89d1571b3104b3fc9b43e5392cecdcd2c8100019582bfb383328648ef86735dbda8e15270f0853bff3ea9864f26a7f9c40d016269e417aa2f04f

    • SSDEEP

      12288:7GqN/XdctpVtkMtsyDqBQ0tA3nyF0Fh0zJmViYV5yvQX05oWI:lNcBtkUqBQ0tknx5yIXgoWI

    Score
    10/10
    jigsawbootkitdefense_evasiondiscoverypersistenceransomwarespywarestealer

    • Jigsaw Ransomware

      Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

      ransomwarejigsaw

    • Jigsaw family

      jigsaw

    • Renames multiple (2012) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Disables Task Manager via registry modification

      defense_evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

3
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.