Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

jigsaw.exe

windows7-x64

Analysis

  • max time kernel
    281s
  • max time network
    286s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    15/03/2025, 17:25

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    jigsaw.exe

  • Size

    283KB

  • MD5

    2773e3dc59472296cb0024ba7715a64e

  • SHA1

    27d99fbca067f478bb91cdbcb92f13a828b00859

  • SHA256

    3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

  • SHA512

    6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

  • SSDEEP

    6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX

Score
10/10
jigsawdiscoverypersistenceransomwarespywarestealer

Malware Config

Signatures

  • Jigsaw Ransomware

    Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

    ransomwarejigsaw
  • Jigsaw family
    jigsaw
  • Renames multiple (1973) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 51 IoCs
  • Suspicious use of SendNotifyMessage 48 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\jigsaw.exe
    "C:\Users\Admin\AppData\Local\Temp\jigsaw.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\jigsaw.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of FindShellTrayWindow
      PID:3012
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x514
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1772
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\InitializeBlock.xht
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:604
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:604 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2876
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\DisconnectSuspend.emf"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2064
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\SwitchSelect.vbs"
    1⤵
      PID:1528
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1248
    • C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
      1⤵
      • Drops file in System32 directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1036
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:2976
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:1204

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.fun
          Filesize

          160B

          MD5

          580ee0344b7da2786da6a433a1e84893

          SHA1

          60f8c4dd5457e9834f5402cb326b1a2d3ca0ba7e

          SHA256

          98b6c2ddfefc628d03ceaef9d69688674a6bc32eb707f9ed86bc8c75675c4513

          SHA512

          356d2cdea3321e894b5b46ad1ea24c0e3c8be8e3c454b5bd300b7340cbb454e71fc89ca09ea0785b373b483e67c2f6f6bb408e489b0de4ff82d5ed69a75613ba

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          Filesize

          71KB

          MD5

          83142242e97b8953c386f988aa694e4a

          SHA1

          833ed12fc15b356136dcdd27c61a50f59c5c7d50

          SHA256

          d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

          SHA512

          bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          c7781a2b60b40f8bbb87dcf8f383749b

          SHA1

          ba9cf960a803eee72d57d67fb6f0adce97079d94

          SHA256

          ea7e71de753a1366d8bf0f8170b9d283e3c5f54a7695a5dc82721670da48d8b6

          SHA512

          3c9939eb15c2a6d249c99f03d9ad579a3d775315aaa01e4c7ab2c4dd03f67033003cfdc6910afeb6896c46cd4bd3b05be1adef3482c6a64c965ba984bf3170ba

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          5f6288f8f8eb371cce35e9cf471eb16b

          SHA1

          6831bcb5dcf6035d5df8728ad63022f2701b239d

          SHA256

          097a3686bd06330cddf95bd4b17661d6197c88ba88bac73059c522a531928b1a

          SHA512

          daf3a755ba6b5e37743dd8aa3d61c85481440487f2b9b5f9794dfb50a956d14c4ff84623dd2f6baf2060a8f708105eb02a5c9be5c6cc2433e0ee9bed47b04d75

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          e426349c9caf330b6621d89e1271e3f4

          SHA1

          b0bcc5e993e13b5bccd01b61e9f3eeb91503bc1c

          SHA256

          26f3c8c300ef1542d2fe93a89c17ef7283c34cdc58c638e7592f1285e3f461f2

          SHA512

          b9138482885a40ab305d83a25d4e8c2f373e9100b4d76773e057c5c35f738c248f6db71a3c5b4260409ecc93724fed128c408a9b3b88c1de4638b24e2723d190

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          b7a2ed01a09bc69bd7f99eea3b38fc1f

          SHA1

          2b24706489d16b7cba567a67c0b44143648e2051

          SHA256

          b423e6ee2a49e9cfcc7311734b54427622ec54746913eb2c3197ba1f103f2d79

          SHA512

          a8317f61d9204bf5343c23f5cc98c48017517d763ca824f71ad80b86eac7eb00aedd51e6b0fb652707d9d476f93391095b49112bbdc0cb4e308400095dd6f224

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          6055185248290db727cedd2910bf1c09

          SHA1

          dd21fd471399f650a95818d94c4600fb2ace7d22

          SHA256

          21c3acd82feaad22208da42aa71edee767c4d9407d054b8f2e8e212394a46098

          SHA512

          fdb478a0a8df3f62f1f8b6d88672f387762ff730c9c3cfc30b45c67b0eb9c9cd94e9dc2c3b99cafada95b8201ea24498d4671d6e1d104ac3d250ccb6719a40e2

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          069901438ef5acd83096b9e649b3cbf6

          SHA1

          158e442061b338ee55a15572e0b4c44c87f29fbc

          SHA256

          8e66678c3f90436296b95cd5084d5cf81299a6c5721915c904a96d1672b58122

          SHA512

          9518154c1190936827610d963ba050926041b86ffa14ad59f3a852eb54c984ac3cde56da1ad41bee30fbc2a2b71b32f079809d3423c5db24a88b3b9df4fddaca

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          665e3883dae5f7bbff164ee213c6d1ba

          SHA1

          2325afe02417d25efaed47ed73afface3826d63d

          SHA256

          05a838559c2a67666f7194e027cae7cc2a2673f82b20f0a9036105d75b07f32e

          SHA512

          badb92dc9370785378e7b2e161d32ee1a7d01ea0759dcca38611e638f913d25c69ca1d88e7dbb75eefd05ede023d5af257d7a3a031e6ce6541aa80077dcdef2e

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          349e73c43ba5f26aa1b7d059bf3b537b

          SHA1

          de9b585a211ba560e798157bffaaaa8a6198b074

          SHA256

          42d063d79cc2572fc42c5d830aeddce200b3203c0a63250dc0e187d54cd6bdb4

          SHA512

          792d23fbc82e24b1255f658feb7369c8dc366326bdeb866d368320dc0c30b1685f206bbe9ded970486cff9eefda0fbfaf89747f4f3437f400123f0b46c492676

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          3527bf1c085d55aaa095f70a2364d2d7

          SHA1

          f3fbc1d27b579d640bc238d65dc0d0411f5dd9b5

          SHA256

          fb0d2f4da753f32e62a8161249c6496c9aa6db4c7726863b233cd7b424810d23

          SHA512

          4a91629b91b76e3466f8f813daf2dc3da6c4114ff232bd6f711462dab39d9cce3db9016b88b54d2a0cc2993be7e0ba2382783b6d3ed51c1f0374c49142fe0866

          Download Submit

        • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
          Filesize

          283KB

          MD5

          2773e3dc59472296cb0024ba7715a64e

          SHA1

          27d99fbca067f478bb91cdbcb92f13a828b00859

          SHA256

          3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

          SHA512

          6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{EE737ED0-86E5-11EF-B2CD-DAB21757C799}.dat
          Filesize

          5KB

          MD5

          2e622c1f114be9451445397c6c6e854d

          SHA1

          a949835f96afff0dca951f1c22d49a7a82bad548

          SHA256

          754d8d865693693323fd09e9d921566e03d844cd8acfe2dcb394da7125354146

          SHA512

          ebfc22238bf5290e2232f2b95dbae3d432b169f05532ed1984e445cd6289b33a435959275ce0e2c9b925215dd0a2a1179bee087a1989cfdb0a25a1834d2e5834

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{A8C4EAB4-01C2-11F0-9D46-D6B302822781}.dat
          Filesize

          4KB

          MD5

          6e1e5897294f0726e71cc0e7ef0edbf8

          SHA1

          abcd75ad84077bb4f5c56672c3f4f0bb860c36ab

          SHA256

          6c01ad3b89a91f32aa4bcbbedec3f05dd379fc2f653f40fc53b23dd5033bda44

          SHA512

          19c7381729b9e05c2126c5140d0ac9bd8419e6afae5e3199830ae347d72d2c67ad7c0c17aaf44a4384fc9436bd5b0190744c09c9d64bd970f64aa537db53183b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Cab65D8.tmp
          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Tar65DB.tmp
          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Tar67E3.tmp
          Filesize

          183KB

          MD5

          109cab5505f5e065b63d01361467a83b

          SHA1

          4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

          SHA256

          ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

          SHA512

          753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\container.dat.fun
          Filesize

          16B

          MD5

          8ebcc5ca5ac09a09376801ecdd6f3792

          SHA1

          81187142b138e0245d5d0bc511f7c46c30df3e14

          SHA256

          619e246fc0ac11320ff9e322a979948d949494b0c18217f4d794e1b398818880

          SHA512

          cec50bfc6ad2f57f16da99459f40f2d424c6d5691685fa1053284f46c8c8c8a975d7bcb1f3521c4f3fbdc310cf4714e29404aa23be6021e2e267c97b090dc650

          Download Submit

        • memory/1036-2500-0x000000001D250000-0x000000001D596000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1036-2499-0x0000000002300000-0x000000000231E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1248-2498-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/1248-2497-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/1248-2495-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/1248-2494-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/2064-943-0x000007FEF2560000-0x000007FEF25AC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2064-944-0x000007FEF2560000-0x000007FEF25AC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2396-12-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2396-0-0x000007FEF643E000-0x000007FEF643F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2396-1-0x0000000000A20000-0x0000000000A58000-memory.dmp

          Filesize

          224KB

          Download

        • memory/2396-2-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2396-3-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/3012-2493-0x000000001B1F0000-0x000000001B262000-memory.dmp

          Filesize

          456KB

          Download

        • memory/3012-2496-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/3012-10-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/3012-11-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/3012-13-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/3012-14-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

          Filesize

          9.6MB

          Download