Resubmissions

21/03/2025, 03:04

250321-dkqxkawn12 10

21/03/2025, 02:52

250321-dc8gmsstct 10

Analysis

  • max time kernel
    359s
  • max time network
    359s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/03/2025, 03:04

General

  • Target

    jigsaw.exe

  • Size

    283KB

  • MD5

    2773e3dc59472296cb0024ba7715a64e

  • SHA1

    27d99fbca067f478bb91cdbcb92f13a828b00859

  • SHA256

    3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

  • SHA512

    6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

  • SSDEEP

    6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX

Malware Config

Signatures

  • Jigsaw Ransomware

    Ransomware family first created in 2016. Named after the wallpaper it set after infection in its early versions.

  • Jigsaw family
  • Renames multiple (2008) files with added filename extension

    This suggests ransomware activity: encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\jigsaw.exe
    "C:\Users\Admin\AppData\Local\Temp\jigsaw.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\jigsaw.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of FindShellTrayWindow
      PID:2360
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2436
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\License.txt
      1⤵
        PID:340
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\License.txt
        1⤵
        • Suspicious use of FindShellTrayWindow
        PID:1732
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\LockEnter.htm
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2768
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2768 CREDAT:275457 /prefetch:2
          2⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2632
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        1⤵
          PID:556
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Program Files\7-Zip\License.txt.fun
          1⤵
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1428
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\License.txt.fun
            2⤵
              PID:1604

          Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Program Files\7-Zip\License.txt.fun

            Filesize

            3KB

            MD5

            7d89b4741a8919b08dba9949d7410c05

            SHA1

            ad20472937965e41f82d46aef8f6ae6aba1f24d2

            SHA256

            8a9fa428bb1e55657257d17f9e61f8314e10b4e2b880eed5b8640eab3a04d793

            SHA512

            e3542c05aa317f4004204c75ed4850bee49463b00cd065d1345c302f6eda6dd516f676e9aae7428643c8d925447d3e4e505f6fcc2fb4fb70426752406e2d534b

          • C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.fun

            Filesize

            160B

            MD5

            580ee0344b7da2786da6a433a1e84893

            SHA1

            60f8c4dd5457e9834f5402cb326b1a2d3ca0ba7e

            SHA256

            98b6c2ddfefc628d03ceaef9d69688674a6bc32eb707f9ed86bc8c75675c4513

            SHA512

            356d2cdea3321e894b5b46ad1ea24c0e3c8be8e3c454b5bd300b7340cbb454e71fc89ca09ea0785b373b483e67c2f6f6bb408e489b0de4ff82d5ed69a75613ba

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

            Filesize

            71KB

            MD5

            83142242e97b8953c386f988aa694e4a

            SHA1

            833ed12fc15b356136dcdd27c61a50f59c5c7d50

            SHA256

            d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

            SHA512

            bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            344B

            MD5

            8e19b540c343e39f199f5079bc9351fb

            SHA1

            c36cf512af9fad4fc137830e7cefb38438ab7cbb

            SHA256

            55d5480e34f20fe6ff539d4a2a1b9402dc2589e3c5127690a9f1a2ae6872a7c8

            SHA512

            78c46c676ae28003f0b3e6681e990c02b1523c3508ca853c42eeb1282910d0341211136f2c322d79e993d6d7b7a19ed6460e4f8adb23b163c9ee11f4e6e65e13

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            344B

            MD5

            da99c83a53599fea8b2563ff4657ce16

            SHA1

            d92ea6cc96182fc4527b5ce5cf849633cde80fe5

            SHA256

            dcf803985ea9e809e3048e29efa6be4f6fe99b5bd7051c5891968988e22b5d2d

            SHA512

            bf47815bbaf0ba33d25974138c1b76d2f1edea067ff8c8528a6421a5fe4f7c22a505b3429363de86e740c23bc2008eff1f46c43cd16c12ffc34cb72328700d54

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            344B

            MD5

            1ca576fef5c3797400a920c9fce922a2

            SHA1

            b470f31dd3a5881747f027df30a6c9fa7a79cc3e

            SHA256

            4a4549ec8c52da81decfe8c77db6e3941eb1c50a811653d83b0ea037fec1f06f

            SHA512

            a7dbcbebc4c758d9d2614a0d9d2645145bbfbe7aba6c83af7ae2a568afb155c9b3be91990e20daafa95e45fe4200199d88864b66f45b0a8108db380e9035fa87

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            344B

            MD5

            93d6dcf153d9de1773d48ff4a17e7879

            SHA1

            32d58f031ca82fa78ba221150befc36dedc4a848

            SHA256

            6ac980771b78e0ae9539f4fe60865b1b27338e5639724eb3250591d9c5cbfcff

            SHA512

            7bd8c02665689afd5c499e55e0e46f7364762d8a44952d8f92625683895638982905fa2169ec5cd89b32f264cdfe68af8901a18766739aaa23236e481098f0cd

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            344B

            MD5

            644f80a2d541717400c5f9e4d6eede90

            SHA1

            0018dc559d01882b925c3c43e186d9ccc21e4865

            SHA256

            ad9467b7bcd39f9de9332b72e4a654ee682224259add32ca388058004623dcc5

            SHA512

            f3cd916ec41f127b64a7d28482c44bd89d8d718de5e27b122a408ce2654ef9e68497770c95595e08363352df238642ce9c60f5a9a526b0037f53236f5074aad9

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            344B

            MD5

            33ae1b271069eef2255f3a60881f7866

            SHA1

            69ef048d6fe833b1096e79ec68f203fa54ef83a9

            SHA256

            48eb541f43ac591e1ac9c883c3569926272e72358648694decb6399e81bbc30d

            SHA512

            e8637732bca3553a8bef9fe5b25cb6c8b39625570173f4d64fbae9cabbd830150e4575aa3bdf888733d93cf38d5570e76946e4e89f55eaf2e216709e04fd3ded

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            344B

            MD5

            271d828db6a07a487c27858e06a33032

            SHA1

            f69dbf8449a9ca48083952ebbabf6438ccfcd20f

            SHA256

            9f10f2553864d92b8f79d76fd2078353ca3a894562338f8e652ac671f2dfd690

            SHA512

            9602937c4381125c94f7b4799c156c92600cafc72e1958757cb4e8eb2ebb30079f6bc4fd89780543452e267cdc5dbab7723efb7ccb08ea190cbcb6477496fcbb

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            344B

            MD5

            fa6e977639f229790038ee1d89208e74

            SHA1

            a6872191d9a7af02ffa69d5448f93b71fc38c2b9

            SHA256

            aa40f28a311b0a312af71e5e38f4d5558a8a6eb5d031b562bba3344927050cc0

            SHA512

            a9de73e74a5607b1a4edf63d1371d1237ad9fd72ccee81c94413f2a8446e78e64f40f9981ea62062a69e2bffab4e5c8157d505254be975752379eab1cff99ecc

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            344B

            MD5

            af38a1cf42a9d189830351f5b1afcf2b

            SHA1

            344a1ee19cf0183099a770c831f46eba2b80f477

            SHA256

            515cb28640187f7c61ab94395da108031533132ecea08688b5264559538a00c0

            SHA512

            dc6ec58f527127da4c7b11cf15f726f46679834e63d87e8ee19a5adc061bdf30c0ca7ba16876ba1026c8b6dcdd9009cf47bca716b3d57d52c8bf165dd579875c

          • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

            Filesize

            283KB

            MD5

            2773e3dc59472296cb0024ba7715a64e

            SHA1

            27d99fbca067f478bb91cdbcb92f13a828b00859

            SHA256

            3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

            SHA512

            6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9937AC73-0601-11F0-B525-D686196AC2C0}.dat

            Filesize

            3KB

            MD5

            829f8bcc6021fab9b83616baa5eda029

            SHA1

            49ed130bd4e3925345a563d775024c9df1c5a582

            SHA256

            36bc5b3a42193c172c0402851477eabaa9db03502d985b510c29ddb38c8fa5e5

            SHA512

            25b124e769b4d94c426317fcb6bae7e96db408b78121077cb9bb0b5dbc4ec1df429ff39cb1f89106eaeb1211bef137fee55f05cfac9281a663e80b34e7b489b2

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{7BED8C50-69B4-11EF-84BD-62CB582C238C}.dat

            Filesize

            5KB

            MD5

            c294d103a1d14fca3b2c26ede07601bb

            SHA1

            7a3e9a16a8bb726e2d9f9b04cc08e785a5388858

            SHA256

            bf407fc950792dac1bc33ae83f5756715d130bd8707090bf235ba3e15717a59a

            SHA512

            2f2ab52328c8b116817a2012ebed6af705935838fde4184b33b50bf337d6525eec3802eb360b50863393cb08711e92ecb200203082dbee0db01de85cd92164f1

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{9937AC74-0601-11F0-B525-D686196AC2C0}.dat

            Filesize

            4KB

            MD5

            d9f23122cdd795b6eb335e58c74486a1

            SHA1

            29cc742519037385f6ae1bd3f7411aaaa559e1a4

            SHA256

            a179abd499b4ea3086e1af18ca0314ba5027da7262e44afafdca6265c3827f73

            SHA512

            6f86af4e5f9393655f3df6fb2f34386a4190ee8858d9c125578e17bd6587fe933adb82c74c5acee637259bd51d8f3413e8429b651582f44a9951bdb28f380154

          • C:\Users\Admin\AppData\Local\Temp\Cab8355.tmp

            Filesize

            70KB

            MD5

            49aebf8cbd62d92ac215b2923fb1b9f5

            SHA1

            1723be06719828dda65ad804298d0431f6aff976

            SHA256

            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

            SHA512

            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

          • C:\Users\Admin\AppData\Local\Temp\Tar8409.tmp

            Filesize

            183KB

            MD5

            109cab5505f5e065b63d01361467a83b

            SHA1

            4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

            SHA256

            ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

            SHA512

            753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\container.dat.fun

            Filesize

            16B

            MD5

            8ebcc5ca5ac09a09376801ecdd6f3792

            SHA1

            81187142b138e0245d5d0bc511f7c46c30df3e14

            SHA256

            619e246fc0ac11320ff9e322a979948d949494b0c18217f4d794e1b398818880

            SHA512

            cec50bfc6ad2f57f16da99459f40f2d424c6d5691685fa1053284f46c8c8c8a975d7bcb1f3521c4f3fbdc310cf4714e29404aa23be6021e2e267c97b090dc650

          • memory/2360-11-0x000007FEF6360000-0x000007FEF6CFD000-memory.dmp

            Filesize

            9.6MB

          • memory/2360-12-0x000007FEF6360000-0x000007FEF6CFD000-memory.dmp

            Filesize

            9.6MB

          • memory/2360-13-0x000007FEF6360000-0x000007FEF6CFD000-memory.dmp

            Filesize

            9.6MB

          • memory/2420-0-0x000007FEF661E000-0x000007FEF661F000-memory.dmp

            Filesize

            4KB

          • memory/2420-5-0x000007FEF6360000-0x000007FEF6CFD000-memory.dmp

            Filesize

            9.6MB

          • memory/2420-10-0x000007FEF6360000-0x000007FEF6CFD000-memory.dmp

            Filesize

            9.6MB

          • memory/2420-9-0x000007FEF6360000-0x000007FEF6CFD000-memory.dmp

            Filesize

            9.6MB

          • memory/2420-1-0x0000000000510000-0x0000000000548000-memory.dmp

            Filesize

            224KB