jigsaw | fbf8be8a3fa09d761b4293648317e48426a72f9ffc8782b1643d4cdae16ccf55

Analysis

max time kernel
19s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Jigsaw.exe
Size

335KB
MD5

44a4d5c0cbd33c189f18018326e8801e
SHA1

533d0a6895ffb5846b6e7bcb738c4056293f91d7
SHA256

f32a14e2a7a2510862c04fdc2e9ae97bb4f444d33dc5394360ad3402548bf687
SHA512

9aa19261579caadeb028f75db52a05e3ef66880df44d21e73cf65ac472ed3b276deaef37227c20af50d821414f2a1df88fb78c985adc0739bab7d0ed3a866205
SSDEEP

3072:NfWmKpcIhNLHiS6ur76srcmGG10loGm44q2UWBWXyPNKTWI87aXKPmsqjCnSNBPK:gR7Osoc1DGm44HcX2oaIrBP33kQCfBp

Score

10^/10

jigsaw persistence ransomware

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Jigsaw family
jigsaw

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	Jigsaw.exe

Executes dropped EXE 24 IoCs

pid	Process
2140	deltasec.exe
3260	deltasec.exe
5568	deltasec.exe
5336	deltasec.exe
4616	deltasec.exe
3584	deltasec.exe
1732	deltasec.exe
4860	deltasec.exe
4960	deltasec.exe
432	deltasec.exe
4084	deltasec.exe
4556	deltasec.exe
5300	deltasec.exe
5236	deltasec.exe
4032	deltasec.exe
4476	deltasec.exe
3208	deltasec.exe
2956	deltasec.exe
3576	deltasec.exe
2304	deltasec.exe
5980	deltasec.exe
4888	deltasec.exe
3244	deltasec.exe
1140	deltasec.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	Jigsaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 5708 wrote to memory of 2140	5708	cmd.exe	87
PID 5708 wrote to memory of 2140	5708	cmd.exe	87
PID 2500 wrote to memory of 3260	2500	Jigsaw.exe	88
PID 2500 wrote to memory of 3260	2500	Jigsaw.exe	88
PID 5956 wrote to memory of 5568	5956	cmd.exe	91
PID 5956 wrote to memory of 5568	5956	cmd.exe	91
PID 1856 wrote to memory of 5336	1856	cmd.exe	94
PID 1856 wrote to memory of 5336	1856	cmd.exe	94
PID 4568 wrote to memory of 4616	4568	cmd.exe	97
PID 4568 wrote to memory of 4616	4568	cmd.exe	97
PID 4684 wrote to memory of 3584	4684	cmd.exe	101
PID 4684 wrote to memory of 3584	4684	cmd.exe	101
PID 6072 wrote to memory of 1732	6072	cmd.exe	104
PID 6072 wrote to memory of 1732	6072	cmd.exe	104
PID 836 wrote to memory of 4860	836	cmd.exe	107
PID 836 wrote to memory of 4860	836	cmd.exe	107
PID 4924 wrote to memory of 4960	4924	cmd.exe	110
PID 4924 wrote to memory of 4960	4924	cmd.exe	110
PID 5396 wrote to memory of 432	5396	cmd.exe	113
PID 5396 wrote to memory of 432	5396	cmd.exe	113
PID 4656 wrote to memory of 4084	4656	cmd.exe	118
PID 4656 wrote to memory of 4084	4656	cmd.exe	118
PID 3504 wrote to memory of 4556	3504	cmd.exe	121
PID 3504 wrote to memory of 4556	3504	cmd.exe	121
PID 1364 wrote to memory of 5300	1364	cmd.exe	124
PID 1364 wrote to memory of 5300	1364	cmd.exe	124
PID 5316 wrote to memory of 5236	5316	cmd.exe	127
PID 5316 wrote to memory of 5236	5316	cmd.exe	127
PID 2108 wrote to memory of 4032	2108	cmd.exe	132
PID 2108 wrote to memory of 4032	2108	cmd.exe	132
PID 2792 wrote to memory of 4476	2792	cmd.exe	135
PID 2792 wrote to memory of 4476	2792	cmd.exe	135
PID 388 wrote to memory of 3208	388	cmd.exe	138
PID 388 wrote to memory of 3208	388	cmd.exe	138
PID 2904 wrote to memory of 2956	2904	cmd.exe	141
PID 2904 wrote to memory of 2956	2904	cmd.exe	141
PID 1264 wrote to memory of 3576	1264	cmd.exe	144
PID 1264 wrote to memory of 3576	1264	cmd.exe	144
PID 2244 wrote to memory of 2304	2244	cmd.exe	147
PID 2244 wrote to memory of 2304	2244	cmd.exe	147
PID 5412 wrote to memory of 5980	5412	cmd.exe	150
PID 5412 wrote to memory of 5980	5412	cmd.exe	150
PID 5332 wrote to memory of 4888	5332	cmd.exe	154
PID 5332 wrote to memory of 4888	5332	cmd.exe	154
PID 1756 wrote to memory of 3244	1756	cmd.exe	158
PID 1756 wrote to memory of 3244	1756	cmd.exe	158
PID 768 wrote to memory of 1140	768	cmd.exe	163
PID 768 wrote to memory of 1140	768	cmd.exe	163

C:\Users\Admin\AppData\Local\Temp\Jigsaw.exe
"C:\Users\Admin\AppData\Local\Temp\Jigsaw.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Local\deltasec\deltasec.exe
  "C:\Users\Admin\AppData\Local\deltasec\deltasec.exe" C:\Users\Admin\AppData\Local\Temp\Jigsaw.exe
  2⤵
  - Executes dropped EXE
  PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5708
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5956
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6072
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5396
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5316
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:388
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5412
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5332
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:768
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:2936
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:5036
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:6048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:3848
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:5232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:5388
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:6176
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:6268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:6352
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:6440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:6476
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:6524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:6568
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:6648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:6708
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:6896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:6968
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:7088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:7124
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:944
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:4956
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:2040
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:3412
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:520
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:1040
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:5148
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:3100
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:1048
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 1004
    3⤵
    PID:7668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:6424
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:6300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:3472
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:2516
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:6244
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:6388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:6504
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:6576
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:6416
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:6964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:7184
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:7852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\deltasec\deltasec.exe

Filesize
335KB

MD5
44a4d5c0cbd33c189f18018326e8801e

SHA1
533d0a6895ffb5846b6e7bcb738c4056293f91d7

SHA256
f32a14e2a7a2510862c04fdc2e9ae97bb4f444d33dc5394360ad3402548bf687

SHA512
9aa19261579caadeb028f75db52a05e3ef66880df44d21e73cf65ac472ed3b276deaef37227c20af50d821414f2a1df88fb78c985adc0739bab7d0ed3a866205

Download Submit
memory/2140-25-0x00007FF924710000-0x00007FF9250B1000-memory.dmp

Filesize
9.6MB

Download
memory/2140-22-0x00007FF924710000-0x00007FF9250B1000-memory.dmp

Filesize
9.6MB

Download
memory/2140-84-0x00007FF924710000-0x00007FF9250B1000-memory.dmp

Filesize
9.6MB

Download
memory/2140-47-0x00007FF924710000-0x00007FF9250B1000-memory.dmp

Filesize
9.6MB

Download
memory/2140-24-0x00000000011B0000-0x00000000011B8000-memory.dmp

Filesize
32KB

Download
memory/2140-17-0x00007FF924710000-0x00007FF9250B1000-memory.dmp

Filesize
9.6MB

Download
memory/2500-23-0x00007FF924710000-0x00007FF9250B1000-memory.dmp

Filesize
9.6MB

Download
memory/2500-2-0x00007FF924710000-0x00007FF9250B1000-memory.dmp

Filesize
9.6MB

Download
memory/2500-0-0x00007FF9249C5000-0x00007FF9249C6000-memory.dmp

Filesize
4KB

Download
memory/2500-1-0x00007FF924710000-0x00007FF9250B1000-memory.dmp

Filesize
9.6MB

Download
memory/2500-4-0x000000001B9B0000-0x000000001BA4C000-memory.dmp

Filesize
624KB

Download
memory/2500-3-0x000000001B440000-0x000000001B90E000-memory.dmp

Filesize
4.8MB

Download
memory/3260-26-0x00007FF924710000-0x00007FF9250B1000-memory.dmp

Filesize
9.6MB

Download
memory/3260-49-0x00007FF924710000-0x00007FF9250B1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads