jigsaw | fbf8be8a3fa09d761b4293648317e48426a72f9ffc8782b1643d4cdae16ccf55

Analysis

max time kernel
16s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Jigsaw.exe
Size

335KB
MD5

44a4d5c0cbd33c189f18018326e8801e
SHA1

533d0a6895ffb5846b6e7bcb738c4056293f91d7
SHA256

f32a14e2a7a2510862c04fdc2e9ae97bb4f444d33dc5394360ad3402548bf687
SHA512

9aa19261579caadeb028f75db52a05e3ef66880df44d21e73cf65ac472ed3b276deaef37227c20af50d821414f2a1df88fb78c985adc0739bab7d0ed3a866205
SSDEEP

3072:NfWmKpcIhNLHiS6ur76srcmGG10loGm44q2UWBWXyPNKTWI87aXKPmsqjCnSNBPK:gR7Osoc1DGm44HcX2oaIrBP33kQCfBp

Score

10^/10

jigsaw persistence ransomware

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Jigsaw family
jigsaw

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	Jigsaw.exe

Executes dropped EXE 25 IoCs

pid	Process
2772	deltasec.exe
632	deltasec.exe
4460	deltasec.exe
2492	deltasec.exe
1628	deltasec.exe
2220	deltasec.exe
4692	deltasec.exe
2560	deltasec.exe
5832	deltasec.exe
2736	deltasec.exe
4928	deltasec.exe
5160	deltasec.exe
3996	deltasec.exe
3984	deltasec.exe
1192	deltasec.exe
4740	deltasec.exe
2948	deltasec.exe
2972	deltasec.exe
5292	deltasec.exe
5768	deltasec.exe
2436	deltasec.exe
3096	deltasec.exe
920	deltasec.exe
4856	deltasec.exe
1500	deltasec.exe

Adds Run key to start application 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	Jigsaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deltasec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\deltasec\\deltasec.exe"	deltasec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 5932 wrote to memory of 2772	5932	cmd.exe	87
PID 5932 wrote to memory of 2772	5932	cmd.exe	87
PID 5988 wrote to memory of 632	5988	Jigsaw.exe	88
PID 5988 wrote to memory of 632	5988	Jigsaw.exe	88
PID 2008 wrote to memory of 4460	2008	cmd.exe	91
PID 2008 wrote to memory of 4460	2008	cmd.exe	91
PID 5148 wrote to memory of 2492	5148	cmd.exe	94
PID 5148 wrote to memory of 2492	5148	cmd.exe	94
PID 3148 wrote to memory of 1628	3148	cmd.exe	97
PID 3148 wrote to memory of 1628	3148	cmd.exe	97
PID 5228 wrote to memory of 2220	5228	cmd.exe	100
PID 5228 wrote to memory of 2220	5228	cmd.exe	100
PID 4532 wrote to memory of 4692	4532	cmd.exe	104
PID 4532 wrote to memory of 4692	4532	cmd.exe	104
PID 4684 wrote to memory of 2560	4684	cmd.exe	107
PID 4684 wrote to memory of 2560	4684	cmd.exe	107
PID 2556 wrote to memory of 5832	2556	cmd.exe	110
PID 2556 wrote to memory of 5832	2556	cmd.exe	110
PID 4012 wrote to memory of 2736	4012	cmd.exe	113
PID 4012 wrote to memory of 2736	4012	cmd.exe	113
PID 4836 wrote to memory of 4928	4836	cmd.exe	116
PID 4836 wrote to memory of 4928	4836	cmd.exe	116
PID 5012 wrote to memory of 5160	5012	cmd.exe	119
PID 5012 wrote to memory of 5160	5012	cmd.exe	119
PID 2916 wrote to memory of 3996	2916	cmd.exe	123
PID 2916 wrote to memory of 3996	2916	cmd.exe	123
PID 4728 wrote to memory of 3984	4728	cmd.exe	126
PID 4728 wrote to memory of 3984	4728	cmd.exe	126
PID 2068 wrote to memory of 1192	2068	cmd.exe	129
PID 2068 wrote to memory of 1192	2068	cmd.exe	129
PID 5804 wrote to memory of 4740	5804	cmd.exe	132
PID 5804 wrote to memory of 4740	5804	cmd.exe	132
PID 5260 wrote to memory of 2948	5260	cmd.exe	135
PID 5260 wrote to memory of 2948	5260	cmd.exe	135
PID 5468 wrote to memory of 2972	5468	cmd.exe	138
PID 5468 wrote to memory of 2972	5468	cmd.exe	138
PID 2428 wrote to memory of 5292	2428	cmd.exe	141
PID 2428 wrote to memory of 5292	2428	cmd.exe	141
PID 2400 wrote to memory of 5768	2400	cmd.exe	144
PID 2400 wrote to memory of 5768	2400	cmd.exe	144
PID 2680 wrote to memory of 2436	2680	cmd.exe	147
PID 2680 wrote to memory of 2436	2680	cmd.exe	147
PID 6100 wrote to memory of 3096	6100	cmd.exe	150
PID 6100 wrote to memory of 3096	6100	cmd.exe	150
PID 3000 wrote to memory of 920	3000	cmd.exe	153
PID 3000 wrote to memory of 920	3000	cmd.exe	153
PID 1924 wrote to memory of 4856	1924	cmd.exe	156
PID 1924 wrote to memory of 4856	1924	cmd.exe	156
PID 4060 wrote to memory of 1500	4060	cmd.exe	161
PID 4060 wrote to memory of 1500	4060	cmd.exe	161

C:\Users\Admin\AppData\Local\Temp\Jigsaw.exe
"C:\Users\Admin\AppData\Local\Temp\Jigsaw.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5988
- C:\Users\Admin\AppData\Local\deltasec\deltasec.exe
  "C:\Users\Admin\AppData\Local\deltasec\deltasec.exe" C:\Users\Admin\AppData\Local\Temp\Jigsaw.exe
  2⤵
  - Executes dropped EXE
  PID:632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5932
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5148
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5228
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5804
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5260
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5468
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6100
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:5548
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:60
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:1672
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:6132
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:4680
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:1320
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:6256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:6364
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:6568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:6616
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:6672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:6704
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:6788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:6832
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:6984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:7056
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:7164
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 1008
    3⤵
    PID:7964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:6484
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:4456
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:4968
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:872
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 1004
    3⤵
    PID:7876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:6604
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:5336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:4488
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:3660
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:7088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:440
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:2376
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:6412
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:6380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:6908
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:6320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:6968
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:6216
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:6872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:3684
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:6748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:5756
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:4612
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:7196
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:7244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:7276
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:7324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
1⤵
PID:7356
- C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  C:\Users\Admin\AppData\Roaming\deltasec\deltasec.exe
  2⤵
  PID:7404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\deltasec.exe.log

Filesize
518B

MD5
ca6c4bb78d3292868c353efeabc990ab

SHA1
425093c016876e302cfb67113474999b897c35e4

SHA256
6e4f82783db970659c17ab696842145bed41b562f88f700492dd6553a9a37101

SHA512
08bcbfa37c19fe684383191e68ee113cfd97bd786d211afa4c7bf4e2dfcd35ef99e8111d8dff958c150142a888df233952d2afb48856b0d5c7e6b42674d822c6

Download Submit
C:\Users\Admin\AppData\Local\deltasec\deltasec.exe

Filesize
335KB

MD5
44a4d5c0cbd33c189f18018326e8801e

SHA1
533d0a6895ffb5846b6e7bcb738c4056293f91d7

SHA256
f32a14e2a7a2510862c04fdc2e9ae97bb4f444d33dc5394360ad3402548bf687

SHA512
9aa19261579caadeb028f75db52a05e3ef66880df44d21e73cf65ac472ed3b276deaef37227c20af50d821414f2a1df88fb78c985adc0739bab7d0ed3a866205

Download Submit
memory/632-49-0x00007FFD86F60000-0x00007FFD87901000-memory.dmp

Filesize
9.6MB

Download
memory/632-25-0x00007FFD86F60000-0x00007FFD87901000-memory.dmp

Filesize
9.6MB

Download
memory/2772-23-0x00007FFD86F60000-0x00007FFD87901000-memory.dmp

Filesize
9.6MB

Download
memory/2772-48-0x00007FFD86F60000-0x00007FFD87901000-memory.dmp

Filesize
9.6MB

Download
memory/2772-24-0x000000001B1D0000-0x000000001B1D8000-memory.dmp

Filesize
32KB

Download
memory/2772-21-0x00007FFD86F60000-0x00007FFD87901000-memory.dmp

Filesize
9.6MB

Download
memory/5988-3-0x000000001C160000-0x000000001C1FC000-memory.dmp

Filesize
624KB

Download
memory/5988-22-0x00007FFD86F60000-0x00007FFD87901000-memory.dmp

Filesize
9.6MB

Download
memory/5988-6-0x00007FFD86F60000-0x00007FFD87901000-memory.dmp

Filesize
9.6MB

Download
memory/5988-0-0x00007FFD87215000-0x00007FFD87216000-memory.dmp

Filesize
4KB

Download
memory/5988-1-0x00007FFD86F60000-0x00007FFD87901000-memory.dmp

Filesize
9.6MB

Download
memory/5988-2-0x000000001BBF0000-0x000000001C0BE000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads