Analysis
-
max time kernel
128s -
max time network
97s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
01-05-2020 14:11
General
-
Target
rBlbqI2.exe
-
Size
291KB
-
MD5
2fec9bf50de5395f799b23a1099b10d6
-
SHA1
6000969e75d7d7a3fa1b908bdb9d5daeb5f2534e
-
SHA256
df049efbfa7ac0b76c8daff5d792c550c7a7a24f6e9e887d01a01013c9caa763
-
SHA512
5f6885fb1940ee4f84507e2b7929f637d8f264a5c77329aeae31803b772608ea93370177017f90f6f8d8bc9e0b30eb8607ed120d4ead68104fd70feec71a9ab8
Score
10/10
Malware Config
Signatures
-
Drops file in Windows directory 3 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run entry to start application 2 TTPs 1 IoCs
-
Jigsaw
Ransomware family first created in 2016. Named based on wallpaper set after infection.
Processes
-
C:\Users\Admin\AppData\Local\Temp\rBlbqI2.exe"C:\Users\Admin\AppData\Local\Temp\rBlbqI2.exe"1⤵
- Drops file in Windows directory
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Adds Run entry to start application
-
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\rBlbqI2.exe2⤵
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
-
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
-
memory/1356-0-0x0000000002480000-0x0000000002481000-memory.dmpFilesize
4KB
-
memory/1356-1-0x0000000002480000-0x0000000002481000-memory.dmpFilesize
4KB
-
memory/1828-5-0x0000000002330000-0x0000000002331000-memory.dmpFilesize
4KB