SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918

General

Target:    SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe
Filesize:  291KB
Completed: 10-11-2020 02:05
Score:     10/10
MD5:       5a5c745bf3e97fe2be01880132662f28
SHA1:      924af25d379fc88319bc55958db898dbf5054309
SHA256:    0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811

Malware Config
Signatures 7


  • Jigsaw Ransomware
    Description: Ransomware family first seen in 2016, named after the Jigsaw puppet wallpaper that early versions set after infection.

  • Executes dropped EXE
    Process: drpbx.exe
    Reported IOCs (pid | process):
      2072 | drpbx.exe

  • Adds Run key to start application
    Tactics: Defense Evasion, Persistence
    Process: SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe
    TTPs: Registry Run Keys / Startup Folder; Modify Registry
    Reported IOCs (description | ioc | process):
      Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe
    Note: the Run value is named firefox.exe but its data points at a per-user path (%APPDATA%\Frfx\firefox.exe) rather than a browser install; the value name and the Frfx directory mimic legitimate software.

  • Drops desktop.ini file(s)
    Process: SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe
    Reported IOCs (description | ioc | process):
      File created | C:\Windows\assembly\Desktop.ini | SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe
      File opened for modification | C:\Windows\assembly\Desktop.ini | SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe

  • Drops file in Windows directory
    Process: SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe
    Reported IOCs (description | ioc | process):
      File opened for modification | C:\Windows\assembly | SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe
      File created | C:\Windows\assembly\Desktop.ini | SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe
      File opened for modification | C:\Windows\assembly\Desktop.ini | SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe

  • Suspicious use of AdjustPrivilegeToken
    Processes: SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe, drpbx.exe
    Reported IOCs (description | pid | process):
      Token: SeDebugPrivilege | 1020 | SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe
      Token: SeDebugPrivilege | 2072 | drpbx.exe

  • Suspicious use of WriteProcessMemory
    Process: SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe
    Reported IOCs (description | pid | process | target process):
      PID 1020 wrote to memory of 2072 | 1020 | SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe | drpbx.exe  (reported 3 times)
Processes (2)

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe  (PID 1020)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe"
    Signatures: Adds Run key to start application; Drops desktop.ini file(s); Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe  (PID 2072, child of 1020)
      Command line: "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
      (the dropped copy is started with the original sample's path as its only argument)
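The indicators in the signatures and process tree above can be turned into host-side checks. The Python below is an added example, not part of this report and not the sandbox's own signature logic. It assumes Sysmon-like event records (process creation with image, command line, parent pid and SHA-256; registry value set with target key and data) and constructs a few such events from the report's process tree and Run-key IOC, plus a benign control where a real browser install registers its own Run value. The event field names and the rule names (run_key_per_user_exe, run_key_jigsaw_name, known_hash, self_copy_executed, relaunch_with_original_path) are the example's own.

```python
# Added example (not from the sandbox report): the report's IOCs as checks over
# Sysmon-like endpoint events. Event shape and rule names are this example's own.
import re
import shlex
from dataclasses import dataclass

# SHA-256 of the submitted sample, copied from the report. The dropped
# drpbx.exe carries the same hash, so one entry covers both files.
KNOWN_SHA256 = {"0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811"}

RUN_VALUE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
PER_USER_DIR = re.compile(r"^[a-z]:\\Users\\[^\\]+\\AppData\\", re.I)
# File names the sample uses for its copies in this report.
JIGSAW_COPY_NAMES = {"drpbx.exe", "firefox.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _basename(path: str) -> str:
    return path.strip('"').rstrip("\\").rsplit("\\", 1)[-1].lower()


def check_registry_set(ev: dict) -> list:
    """Persistence: a Run value whose data points under the user's AppData.
    A second finding fires when the target also borrows a Jigsaw/browser name."""
    m = RUN_VALUE.search(ev["target"])
    if not m:
        return []
    target = ev["details"].strip('"')
    if not PER_USER_DIR.match(target):
        return []  # Run values pointing into Program Files etc. are routine
    found = [Finding("run_key_per_user_exe", ev["pid"], f"{m.group(1)} -> {target}")]
    if _basename(target) in JIGSAW_COPY_NAMES:
        found.append(Finding("run_key_jigsaw_name", ev["pid"], _basename(target)))
    return found


def check_process_create(ev: dict, parents: dict) -> list:
    """Execution: a known hash; a byte-identical copy of the parent started
    under a new name; and the relaunch pattern where the copy receives the
    original sample's path as its first argument (as drpbx.exe does here)."""
    found = []
    if ev["sha256"] in KNOWN_SHA256:
        found.append(Finding("known_hash", ev["pid"], ev["sha256"][:12]))
    parent = parents.get(ev["ppid"])
    if (parent and parent["sha256"] == ev["sha256"]
            and _basename(parent["image"]) != _basename(ev["image"])):
        found.append(Finding("self_copy_executed", ev["pid"],
                             f"{parent['image']} -> {ev['image']}"))
    # posix=False keeps Windows backslashes and quoted paths intact
    argv = shlex.split(ev["command_line"], posix=False)
    if len(argv) >= 2:
        arg1 = argv[1].strip('"')
        if arg1.lower().endswith(".exe") and PER_USER_DIR.match(arg1):
            found.append(Finding("relaunch_with_original_path", ev["pid"], arg1))
    return found


def hunt(events: list) -> list:
    """Run the checks over an event stream, remembering process creations by
    pid so a child can be compared with its parent."""
    procs, found = {}, []
    for ev in events:
        if ev["type"] == "process_create":
            found += check_process_create(ev, procs)
            procs[ev["pid"]] = ev
        elif ev["type"] == "registry_set":
            found += check_registry_set(ev)
    return found


def rules_for_pid(findings: list, pid: int) -> set:
    return {f.rule for f in findings if f.pid == pid}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe"
COPY = r"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe"
HASH = "0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811"
SID = "S-1-5-21-3341490333-719741536-2920803124-1000"
BROWSER = r"C:\Program Files\Mozilla Firefox\firefox.exe"

# Constructed events mirroring the report's process tree and Run-key IOC,
# plus a benign control: a real browser install registering its own Run value.
EVENTS = [
    {"type": "process_create", "pid": 1020, "ppid": 800, "image": SAMPLE,
     "command_line": f'"{SAMPLE}"', "sha256": HASH},
    {"type": "registry_set", "pid": 1020,
     "target": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe",
     "details": r"C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe"},
    {"type": "process_create", "pid": 2072, "ppid": 1020, "image": COPY,
     "command_line": f'"{COPY}" {SAMPLE}', "sha256": HASH},
    {"type": "process_create", "pid": 3100, "ppid": 800, "image": BROWSER,
     "command_line": f'"{BROWSER}"', "sha256": "b" * 64},
    {"type": "registry_set", "pid": 3100,
     "target": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\Firefox",
     "details": BROWSER},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f.rule:28} pid={f.pid:<5} {f.detail}")
```

Run as-is it prints six findings for PIDs 1020 and 2072 and none for the benign browser. The self-copy rule relies on the parent being recorded before the child, which holds for an ordered event stream; on real telemetry, replace the constructed EVENTS list with parsed Sysmon event IDs 1 and 13.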
Network
MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Downloads

  • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
    MD5:    5a5c745bf3e97fe2be01880132662f28
    SHA1:   924af25d379fc88319bc55958db898dbf5054309
    SHA256: 0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811
    SHA512: 151e4a07e19350d677e049c57c971b64924150eec007e665843cb6142ec73fc06ae4145c64164d3f7f25a376a7536ac6d9b3c85180503549a0c86f09cc0ded10
    (MD5, SHA1 and SHA256 match the submitted sample in the General section: the dropped drpbx.exe is a byte-for-byte copy of the sample, not a second-stage payload)

  • memory/1020-0-0x0000000002390000-0x0000000002391000-memory.dmp
  • memory/1020-1-0x0000000002390000-0x0000000002391000-memory.dmp
  • memory/2072-3-0x0000000000000000-mapping.dmp
  • memory/2072-6-0x0000000002210000-0x0000000002211000-memory.dmp