Analysis Overview
SHA256
0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811
Threat Level: Known bad
The file SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918 was found to be: Known bad.
Malicious Activity Summary
Jigsaw Ransomware
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops desktop.ini file(s)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-11-09 19:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-09 19:51
Reported
2020-11-10 02:05
Platform
win7v20201028
Max time kernel
25s
Max time network
27s
Command Line
Signatures
Jigsaw Ransomware
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 684 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe |
| PID 684 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe |
| PID 684 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe |
| PID 684 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe"
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe
Network
Files
memory/684-0-0x0000000001F00000-0x0000000001F11000-memory.dmp
\Users\Admin\AppData\Local\Drpbx\drpbx.exe
| MD5 | 5a5c745bf3e97fe2be01880132662f28 |
| SHA1 | 924af25d379fc88319bc55958db898dbf5054309 |
| SHA256 | 0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811 |
| SHA512 | 151e4a07e19350d677e049c57c971b64924150eec007e665843cb6142ec73fc06ae4145c64164d3f7f25a376a7536ac6d9b3c85180503549a0c86f09cc0ded10 |
memory/2004-2-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
| MD5 | 5a5c745bf3e97fe2be01880132662f28 |
| SHA1 | 924af25d379fc88319bc55958db898dbf5054309 |
| SHA256 | 0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811 |
| SHA512 | 151e4a07e19350d677e049c57c971b64924150eec007e665843cb6142ec73fc06ae4145c64164d3f7f25a376a7536ac6d9b3c85180503549a0c86f09cc0ded10 |
memory/2004-4-0x0000000001F70000-0x0000000001F81000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-09 19:51
Reported
2020-11-10 02:05
Platform
win10v20201028
Max time kernel
11s
Max time network
102s
Command Line
Signatures
Jigsaw Ransomware
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1020 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe |
| PID 1020 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe |
| PID 1020 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe"
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.dc.28918.exe
Network
Files
memory/1020-0-0x0000000002390000-0x0000000002391000-memory.dmp
memory/1020-1-0x0000000002390000-0x0000000002391000-memory.dmp
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
| MD5 | 5a5c745bf3e97fe2be01880132662f28 |
| SHA1 | 924af25d379fc88319bc55958db898dbf5054309 |
| SHA256 | 0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811 |
| SHA512 | 151e4a07e19350d677e049c57c971b64924150eec007e665843cb6142ec73fc06ae4145c64164d3f7f25a376a7536ac6d9b3c85180503549a0c86f09cc0ded10 |
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
| MD5 | 5a5c745bf3e97fe2be01880132662f28 |
| SHA1 | 924af25d379fc88319bc55958db898dbf5054309 |
| SHA256 | 0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811 |
| SHA512 | 151e4a07e19350d677e049c57c971b64924150eec007e665843cb6142ec73fc06ae4145c64164d3f7f25a376a7536ac6d9b3c85180503549a0c86f09cc0ded10 |
memory/2072-3-0x0000000000000000-mapping.dmp
memory/2072-6-0x0000000002210000-0x0000000002211000-memory.dmp
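Both detonations record the same host artifacts: the sample copies itself to %LOCALAPPDATA%\Drpbx\drpbx.exe (the dropped file's SHA256 is identical to the submitted sample's), launches that copy with the original path as its argument, and writes an HKCU Run value named firefox.exe pointing at %APPDATA%\Frfx\firefox.exe (that second path never appears in the Files section, so within the 25s window it is only a persistence target). The Win10 run also touches C:\Windows\assembly\Desktop.ini, an artifact commonly produced by .NET executables and weak on its own. The PowerShell below is an added host-triage example, not part of this report or of any sandbox tooling; it assumes a standard C:\Users layout and a loaded HKU hive for each profile, and the finding names and output shape are this script's own.

```powershell
#Requires -Version 4.0
# Added triage example: check a Windows host for the Jigsaw artifacts listed in the report.
# Paths, Run-value name and SHA256 are taken from the report; everything else is assumed.
[CmdletBinding()]
param(
    # SHA256 reported for both the submitted sample and the dropped drpbx.exe
    [string]$KnownBadSha256 = '0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811'
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. Run-key persistence in every loaded user hive (HKU\S-1-5-21-*).
#    A genuine Firefox install does not register a Run value, and never from %APPDATA%\Frfx.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
  Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
  ForEach-Object {
    $runKey = "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    $props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['firefox.exe']) {
        $target = [string]$props.'firefox.exe'
        if ($target -match '\\AppData\\Roaming\\Frfx\\firefox\.exe') {
            Add-Finding 'RunKey' "$runKey\firefox.exe = $target"
        }
    }
  }

# 2. Dropped executables in every profile, hashed against the reported SHA256.
#    A path hit with a different hash still matters: it may be a newer build of the same family.
foreach ($profile in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    foreach ($rel in 'AppData\Local\Drpbx\drpbx.exe', 'AppData\Roaming\Frfx\firefox.exe') {
        $path = Join-Path $profile.FullName $rel
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
            $kind = if ($hash -eq $KnownBadSha256.ToLower()) { 'DroppedExe-KnownHash' } else { 'DroppedExe-PathOnly' }
            Add-Finding $kind "$path sha256=$hash"
        }
    }
}

# 3. Desktop.ini under C:\Windows\assembly (Win10 run only). Report it with its timestamp,
#    but treat it as corroboration, not as a standalone indicator.
$ini = 'C:\Windows\assembly\Desktop.ini'
if (Test-Path -LiteralPath $ini) {
    $lastWrite = (Get-Item -LiteralPath $ini).LastWriteTime
    Add-Finding 'AssemblyDesktopIni' "$ini last written $lastWrite"
}

# 4. Live process: the report shows drpbx.exe started with the original sample path as argv[1].
Get-CimInstance Win32_Process -Filter "Name = 'drpbx.exe'" -ErrorAction SilentlyContinue |
  ForEach-Object { Add-Finding 'Process' "PID $($_.ProcessId): $($_.CommandLine)" }

if ($findings.Count -eq 0) { Write-Output 'No Jigsaw artifacts from the report found on this host.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell so that every user hive and profile directory is readable; unprivileged runs silently cover only the current user. A RunKey or DroppedExe-KnownHash finding is sufficient on its own; AssemblyDesktopIni alone is not, and on a kill-chain timeline the Run value is the earliest durable artifact, so it is the one to sweep fleet-wide.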