Resubmissions
09-10-2023 22:49  231009-2ry4hsba26  score 10
06-03-2021 22:23  210306-pfhc83235s  score 10
05-06-2020 02:52  200605-jqylqtyzss  score 10

Analysis
max time kernel: 132s
max time network: 133s
platform: windows7_x64
resource: win7v20201028
submitted: 06-03-2021 22:23
Static task: static1
Behavioral task: behavioral1 (sample drpbx.exe, resource win7v20201028)
Behavioral task: behavioral2 (sample drpbx.exe, resource win10v20201028)
General
Target: drpbx.exe
Size: 125KB
MD5: 7fab69dcc9fbee7ca91bef27dc551f63
SHA1: fe272f074373e80e2a00144e0fcc4de6e68cf0e3
SHA256: 6f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f
SHA512: ac87841efd28941ee4b13142602b6f91a43b29136236d78ccde1ba838d453c9d9de5ab94ced8eaddb426f1b569ee8a3f593fdae04f02984b7fc337bccd0b3ae8
Malware Config
Signatures
- Jigsaw Ransomware
  Ransomware family first created in 2016. Named after the wallpaper set after infection in the early versions.
- Executes dropped EXE (1 IoC)
  Processes: drpbx.exe, PID 1980
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: drpbx.exe set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PID 1924 (drpbx.exe) wrote to memory of PID 1980 (drpbx.exe), three times
Processes
- C:\Users\Admin\AppData\Local\Temp\drpbx.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\drpbx.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
    command line: "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\drpbx.exe
    - Executes dropped EXE
Network
Downloads
- C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
  MD5: 7fab69dcc9fbee7ca91bef27dc551f63
  SHA1: fe272f074373e80e2a00144e0fcc4de6e68cf0e3
  SHA256: 6f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f
  SHA512: ac87841efd28941ee4b13142602b6f91a43b29136236d78ccde1ba838d453c9d9de5ab94ced8eaddb426f1b569ee8a3f593fdae04f02984b7fc337bccd0b3ae8
Memory dumps
- memory/1924-2-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp (9.6MB)
- memory/1924-3-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp (9.6MB)
- memory/1924-4-0x0000000001F30000-0x0000000001F32000-memory.dmp (8KB)
- memory/1924-10-0x0000000001F36000-0x0000000001F55000-memory.dmp (124KB)
- memory/1980-5-0x0000000000000000-mapping.dmp
- memory/1980-8-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp (9.6MB)
- memory/1980-9-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp (9.6MB)
- memory/1980-11-0x0000000001EC0000-0x0000000001EC2000-memory.dmp (8KB)
- memory/1980-12-0x0000000001EC6000-0x0000000001EE5000-memory.dmp (124KB)