Resubmissions
09-10-2023 22:49
231009-2ry4hsba26 1006-03-2021 22:23
210306-pfhc83235s 1005-06-2020 02:52
200605-jqylqtyzss 10Analysis
-
max time kernel
150s -
max time network
112s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
06-03-2021 22:23
Static task
static1
Behavioral task
behavioral1
Sample
drpbx.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
drpbx.exe
Resource
win10v20201028
General
-
Target
drpbx.exe
-
Size
125KB
-
MD5
7fab69dcc9fbee7ca91bef27dc551f63
-
SHA1
fe272f074373e80e2a00144e0fcc4de6e68cf0e3
-
SHA256
6f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f
-
SHA512
ac87841efd28941ee4b13142602b6f91a43b29136236d78ccde1ba838d453c9d9de5ab94ced8eaddb426f1b569ee8a3f593fdae04f02984b7fc337bccd0b3ae8
Malware Config
Signatures
-
Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
Processes:
taskmgr.exedescription pid process target process PID 3560 created 2112 3560 taskmgr.exe drpbx.exe PID 3560 created 2112 3560 taskmgr.exe drpbx.exe -
Executes dropped EXE 1 IoCs
Processes:
drpbx.exepid process 2112 drpbx.exe -
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
drpbx.exedescription ioc process File created C:\Users\Admin\Pictures\UseInvoke.tif.Professeur drpbx.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
drpbx.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" drpbx.exe -
Drops desktop.ini file(s) 2 IoCs
Processes:
drpbx.exedescription ioc process File created C:\Windows\assembly\Desktop.ini drpbx.exe File opened for modification C:\Windows\assembly\Desktop.ini drpbx.exe -
Drops file in Program Files directory 64 IoCs
Processes:
drpbx.exedescription ioc process File opened for modification C:\Program Files\Common Files\Services\verisign.bmp drpbx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\eml.scale-256.png drpbx.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\artifacts.xml.Professeur drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_11s.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\WideTile.scale-200.png drpbx.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml.Professeur drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\file_icons.png.Professeur drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ro_get.svg.Professeur drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.scale-150.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\SmallLogo.scale-125.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Skull.png drpbx.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar.Professeur drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js.Professeur drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_fi_135x40.svg.Professeur drpbx.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-125_contrast-white.png drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\optimize_poster.jpg.Professeur drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\edit-pdf.png.Professeur drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2653_24x24x32.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-140.png drpbx.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\deploy\ffjcext.zip drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionLargeTile.scale-150.png drpbx.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar.Professeur drpbx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5606_40x40x32.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-36.png drpbx.exe File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\charsets.jar.Professeur drpbx.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-ui.jar drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\ui-strings.js.Professeur drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-black_scale-100.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\SampleHeader\avatar.png drpbx.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar.Professeur drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\AddressBook.png drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\ui-strings.js.Professeur drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-100.png drpbx.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.White@2x.png.Professeur drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_forward_18.svg drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_de_135x40.svg drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-focus_32.svg.Professeur drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png.Professeur drpbx.exe File opened for modification C:\Program Files\Microsoft Office\root\vreg\excel.x-none.msi.16.x-none.vreg.dat drpbx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-100.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-200.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\lr_60x42.png drpbx.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-disabled_32.svg.Professeur drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\share_icons2x.png drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\new_icons.png.Professeur drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\check-mark-1x.png.Professeur drpbx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-250.png drpbx.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_ja_4.4.0.v20140623020002.jar drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\images\en-US\windows-main-08294e1b-0ad7-4937-9616-fcbc42ff7ff1.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Klondike\Goal_3.jpg drpbx.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml.Professeur drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png drpbx.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_TestDrive.help.txt drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\dull_tauri.png drpbx.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorLargeTile.contrast-white_scale-200.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-200.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100.png drpbx.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Pyramid\Goal_3.jpg drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js.Professeur drpbx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailMediumTile.scale-200.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-80.png drpbx.exe -
Drops file in Windows directory 3 IoCs
Processes:
drpbx.exedescription ioc process File opened for modification C:\Windows\assembly drpbx.exe File created C:\Windows\assembly\Desktop.ini drpbx.exe File opened for modification C:\Windows\assembly\Desktop.ini drpbx.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
taskmgr.exepid process 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
taskmgr.exepid process 3560 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
taskmgr.exewerfault.exedescription pid process Token: SeDebugPrivilege 3560 taskmgr.exe Token: SeSystemProfilePrivilege 3560 taskmgr.exe Token: SeCreateGlobalPrivilege 3560 taskmgr.exe Token: SeDebugPrivilege 2488 werfault.exe Token: 33 3560 taskmgr.exe Token: SeIncBasePriorityPrivilege 3560 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
taskmgr.exepid process 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
taskmgr.exepid process 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe 3560 taskmgr.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
drpbx.exechrome.exedescription pid process target process PID 3008 wrote to memory of 2112 3008 drpbx.exe drpbx.exe PID 3008 wrote to memory of 2112 3008 drpbx.exe drpbx.exe PID 2052 wrote to memory of 2752 2052 chrome.exe chrome.exe PID 2052 wrote to memory of 2752 2052 chrome.exe chrome.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\drpbx.exe"C:\Users\Admin\AppData\Local\Temp\drpbx.exe"1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\drpbx.exe2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in Program Files directory
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\79ecef5938984a3c9c83e4f773e06057 /t 2188 /p 21121⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ff8247b6e00,0x7ff8247b6e10,0x7ff8247b6e202⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exeMD5
7fab69dcc9fbee7ca91bef27dc551f63
SHA1fe272f074373e80e2a00144e0fcc4de6e68cf0e3
SHA2566f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f
SHA512ac87841efd28941ee4b13142602b6f91a43b29136236d78ccde1ba838d453c9d9de5ab94ced8eaddb426f1b569ee8a3f593fdae04f02984b7fc337bccd0b3ae8
-
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exeMD5
7fab69dcc9fbee7ca91bef27dc551f63
SHA1fe272f074373e80e2a00144e0fcc4de6e68cf0e3
SHA2566f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f
SHA512ac87841efd28941ee4b13142602b6f91a43b29136236d78ccde1ba838d453c9d9de5ab94ced8eaddb426f1b569ee8a3f593fdae04f02984b7fc337bccd0b3ae8
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datMD5
7e14ee65865d86bf5f846a2559cbba7d
SHA13c0a8b1ef68f0d726cabc6b100e622be82cb4069
SHA2565328c968651001725e6f1cb7dd79105cf04f2270b0679b897caeae2d6811f9fa
SHA512b0cb66cfd310d6bb2c7b9ec60d72b0763a9f8df99c9e19aec73fc6676de755bd7febbabf34b0ef22e643987e70bdf27d7831f6841cee198686f59164c121a3fa
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\drpbx.exe.logMD5
6a0f54467260893b55f9d04c3bad702c
SHA1177b81fe0d1f2635804306c25e622cc546bbef38
SHA25674657b15056a650a40c348f59a214432828d761c1ee5f30e222af86f445e5f31
SHA5126a70e703ecb8b2d46cce99002e31411eaeb2578062dd65378ed9c0a5d53ed2469b9befedd6f7b091bc0192b7152524a72cbf7cd9d611961f7a8946e8434c751e
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeMD5
7fab69dcc9fbee7ca91bef27dc551f63
SHA1fe272f074373e80e2a00144e0fcc4de6e68cf0e3
SHA2566f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f
SHA512ac87841efd28941ee4b13142602b6f91a43b29136236d78ccde1ba838d453c9d9de5ab94ced8eaddb426f1b569ee8a3f593fdae04f02984b7fc337bccd0b3ae8
-
memory/2112-10-0x00000000009A4000-0x00000000009A5000-memory.dmpFilesize
4KB
-
memory/2112-8-0x00007FF81EAB0000-0x00007FF81F450000-memory.dmpFilesize
9.6MB
-
memory/2112-9-0x00000000009A0000-0x00000000009A2000-memory.dmpFilesize
8KB
-
memory/2112-4-0x0000000000000000-mapping.dmp
-
memory/2112-12-0x00000000009A8000-0x00000000009AA000-memory.dmpFilesize
8KB
-
memory/2112-13-0x00000000009AA000-0x00000000009AF000-memory.dmpFilesize
20KB
-
memory/2488-15-0x000001F7D0D50000-0x000001F7D0D51000-memory.dmpFilesize
4KB
-
memory/2488-14-0x000001F7D0D50000-0x000001F7D0D51000-memory.dmpFilesize
4KB
-
memory/2752-17-0x0000000000000000-mapping.dmp
-
memory/3008-2-0x00007FF81EAB0000-0x00007FF81F450000-memory.dmpFilesize
9.6MB
-
memory/3008-3-0x0000000000B40000-0x0000000000B42000-memory.dmpFilesize
8KB