jigsaw | 6f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f

General

Target

drpbx.exe
Size

125KB
MD5

7fab69dcc9fbee7ca91bef27dc551f63
SHA1

fe272f074373e80e2a00144e0fcc4de6e68cf0e3
SHA256

6f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f
SHA512

ac87841efd28941ee4b13142602b6f91a43b29136236d78ccde1ba838d453c9d9de5ab94ced8eaddb426f1b569ee8a3f593fdae04f02984b7fc337bccd0b3ae8

Score

10^/10

jigsaw persistence ransomware spyware

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

taskmgr.exe

description pid process target process

PID 3560 created 2112 3560 taskmgr.exe drpbx.exe
PID 3560 created 2112 3560 taskmgr.exe drpbx.exe
Executes dropped EXE 1 IoCs

Processes:

drpbx.exe

pid process

2112 drpbx.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

drpbx.exe

description ioc process

File created C:\Users\Admin\Pictures\UseInvoke.tif.Professeur drpbx.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 3560 created 2112	3560	taskmgr.exe	drpbx.exe
PID 3560 created 2112	3560	taskmgr.exe	drpbx.exe

pid	process
2112	drpbx.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\UseInvoke.tif.Professeur	drpbx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

drpbx.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	drpbx.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

drpbx.exe

description ioc process

File created C:\Windows\assembly\Desktop.ini drpbx.exe
File opened for modification C:\Windows\assembly\Desktop.ini drpbx.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	drpbx.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	drpbx.exe

Drops file in Program Files directory 64 IoCs

Processes:

drpbx.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Services\verisign.bmp	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\eml.scale-256.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\artifacts.xml.Professeur	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_11s.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\WideTile.scale-200.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml.Professeur	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\file_icons.png.Professeur	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ro_get.svg.Professeur	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.scale-150.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\SmallLogo.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Skull.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar.Professeur	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js.Professeur	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_fi_135x40.svg.Professeur	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-125_contrast-white.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\optimize_poster.jpg.Professeur	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\edit-pdf.png.Professeur	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2653_24x24x32.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-140.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\ffjcext.zip	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionLargeTile.scale-150.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar.Professeur	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5606_40x40x32.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-36.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\charsets.jar.Professeur	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-ui.jar	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\ui-strings.js.Professeur	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-black_scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\SampleHeader\avatar.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar.Professeur	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\AddressBook.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\ui-strings.js.Professeur	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-100.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.White@2x.png.Professeur	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_forward_18.svg	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_de_135x40.svg	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-focus_32.svg.Professeur	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png.Professeur	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\excel.x-none.msi.16.x-none.vreg.dat	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\lr_60x42.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-disabled_32.svg.Professeur	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\share_icons2x.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\new_icons.png.Professeur	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\check-mark-1x.png.Professeur	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-250.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_ja_4.4.0.v20140623020002.jar	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\images\en-US\windows-main-08294e1b-0ad7-4937-9616-fcbc42ff7ff1.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Klondike\Goal_3.jpg	drpbx.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml.Professeur	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_TestDrive.help.txt	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\dull_tauri.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorLargeTile.contrast-white_scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Pyramid\Goal_3.jpg	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js.Professeur	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailMediumTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-80.png	drpbx.exe

Drops file in Windows directory 3 IoCs

Processes:

drpbx.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	drpbx.exe
File created	C:\Windows\assembly\Desktop.ini	drpbx.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	drpbx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe

pid	process
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

3560 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

taskmgr.exewerfault.exe

description	pid	process
Token: SeDebugPrivilege	3560	taskmgr.exe
Token: SeSystemProfilePrivilege	3560	taskmgr.exe
Token: SeCreateGlobalPrivilege	3560	taskmgr.exe
Token: SeDebugPrivilege	2488	werfault.exe
Token: 33	3560	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3560	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe
3560	taskmgr.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

drpbx.exechrome.exe

description	pid	process	target process
PID 3008 wrote to memory of 2112	3008	drpbx.exe	drpbx.exe
PID 3008 wrote to memory of 2112	3008	drpbx.exe	drpbx.exe
PID 2052 wrote to memory of 2752	2052	chrome.exe	chrome.exe
PID 2052 wrote to memory of 2752	2052	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\drpbx.exe
"C:\Users\Admin\AppData\Local\Temp\drpbx.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\drpbx.exe
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in Program Files directory
PID:2112

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3560

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\79ecef5938984a3c9c83e4f773e06057 /t 2188 /p 2112
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ff8247b6e00,0x7ff8247b6e10,0x7ff8247b6e20
2⤵
PID:2752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
MD5
7fab69dcc9fbee7ca91bef27dc551f63

SHA1
fe272f074373e80e2a00144e0fcc4de6e68cf0e3

SHA256
6f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f

SHA512
ac87841efd28941ee4b13142602b6f91a43b29136236d78ccde1ba838d453c9d9de5ab94ced8eaddb426f1b569ee8a3f593fdae04f02984b7fc337bccd0b3ae8

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
MD5
7fab69dcc9fbee7ca91bef27dc551f63

SHA1
fe272f074373e80e2a00144e0fcc4de6e68cf0e3

SHA256
6f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f

SHA512
ac87841efd28941ee4b13142602b6f91a43b29136236d78ccde1ba838d453c9d9de5ab94ced8eaddb426f1b569ee8a3f593fdae04f02984b7fc337bccd0b3ae8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
7e14ee65865d86bf5f846a2559cbba7d

SHA1
3c0a8b1ef68f0d726cabc6b100e622be82cb4069

SHA256
5328c968651001725e6f1cb7dd79105cf04f2270b0679b897caeae2d6811f9fa

SHA512
b0cb66cfd310d6bb2c7b9ec60d72b0763a9f8df99c9e19aec73fc6676de755bd7febbabf34b0ef22e643987e70bdf27d7831f6841cee198686f59164c121a3fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\drpbx.exe.log
MD5
6a0f54467260893b55f9d04c3bad702c

SHA1
177b81fe0d1f2635804306c25e622cc546bbef38

SHA256
74657b15056a650a40c348f59a214432828d761c1ee5f30e222af86f445e5f31

SHA512
6a70e703ecb8b2d46cce99002e31411eaeb2578062dd65378ed9c0a5d53ed2469b9befedd6f7b091bc0192b7152524a72cbf7cd9d611961f7a8946e8434c751e

Download Submit
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
MD5
7fab69dcc9fbee7ca91bef27dc551f63

SHA1
fe272f074373e80e2a00144e0fcc4de6e68cf0e3

SHA256
6f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f

SHA512
ac87841efd28941ee4b13142602b6f91a43b29136236d78ccde1ba838d453c9d9de5ab94ced8eaddb426f1b569ee8a3f593fdae04f02984b7fc337bccd0b3ae8

Download Submit
memory/2112-10-0x00000000009A4000-0x00000000009A5000-memory.dmp

Filesize
4KB

Download
memory/2112-8-0x00007FF81EAB0000-0x00007FF81F450000-memory.dmp

Filesize
9.6MB

Download
memory/2112-9-0x00000000009A0000-0x00000000009A2000-memory.dmp

Filesize
8KB

Download
memory/2112-4-0x0000000000000000-mapping.dmp

Download
memory/2112-12-0x00000000009A8000-0x00000000009AA000-memory.dmp

Filesize
8KB

Download
memory/2112-13-0x00000000009AA000-0x00000000009AF000-memory.dmp

Filesize
20KB

Download
memory/2488-15-0x000001F7D0D50000-0x000001F7D0D51000-memory.dmp

Filesize
4KB

Download
memory/2488-14-0x000001F7D0D50000-0x000001F7D0D51000-memory.dmp

Filesize
4KB

Download
memory/2752-17-0x0000000000000000-mapping.dmp

Download
memory/3008-2-0x00007FF81EAB0000-0x00007FF81F450000-memory.dmp

Filesize
9.6MB

Download
memory/3008-3-0x0000000000B40000-0x0000000000B42000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads