Analysis Overview
SHA256
6f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f
Threat Level: Known bad
The file drpbx.exe was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateProcessExOtherParentProcess
Jigsaw Ransomware
Executes dropped EXE
Modifies extensions of user files
Reads user/profile data of web browsers
Adds Run key to start application
Drops desktop.ini file(s)
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported
2021-03-06 22:23
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-03-06 22:23
Reported
2021-03-06 22:26
Platform
win7v20201028
Max time kernel
132s
Max time network
133s
Command Line
Signatures
Jigsaw Ransomware
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Local\Temp\drpbx.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1924 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\drpbx.exe | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\drpbx.exe
"C:\Users\Admin\AppData\Local\Temp\drpbx.exe"
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\drpbx.exe
Network
Files
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
| MD5 | 7fab69dcc9fbee7ca91bef27dc551f63 |
| SHA1 | fe272f074373e80e2a00144e0fcc4de6e68cf0e3 |
| SHA256 | 6f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f |
| SHA512 | ac87841efd28941ee4b13142602b6f91a43b29136236d78ccde1ba838d453c9d9de5ab94ced8eaddb426f1b569ee8a3f593fdae04f02984b7fc337bccd0b3ae8 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-03-06 22:23
Reported
2021-03-06 22:26
Platform
win10v20201028
Max time kernel
150s
Max time network
112s
Command Line
Signatures
Jigsaw Ransomware
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3560 created 2112 | N/A | C:\Windows\system32\taskmgr.exe | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Pictures\UseInvoke.tif.Professeur | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Local\Temp\drpbx.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\drpbx.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\drpbx.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Common Files\Services\verisign.bmp | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\eml.scale-256.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\artifacts.xml.Professeur | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_11s.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\WideTile.scale-200.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml.Professeur | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\file_icons.png.Professeur | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ro_get.svg.Professeur | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.scale-150.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\SmallLogo.scale-125.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Skull.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar.Professeur | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js.Professeur | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_fi_135x40.svg.Professeur | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-125_contrast-white.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\optimize_poster.jpg.Professeur | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\edit-pdf.png.Professeur | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2653_24x24x32.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-140.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\deploy\ffjcext.zip | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionLargeTile.scale-150.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar.Professeur | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5606_40x40x32.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-36.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\jre\lib\charsets.jar.Professeur | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-ui.jar | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\ui-strings.js.Professeur | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-black_scale-100.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\SampleHeader\avatar.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar.Professeur | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\AddressBook.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\ui-strings.js.Professeur | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-100.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_forward_18.svg | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_de_135x40.svg | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-focus_32.svg.Professeur | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png.Professeur | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vreg\excel.x-none.msi.16.x-none.vreg.dat | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-100.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-200.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\lr_60x42.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-disabled_32.svg.Professeur | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\share_icons2x.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\new_icons.png.Professeur | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\check-mark-1x.png.Professeur | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-250.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\images\en-US\windows-main-08294e1b-0ad7-4937-9616-fcbc42ff7ff1.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Klondike\Goal_3.jpg | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml.Professeur | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_TestDrive.help.txt | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\dull_tauri.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorLargeTile.contrast-white_scale-200.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-200.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Pyramid\Goal_3.jpg | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js.Professeur | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailMediumTile.scale-200.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-80.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\drpbx.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\drpbx.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\drpbx.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\werfault.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3008 wrote to memory of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\drpbx.exe | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe |
| PID 2052 wrote to memory of 2752 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\drpbx.exe
"C:\Users\Admin\AppData\Local\Temp\drpbx.exe"
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\drpbx.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\79ecef5938984a3c9c83e4f773e06057 /t 2188 /p 2112
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ff8247b6e00,0x7ff8247b6e10,0x7ff8247b6e20
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.msftconnecttest.com | udp |
| N/A | 13.107.4.52:80 | www.msftconnecttest.com | tcp |
Files
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
| MD5 | 7fab69dcc9fbee7ca91bef27dc551f63 |
| SHA1 | fe272f074373e80e2a00144e0fcc4de6e68cf0e3 |
| SHA256 | 6f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f |
| SHA512 | ac87841efd28941ee4b13142602b6f91a43b29136236d78ccde1ba838d453c9d9de5ab94ced8eaddb426f1b569ee8a3f593fdae04f02984b7fc337bccd0b3ae8 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\drpbx.exe.log
| MD5 | 6a0f54467260893b55f9d04c3bad702c |
| SHA1 | 177b81fe0d1f2635804306c25e622cc546bbef38 |
| SHA256 | 74657b15056a650a40c348f59a214432828d761c1ee5f30e222af86f445e5f31 |
| SHA512 | 6a70e703ecb8b2d46cce99002e31411eaeb2578062dd65378ed9c0a5d53ed2469b9befedd6f7b091bc0192b7152524a72cbf7cd9d611961f7a8946e8434c751e |
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
| MD5 | 7fab69dcc9fbee7ca91bef27dc551f63 |
| SHA1 | fe272f074373e80e2a00144e0fcc4de6e68cf0e3 |
| SHA256 | 6f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f |
| SHA512 | ac87841efd28941ee4b13142602b6f91a43b29136236d78ccde1ba838d453c9d9de5ab94ced8eaddb426f1b569ee8a3f593fdae04f02984b7fc337bccd0b3ae8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | 7e14ee65865d86bf5f846a2559cbba7d |
| SHA1 | 3c0a8b1ef68f0d726cabc6b100e622be82cb4069 |
| SHA256 | 5328c968651001725e6f1cb7dd79105cf04f2270b0679b897caeae2d6811f9fa |
| SHA512 | b0cb66cfd310d6bb2c7b9ec60d72b0763a9f8df99c9e19aec73fc6676de755bd7febbabf34b0ef22e643987e70bdf27d7831f6841cee198686f59164c121a3fa |