4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def

General
Target

4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe

Filesize

31MB

Completed

07-07-2021 16:21

Score
10/10
MD5

5e522e76e656ec090c8555b61fbcf226

SHA1

6248d98b60c13b2d89caaa8059d29d4183616047

SHA256

4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def

Malware Config
Signatures 11


Collection
Credential Access
Defense Evasion
Discovery
Persistence
  • Jigsaw Ransomware

    Description

    Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

  • Executes dropped EXE
    drpbx.exe

    Reported IOCs

    pid | process
    268 | drpbx.exe
  • Modifies extensions of user files
    drpbx.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    description | ioc | process
    File created | C:\Users\Admin\Pictures\RestoreResize.png.fun | drpbx.exe
    File created | C:\Users\Admin\Pictures\SelectUnblock.raw.fun | drpbx.exe
    File created | C:\Users\Admin\Pictures\AssertSplit.raw.fun | drpbx.exe
    File created | C:\Users\Admin\Pictures\GetRestart.png.fun | drpbx.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System; Credentials in Files
  • Adds Run key to start application
    4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | 4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe
  • Drops file in Program Files directory
    drpbx.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_foggy.png | drpbx.exe
    File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml | drpbx.exe
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png | drpbx.exe
    File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_settings.png | drpbx.exe
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\41.png | drpbx.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpcore_4.2.5.v201311072007.jar | drpbx.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml.fun | drpbx.exe
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png | drpbx.exe
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\26.png | drpbx.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar.fun | drpbx.exe
    File created | C:\Program Files\Java\jre7\lib\images\cursors\invalid32x32.gif.fun | drpbx.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyDrop32x32.gif | drpbx.exe
    File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\InfoPathWelcomeImage.jpg.fun | drpbx.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar | drpbx.exe
    File created | C:\Program Files\7-Zip\Lang\ko.txt.fun | drpbx.exe
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\37.png | drpbx.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui_5.5.0.165303.jar | drpbx.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\background.gif | drpbx.exe
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIconSubpict.png | drpbx.exe
    File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp.fun | drpbx.exe
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_hail.png | drpbx.exe
    File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml | drpbx.exe
    File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg.fun | drpbx.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png.fun | drpbx.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apex.xml | drpbx.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml | drpbx.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.zh_CN_5.5.0.165303.jar | drpbx.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-heapdump.jar | drpbx.exe
    File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Flow.xml.fun | drpbx.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt | drpbx.exe
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png | drpbx.exe
    File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Module.zip.fun | drpbx.exe
    File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg | drpbx.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryLetter.dotx | drpbx.exe
    File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\16-on-black.gif | drpbx.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.ssl_1.1.0.v20140827-1444.jar.fun | drpbx.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif | drpbx.exe
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png | drpbx.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\SketchIconImages.bmp | drpbx.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar | drpbx.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar.fun | drpbx.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif | drpbx.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar.fun | drpbx.exe
    File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\ResourceInternal.zip.fun | drpbx.exe
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png | drpbx.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pt_BR.jar | drpbx.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosecolor.gif | drpbx.exe
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png | drpbx.exe
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_left.png | drpbx.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar | drpbx.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml.fun | drpbx.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml.fun | drpbx.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar | drpbx.exe
    File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_GreenTea.gif.fun | drpbx.exe
    File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl.png | drpbx.exe
    File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogoCanary.png | drpbx.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar.fun | drpbx.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.fun | drpbx.exe
    File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-4.png | drpbx.exe
    File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous.png | drpbx.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.ja_5.5.0.165303.jar.fun | drpbx.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar.fun | drpbx.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml.fun | drpbx.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_ja.jar.fun | drpbx.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious behavior: EnumeratesProcesses
    4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe, drpbx.exe

    Reported IOCs

    pid | process
    1516 | 4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe
    268 | drpbx.exe
    268 | drpbx.exe
    268 | drpbx.exe
  • Suspicious behavior: GetForegroundWindowSpam
    dw20.exe

    Reported IOCs

    pid | process
    1424 | dw20.exe
  • Suspicious use of AdjustPrivilegeToken
    4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe, drpbx.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1516 | 4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe
    Token: SeDebugPrivilege | 268 | drpbx.exe
  • Suspicious use of WriteProcessMemory
    4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe, drpbx.exe

    Reported IOCs

    description | pid | process | target process
    PID 1516 wrote to memory of 268 | 1516 | 4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe | drpbx.exe
    PID 1516 wrote to memory of 268 | 1516 | 4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe | drpbx.exe
    PID 1516 wrote to memory of 268 | 1516 | 4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe | drpbx.exe
    PID 268 wrote to memory of 1424 | 268 | drpbx.exe | dw20.exe
    PID 268 wrote to memory of 1424 | 268 | drpbx.exe | dw20.exe
    PID 268 wrote to memory of 1424 | 268 | drpbx.exe | dw20.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe
    "C:\Users\Admin\AppData\Local\Temp\4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe"
    Adds Run key to start application
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe
      Executes dropped EXE
      Modifies extensions of user files
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        dw20.exe -x -s 576
        Suspicious behavior: GetForegroundWindowSpam
        PID:1424
Network
MITRE ATT&CK Matrix
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

    MD5

    5e522e76e656ec090c8555b61fbcf226

    SHA1

    6248d98b60c13b2d89caaa8059d29d4183616047

    SHA256

    4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def

    SHA512

    b1f4a0f0aea64ab76d0635fac5d159a2dd9df73f0944b0bafb66d6bec16e6887e5c412334ffe7418d2609df07ab5732f8fd4c387181d5c33465f499d86c7a2d4

  • memory/268-72-0x00000000020C9000-0x00000000020CB000-memory.dmp

  • memory/268-67-0x00000000020A0000-0x00000000020A2000-memory.dmp

  • memory/268-62-0x0000000000000000-mapping.dmp

  • memory/268-65-0x000007FEF2CB0000-0x000007FEF3D46000-memory.dmp

  • memory/268-68-0x00000000020A6000-0x00000000020C5000-memory.dmp

  • memory/1424-70-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

  • memory/1424-71-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

  • memory/1424-69-0x0000000000000000-mapping.dmp

  • memory/1516-66-0x0000000000626000-0x0000000000645000-memory.dmp

  • memory/1516-61-0x000007FEF2CB0000-0x000007FEF3D46000-memory.dmp

  • memory/1516-60-0x0000000000620000-0x0000000000622000-memory.dmp