4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def

max time kernel135s
max time network59s
platformwindows7_x64
resourcewin7v20210408
submitted07-07-2021 16:14

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe

Filesize

31MB

Completed

07-07-2021 16:21

Score

10^/10

MD5

5e522e76e656ec090c8555b61fbcf226

SHA1

6248d98b60c13b2d89caaa8059d29d4183616047

SHA256

4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def

Collection

Credential Access

Defense Evasion

Discovery

Persistence

Jigsaw Ransomware

Description

Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

Tags

ransomware jigsaw
Executes dropped EXE
drpbx.exe

Reported IOCs

pid process

268 drpbx.exe

pid	process
268	drpbx.exe

Modifies extensions of user files

drpbx.exe

Description

Ransomware generally changes the extension on encrypted files.

Reported IOCs

description	ioc	process
File created	C:\Users\Admin\Pictures\RestoreResize.png.fun	drpbx.exe
File created	C:\Users\Admin\Pictures\SelectUnblock.raw.fun	drpbx.exe
File created	C:\Users\Admin\Pictures\AssertSplit.raw.fun	drpbx.exe
File created	C:\Users\Admin\Pictures\GetRestart.png.fun	drpbx.exe

Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files

Adds Run key to start application

4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe

Drops file in Program Files directory

drpbx.exe

Reported IOCs

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_foggy.png	drpbx.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_settings.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\41.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpcore_4.2.5.v201311072007.jar	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml.fun	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\26.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar.fun	drpbx.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\invalid32x32.gif.fun	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyDrop32x32.gif	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\InfoPathWelcomeImage.jpg.fun	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.fun	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\37.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui_5.5.0.165303.jar	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\background.gif	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIconSubpict.png	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp.fun	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_hail.png	drpbx.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apex.xml	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.zh_CN_5.5.0.165303.jar	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-heapdump.jar	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Flow.xml.fun	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Module.zip.fun	drpbx.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryLetter.dotx	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\16-on-black.gif	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.ssl_1.1.0.v20140827-1444.jar.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\SketchIconImages.bmp	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar.fun	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\ResourceInternal.zip.fun	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pt_BR.jar	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosecolor.gif	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_left.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml.fun	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_GreenTea.gif.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl.png	drpbx.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogoCanary.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-4.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.ja_5.5.0.165303.jar.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_ja.jar.fun	drpbx.exe

Enumerates physical storage devices

Description

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs

System Information Discovery
Suspicious behavior: EnumeratesProcesses
4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exedrpbx.exe

Reported IOCs

pid process

1516 4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe
268 drpbx.exe
268 drpbx.exe
268 drpbx.exe
Suspicious behavior: GetForegroundWindowSpam
dw20.exe

Reported IOCs

pid process

1424 dw20.exe

pid	process
1516	4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe
268	drpbx.exe
268	drpbx.exe
268	drpbx.exe

pid	process
1424	dw20.exe

Suspicious use of AdjustPrivilegeToken

4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exedrpbx.exe

Reported IOCs

description	pid	process
Token: SeDebugPrivilege	1516	4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe
Token: SeDebugPrivilege	268	drpbx.exe

Suspicious use of WriteProcessMemory

4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exedrpbx.exe

Reported IOCs

description	pid	process	target process
PID 1516 wrote to memory of 268	1516	4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe	drpbx.exe
PID 1516 wrote to memory of 268	1516	4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe	drpbx.exe
PID 1516 wrote to memory of 268	1516	4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe	drpbx.exe
PID 268 wrote to memory of 1424	268	drpbx.exe	dw20.exe
PID 268 wrote to memory of 1424	268	drpbx.exe	dw20.exe
PID 268 wrote to memory of 1424	268	drpbx.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe

"C:\Users\Admin\AppData\Local\Temp\4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe"

Adds Run key to start application
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1516

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe

Executes dropped EXE
Modifies extensions of user files
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:268

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 576

Suspicious behavior: GetForegroundWindowSpam

PID:1424

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Modify Registry

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
MD5
5e522e76e656ec090c8555b61fbcf226

SHA1
6248d98b60c13b2d89caaa8059d29d4183616047

SHA256
4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def

SHA512
b1f4a0f0aea64ab76d0635fac5d159a2dd9df73f0944b0bafb66d6bec16e6887e5c412334ffe7418d2609df07ab5732f8fd4c387181d5c33465f499d86c7a2d4

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
MD5
5e522e76e656ec090c8555b61fbcf226

SHA1
6248d98b60c13b2d89caaa8059d29d4183616047

SHA256
4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def

SHA512
b1f4a0f0aea64ab76d0635fac5d159a2dd9df73f0944b0bafb66d6bec16e6887e5c412334ffe7418d2609df07ab5732f8fd4c387181d5c33465f499d86c7a2d4

Download Submit
memory/268-72-0x00000000020C9000-0x00000000020CB000-memory.dmp

Download
memory/268-67-0x00000000020A0000-0x00000000020A2000-memory.dmp

Download
memory/268-62-0x0000000000000000-mapping.dmp

Download
memory/268-65-0x000007FEF2CB0000-0x000007FEF3D46000-memory.dmp

Download
memory/268-68-0x00000000020A6000-0x00000000020C5000-memory.dmp

Download
memory/1424-70-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

Download
memory/1424-71-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Download
memory/1424-69-0x0000000000000000-mapping.dmp

Download
memory/1516-66-0x0000000000626000-0x0000000000645000-memory.dmp

Download
memory/1516-61-0x000007FEF2CB0000-0x000007FEF3D46000-memory.dmp

Download
memory/1516-60-0x0000000000620000-0x0000000000622000-memory.dmp

Download

4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def

Filter: none

Description

Tags

Reported IOCs

Description

Tags

Reported IOCs

Description

Tags

TTPs

Tags

TTPs

Reported IOCs

Reported IOCs

Description

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title