4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def

General
Target

4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe

Filesize

31MB

Completed

07-07-2021 16:20

Score
10/10
MD5

5e522e76e656ec090c8555b61fbcf226

SHA1

6248d98b60c13b2d89caaa8059d29d4183616047

SHA256

4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def

Malware Config
Signatures 10

Collection
Credential Access
Defense Evasion
Discovery
Persistence
  • Jigsaw Ransomware

    Description

    Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

  • Executes dropped EXE
    drpbx.exe

    Reported IOCs

    pid | process
    3348 | drpbx.exe
  • Modifies extensions of user files
    drpbx.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Reported IOCs

    description | ioc | process
    File created | C:\Users\Admin\Pictures\OutStep.png.fun | drpbx.exe
    File created | C:\Users\Admin\Pictures\RenameJoin.tif.fun | drpbx.exe
    File created | C:\Users\Admin\Pictures\SyncClear.tif.fun | drpbx.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Adds Run key to start application
    4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | 4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe
  • Drops file in Program Files directory
    drpbx.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4642_20x20x32.png | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\69_20x20x32.png | drpbx.exe
    File created | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png.fun | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7336_20x20x32.png | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-36_contrast-black.png | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-256_altform-unplated_contrast-white.png | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailLargeTile.scale-150.png | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\mask\mask_corners_cardback.png | drpbx.exe
    File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\pt-br\ui-strings.js.fun | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-64_altform-unplated.png | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\LargeTile.scale-125.png | drpbx.exe
    File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\tr-tr\ui-strings.js.fun | drpbx.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\de-de\ui-strings.js | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5941_20x20x32.png | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\bs_16x11.png | drpbx.exe
    File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png.fun | drpbx.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-up-pressed.gif | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\Sounds\Saving_Contact.wav | drpbx.exe
    File created | C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml.fun | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\Assets\Buttons\Menu\Menu_back-over.png | drpbx.exe
    File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_anonymoususer_18.svg.fun | drpbx.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\zh-tw_get.svg | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletLockScreenLogo.scale-200.png | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200_contrast-high.png | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-400.png | drpbx.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js | drpbx.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-ma\ui-strings.js | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7739_32x32x32.png | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.scale-100.png | drpbx.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugin.js | drpbx.exe
    File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js.fun | drpbx.exe
    File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\appstore.png.fun | drpbx.exe
    File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ja-jp\ui-strings.js.fun | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailBadge.scale-100.png | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\ee_16x11.png | drpbx.exe
    File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\next-arrow-default.svg.fun | drpbx.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\ui-strings.js | drpbx.exe
    File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-fr\ui-strings.js.fun | drpbx.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_close_h.png | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Show.png | drpbx.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml | drpbx.exe
    File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_zh_CN.jar.fun | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ve_60x42.png | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml | drpbx.exe
    File created | C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\notice.txt.fun | drpbx.exe
    File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar.fun | drpbx.exe
    File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.emf.ecore.change_2.10.0.v20140901-1043.jar.fun | drpbx.exe
    File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-spi-quicksearch.jar.fun | drpbx.exe
    File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml.fun | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-100.png | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxBadge.scale-125.png | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Spider\spiderassets.xml | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_cardback.png | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\WideTile.scale-200.png | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-white_scale-200.png | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-40_altform-unplated.png | drpbx.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\bun.png | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1851_32x32x32.png | drpbx.exe
    File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png.fun | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-16.png | drpbx.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host.jar | drpbx.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\info.png | drpbx.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Smiley face.png | drpbx.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious behavior: EnumeratesProcesses
    4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe, drpbx.exe

    Reported IOCs

    pid | process
    3736 | 4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe
    3348 | drpbx.exe (33 identical rows reported)
  • Suspicious use of AdjustPrivilegeToken
    4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe, drpbx.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 3736 | 4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe
    Token: SeDebugPrivilege | 3348 | drpbx.exe
  • Suspicious use of WriteProcessMemory
    4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe

    Reported IOCs

    description | pid | process | target process
    PID 3736 wrote to memory of 3348 | 3736 | 4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe | drpbx.exe
    PID 3736 wrote to memory of 3348 | 3736 | 4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe | drpbx.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe
    "C:\Users\Admin\AppData\Local\Temp\4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe"
    Adds Run key to start application
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3736
    • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def.exe
      Executes dropped EXE
      Modifies extensions of user files
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3348
Network
MITRE ATT&CK Matrix
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

    MD5

    5e522e76e656ec090c8555b61fbcf226

    SHA1

    6248d98b60c13b2d89caaa8059d29d4183616047

    SHA256

    4ba36ecc13f6b08e1523fa7f8fd228b739d1f6918c5c7f9779c536b91dbb3def

    SHA512

    b1f4a0f0aea64ab76d0635fac5d159a2dd9df73f0944b0bafb66d6bec16e6887e5c412334ffe7418d2609df07ab5732f8fd4c387181d5c33465f499d86c7a2d4

  • memory/3348-120-0x0000000001282000-0x0000000001284000-memory.dmp
  • memory/3348-121-0x0000000001284000-0x0000000001285000-memory.dmp
  • memory/3348-116-0x0000000000000000-mapping.dmp
  • memory/3348-119-0x0000000001280000-0x0000000001282000-memory.dmp
  • memory/3348-122-0x0000000001285000-0x0000000001287000-memory.dmp
  • memory/3348-123-0x000000000128A000-0x000000000128F000-memory.dmp
  • memory/3736-114-0x0000000000B60000-0x0000000000B62000-memory.dmp
  • memory/3736-115-0x0000000000B62000-0x0000000000B64000-memory.dmp