Analysis Overview
SHA256
14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9
Threat Level: Known bad
The file 14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9 was found to be: Known bad.
Malicious Activity Summary
Jigsaw Ransomware
Executes dropped EXE
Modifies extensions of user files
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-06 02:50
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-06 02:50
Reported
2022-03-06 02:52
Platform
win7-20220223-en
Max time kernel
4294177s
Max time network
119s
Command Line
Signatures
Jigsaw Ransomware
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\Pictures\ResumeApprove.png.locked | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Users\Admin\Pictures\ResumeDisable.png.locked | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Users\Admin\Pictures\SaveSplit.png.locked | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\7-Zip\Lang\lv.txt.locked | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.bat | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_h.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar.locked | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Class.zip | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multiview.jar.locked | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.jpg | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor_1.0.300.v20131211-1531.jar | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml.locked | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy.jar | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_right.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_h.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-templates.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImages.jpg | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\PublicFunctions.js | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar.locked | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pt_BR.jar.locked | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-attach.jar | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\UserControl.zip.locked | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.p2.ui.overridden_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\ViewHeaderPreview.jpg.locked | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\validation.js | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml.locked | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_hail.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_ja.jar.locked | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\play-background.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Casual.gif.locked | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_hov.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.bmp | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Pitchbook.potx | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent_partly-cloudy.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.ssl_1.0.0.v20140827-1444.jar | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\cpu.js | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_ja.jar.locked | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml.locked | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotslightoverlay.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.bat | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImages.jpg | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png.locked | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Adjacency.xml.locked | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar.locked | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar.locked | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\SoftBlue.jpg | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\logo.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.locked | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Simple.dotx.locked | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml.locked | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\corner.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1684 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe |
| PID 1684 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe |
| PID 1684 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe
"C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe"
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe
Network
Files
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
| MD5 | 17f29268c9f1c5d5bca8b2b66cd1044c |
| SHA1 | 16273c67d772dccd1bc9d375b1c9ffa25e83129c |
| SHA256 | 14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9 |
| SHA512 | bd4d3f760de8225626f748f0168188d40c283b1a5525234cb8ff63621ff5f5952c6d6bf6de464485784641ff7aa08d89979ad000d26feb34f44fc231287ab1db |
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-06 02:50
Reported
2022-03-06 02:52
Platform
win10v2004-en-20220112
Max time kernel
90s
Max time network
139s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 220 wrote to memory of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe | C:\Windows\system32\fondue.exe |
| PID 220 wrote to memory of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe | C:\Windows\system32\fondue.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe
"C:\Users\Admin\AppData\Local\Temp\14ee5fe40e76955ea27cc715dd5849f10ce7dc992c234db67467bbb1757aa8f9.exe"
C:\Windows\system32\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| FR | 51.75.129.204:443 | | tcp |
| LU | 46.226.111.65:9001 | | tcp |
| US | 72.21.91.29:80 | | tcp |
| US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp |
| IE | 51.104.164.114:443 | geo.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | kv801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | kv801.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | cp801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | | tcp |
| KR | 106.244.194.50:80 | | tcp |