Analysis
-
max time kernel
69s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
28-12-2022 09:22
Static task
static1
Behavioral task
behavioral1
Sample
HEUR-Trojan.Win32.Generic-9f3c538a1118f82d49a993967c520be4c7f14ad994eb17c4d778e5d7f32241a7.exe
Resource
win7-20220812-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
HEUR-Trojan.Win32.Generic-9f3c538a1118f82d49a993967c520be4c7f14ad994eb17c4d778e5d7f32241a7.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
HEUR-Trojan.Win32.Generic-9f3c538a1118f82d49a993967c520be4c7f14ad994eb17c4d778e5d7f32241a7.exe
-
Size
421KB
-
MD5
1ff8649e8f8d0652d583b9a648161d3f
-
SHA1
3441ff983221742ed460f8310e49203b5dc59a15
-
SHA256
9f3c538a1118f82d49a993967c520be4c7f14ad994eb17c4d778e5d7f32241a7
-
SHA512
ff67f2584c3646506ad346bac71676e6dd3923e14136e31613cc4bc6a67fe221e4520c034b7ce8c64a4cf2d5ac18e9c083e5e1a630c211cc29ff78d7685a226d
-
SSDEEP
12288:2w1pOfl/oUzs8vwfzNquSgkE9tSF/aXx:3po/oUNwfpqVrktOc
Score
10/10
Malware Config
Signatures
-
Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
-
Executes dropped EXE 1 IoCs
pid Process 892 drpbx.exe -
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File created C:\Users\Admin\Pictures\BlockWatch.raw.fun drpbx.exe File created C:\Users\Admin\Pictures\UnblockWrite.png.fun drpbx.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" HEUR-Trojan.Win32.Generic-9f3c538a1118f82d49a993967c520be4c7f14ad994eb17c4d778e5d7f32241a7.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml drpbx.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jsse.jar drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.runtime_0.10.0.v201209301036.jar.fun drpbx.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)redStateIcon.png drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml.fun drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\jhall-2.0_05.jar drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_CN.jar.fun drpbx.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png drpbx.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_docked.png drpbx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Messenger.xml drpbx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Paper.xml drpbx.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-disable.png drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif drpbx.exe File created C:\Program Files\7-Zip\Lang\ga.txt.fun drpbx.exe File opened for modification C:\Program Files\7-Zip\Lang\mr.txt drpbx.exe File opened for modification C:\Program Files (x86)\Internet Explorer\en-US\eula.rtf drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml.fun drpbx.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_OliveGreen.gif.fun drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_zh_4.4.0.v20140623020002.jar.fun drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.security_8.1.14.v20131031.jar.fun drpbx.exe File created C:\Program Files\ImportRead.xml.fun drpbx.exe File opened for modification C:\Program Files\7-Zip\Lang\ms.txt drpbx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Clarity.xml drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg.fun drpbx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\background.gif drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_ja.jar drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_zh_CN.jar.fun drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_zh_CN.jar.fun drpbx.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_hov.png drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.common_2.10.1.v20140901-1043.jar.fun drpbx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg drpbx.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot_lrg.png drpbx.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\15.png drpbx.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\7.png drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\javafx-doclet.jar.fun drpbx.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_hover.png drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImages.bmp.fun drpbx.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)greenStateIcon.png drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif.fun drpbx.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_down.png drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar.fun drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_ja_4.4.0.v20140623020002.jar.fun drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg.fun drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.BusinessData.xml.fun drpbx.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Solstice.xml drpbx.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_down.png drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\gradient.png.fun drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericon.jpg.fun drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sampler.xml drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_ja.jar drpbx.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576black.png drpbx.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\gadget.xml drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.ja_5.5.0.165303.jar.fun drpbx.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_zh_CN.jar.fun drpbx.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_ja.jar drpbx.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\content-background.png drpbx.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_s.png drpbx.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\47.png drpbx.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\daisies.png drpbx.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif.fun drpbx.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\weather.js drpbx.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1960 wrote to memory of 892 1960 HEUR-Trojan.Win32.Generic-9f3c538a1118f82d49a993967c520be4c7f14ad994eb17c4d778e5d7f32241a7.exe 28 PID 1960 wrote to memory of 892 1960 HEUR-Trojan.Win32.Generic-9f3c538a1118f82d49a993967c520be4c7f14ad994eb17c4d778e5d7f32241a7.exe 28 PID 1960 wrote to memory of 892 1960 HEUR-Trojan.Win32.Generic-9f3c538a1118f82d49a993967c520be4c7f14ad994eb17c4d778e5d7f32241a7.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-9f3c538a1118f82d49a993967c520be4c7f14ad994eb17c4d778e5d7f32241a7.exe"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-9f3c538a1118f82d49a993967c520be4c7f14ad994eb17c4d778e5d7f32241a7.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-9f3c538a1118f82d49a993967c520be4c7f14ad994eb17c4d778e5d7f32241a7.exe2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in Program Files directory
PID:892
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
421KB
MD51ff8649e8f8d0652d583b9a648161d3f
SHA13441ff983221742ed460f8310e49203b5dc59a15
SHA2569f3c538a1118f82d49a993967c520be4c7f14ad994eb17c4d778e5d7f32241a7
SHA512ff67f2584c3646506ad346bac71676e6dd3923e14136e31613cc4bc6a67fe221e4520c034b7ce8c64a4cf2d5ac18e9c083e5e1a630c211cc29ff78d7685a226d
-
Filesize
421KB
MD51ff8649e8f8d0652d583b9a648161d3f
SHA13441ff983221742ed460f8310e49203b5dc59a15
SHA2569f3c538a1118f82d49a993967c520be4c7f14ad994eb17c4d778e5d7f32241a7
SHA512ff67f2584c3646506ad346bac71676e6dd3923e14136e31613cc4bc6a67fe221e4520c034b7ce8c64a4cf2d5ac18e9c083e5e1a630c211cc29ff78d7685a226d