File name:

2773e3dc59472296cb0024ba7715a64e.exe

Full analysis: https://app.any.run/tasks/e8e04d00-a0b3-4174-b8a9-e22bfa6c4f56
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: December 14, 2024, 05:10:47
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
jigsaw
ransomware
confuser
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 5 sections
MD5:

2773E3DC59472296CB0024BA7715A64E

SHA1:

27D99FBCA067F478BB91CDBCB92F13A828B00859

SHA256:

3AE96F73D805E1D3995253DB4D910300D8442EA603737A1428B613061E7F61E7

SSDEEP:

6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXusy:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 4716)

    • JIGSAW has been detected

      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 4716)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 4716)

    • Reads security settings of Internet Explorer

      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 4716)

    • Starts itself from another location

      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 4716)

    • Reads the date of Windows installation

      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 4716)

  • INFO

    • Checks supported languages

      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 4716)
      • drpbx.exe (PID: 6196)

    • Creates files or folders in the user directory

      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 4716)

    • Reads the computer name

      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 4716)
      • drpbx.exe (PID: 6196)

    • Process checks computer location settings

      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 4716)

    • The process uses the downloaded file

      • 2773e3dc59472296cb0024ba7715a64e.exe (PID: 4716)

    • Confuser has been detected (YARA)

      • drpbx.exe (PID: 6196)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (61.6)
.dll | Win32 Dynamic Link Library (generic) (14.6)
.exe | Win32 Executable (generic) (10)
.exe | Win16/32 Executable Delphi generic (4.6)
.exe | Generic Win/DOS Executable (4.4)

EXIF

EXE

AssemblyVersion: 37.0.2.5583
ProductVersion: 37.0.2.5583
ProductName: Firefox
OriginalFileName: BitcoinBlackmailer.exe
LegalTrademarks: -
LegalCopyright: Copyright 1999-2012 Firefox and Mozzilla developers. All rights reserved.
InternalName: BitcoinBlackmailer.exe
FileVersion: 37.0.2.5583
FileDescription: Firefox
CompanyName: -
Comments: -
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 37.0.2.5583
FileVersionNumber: 37.0.2.5583
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x4e00a
UninitializedDataSize: -
InitializedDataSize: 216576
CodeSize: 72704
LinkerVersion: 8
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2016:03:31 06:28:14+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
128
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #JIGSAW 2773e3dc59472296cb0024ba7715a64e.exe drpbx.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
4716"C:\Users\admin\AppData\Local\Temp\2773e3dc59472296cb0024ba7715a64e.exe" C:\Users\admin\AppData\Local\Temp\2773e3dc59472296cb0024ba7715a64e.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
37.0.2.5583
Modules
Images
c:\users\admin\appdata\local\temp\2773e3dc59472296cb0024ba7715a64e.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
6196"C:\Users\admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\admin\AppData\Local\Temp\2773e3dc59472296cb0024ba7715a64e.exeC:\Users\admin\AppData\Local\Drpbx\drpbx.exe2773e3dc59472296cb0024ba7715a64e.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Firefox
Version:
37.0.2.5583
Modules
Images
c:\users\admin\appdata\local\drpbx\drpbx.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
589
Read events
588
Write events
1
Delete events
0

Modification events

(PID) Process:(4716) 2773e3dc59472296cb0024ba7715a64e.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:firefox.exe
Value:
C:\Users\admin\AppData\Roaming\Frfx\firefox.exe
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
47162773e3dc59472296cb0024ba7715a64e.exeC:\Users\admin\AppData\Roaming\Frfx\firefox.exeexecutable
MD5:2773E3DC59472296CB0024BA7715A64E
SHA256:3AE96F73D805E1D3995253DB4D910300D8442EA603737A1428B613061E7F61E7
47162773e3dc59472296cb0024ba7715a64e.exeC:\Users\admin\AppData\Local\Drpbx\drpbx.exeexecutable
MD5:2773E3DC59472296CB0024BA7715A64E
SHA256:3AE96F73D805E1D3995253DB4D910300D8442EA603737A1428B613061E7F61E7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
34
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.20.245.138:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.20.245.138:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.20.245.138:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
7056
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7056
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
2.20.245.138:80
crl.microsoft.com
Akamai International B.V.
SE
whitelisted
2.20.245.138:80
crl.microsoft.com
Akamai International B.V.
SE
whitelisted
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
2.21.110.146:443
www.bing.com
AKAMAI-AS
DE
whitelisted
1176
svchost.exe
20.190.160.14:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 2.20.245.138
  • 2.20.245.137
whitelisted
www.microsoft.com
  • 2.23.181.156
  • 95.101.149.131
whitelisted
www.bing.com
  • 2.21.110.146
  • 2.21.110.139
whitelisted
login.live.com
  • 20.190.160.14
  • 40.126.32.134
  • 20.190.160.22
  • 40.126.32.74
  • 40.126.32.72
  • 40.126.32.133
  • 20.190.160.20
  • 40.126.32.76
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 184.30.17.189
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fd.api.iris.microsoft.com
  • 20.223.36.55
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
2773e3dc59472296cb0024ba7715a64e.exe