af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8

General
Target

af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe

Filesize

500KB

Completed

08-04-2021 05:08

Score
10 /10
MD5

d751f54365181f544f908cc9ae3c91c5

SHA1

51cbc9455b7781cf0529f299631e59016fe52e95

SHA256

af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8

Malware Config
Signatures 9

Filter: none

Collection
Credential Access
Defense Evasion
Discovery
Impact
  • Mespinoza Ransomware

    Description

    Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.

    TTPs

    Query RegistryData Encrypted for Impact
  • Modifies extensions of user files
    af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Users\Admin\Pictures\FindAdd.png.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File renamedC:\Users\Admin\Pictures\RenameConnect.tif => C:\Users\Admin\Pictures\RenameConnect.tif.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File renamedC:\Users\Admin\Pictures\DisconnectMeasure.tiff => C:\Users\Admin\Pictures\DisconnectMeasure.tiff.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File renamedC:\Users\Admin\Pictures\EnterRequest.raw => C:\Users\Admin\Pictures\EnterRequest.raw.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Users\Admin\Pictures\EnterRequest.raw.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Users\Admin\Pictures\FormatSend.crw.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Users\Admin\Pictures\RenameConnect.tif.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File renamedC:\Users\Admin\Pictures\WatchRename.png => C:\Users\Admin\Pictures\WatchRename.png.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Users\Admin\Pictures\ExportGroup.png.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File renamedC:\Users\Admin\Pictures\FindAdd.png => C:\Users\Admin\Pictures\FindAdd.png.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File renamedC:\Users\Admin\Pictures\FormatSend.crw => C:\Users\Admin\Pictures\FormatSend.crw.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Users\Admin\Pictures\OpenEnter.tif.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Users\Admin\Pictures\WatchRename.png.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Users\Admin\Pictures\DisconnectMeasure.tiff.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File renamedC:\Users\Admin\Pictures\ExportGroup.png => C:\Users\Admin\Pictures\ExportGroup.png.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File renamedC:\Users\Admin\Pictures\OpenEnter.tif => C:\Users\Admin\Pictures\OpenEnter.tif.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
  • Deletes itself
    cmd.exe

    Reported IOCs

    pidprocess
    556cmd.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local SystemCredentials in Files
  • Drops file in Program Files directory
    af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Program Files\7-Zip\Lang\ku-ckb.txt.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\PREVIEW.GIF.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File createdC:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\Readme.READMEaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_ja.jar.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File createdC:\Program Files\VideoLAN\VLC\plugins\logger\Readme.READMEaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File createdC:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\Readme.READMEaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\St_Johns.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvm.jar.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\Java\jre7\lib\zi\America\Santa_Isabel.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\Java\jre7\lib\management\jmxremote.access.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File createdC:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\Readme.READMEaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODEXL.DLL.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_CN.jar.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File createdC:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\Readme.READMEaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\CASCADE.ELM.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_zh_4.4.0.v20140623020002.jar.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_ja.jar.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File createdC:\Program Files\Java\jre7\lib\zi\Asia\Readme.READMEaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\7-Zip\Lang\mng.txt.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File createdC:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Readme.READMEaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Sao_Paulo.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File createdC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\Readme.READMEaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\PREVIEW.GIF.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File createdC:\Program Files (x86)\Reference Assemblies\Readme.READMEaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins_1.1.200.v20131119-0908.jar.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\Java\jre7\lib\zi\Africa\Cairo.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\MOFL.DLL.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\PREVIEW.GIF.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File createdC:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\Readme.READMEaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\7-Zip\Lang\cs.txt.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\7-Zip\Lang\tr.txt.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.servlet_1.1.500.v20140318-1755.jar.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File createdC:\Program Files\VideoLAN\VLC\locale\kn\Readme.READMEaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\THMBNAIL.PNG.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_zh_4.4.0.v20140623020002.jar.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File createdC:\Program Files\VideoLAN\VLC\locale\sv\Readme.READMEaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\Java\jre7\lib\deploy\ffjcext.zip.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\7-Zip\Lang\ne.txt.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.bat.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Anchorage.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File createdC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\Readme.READMEaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File createdC:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\Readme.READMEaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File createdC:\Program Files\VideoLAN\VLC\locale\te\Readme.READMEaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\jconsole.jar.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File createdC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\Readme.READMEaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\vlc.mo.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\VideoLAN\VLC\lua\meta\art\01_googleimage.luac.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File createdC:\Program Files (x86)\Windows Sidebar\Gadgets\Readme.READMEaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.STD.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\MSB1FREN.DLL.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\7-Zip\Lang\ja.txt.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\VideoLAN\VLC\AUTHORS.txt.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\vlc.mo.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.ja_5.5.0.165303.jar.pysaaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
  • Drops file in Windows directory
    af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe

    Reported IOCs

    descriptioniocprocess
    File createdC:\Windows\Readme.READMEaf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious use of WriteProcessMemory
    af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1108 wrote to memory of 5561108af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.execmd.exe
    PID 1108 wrote to memory of 5561108af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.execmd.exe
    PID 1108 wrote to memory of 5561108af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.execmd.exe
    PID 1108 wrote to memory of 5561108af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.execmd.exe
    PID 1108 wrote to memory of 5561108af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.execmd.exe
    PID 1108 wrote to memory of 5561108af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.execmd.exe
    PID 1108 wrote to memory of 5561108af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.execmd.exe
  • System policy modification
    af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe

    Tags

    TTPs

    Modify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = 48006900200043006f006d00700061006e0079002c000d000a000d000a00450076006500720079002000620079007400650020006f006e00200061006e00790020007400790070006500730020006f006600200079006f0075007200200064006500760069006300650073002000770061007300200065006e0063007200790070007400650064002e000d000a0044006f006e00270074002000740072007900200074006f00200075007300650020006200610063006b007500700073002000620065006300610075007300650020006900740020007700650072006500200065006e006300720079007000740065006400200074006f006f002e000d000a000d000a0054006f002000670065007400200061006c006c00200079006f00750072002000640061007400610020006200610063006b00200063006f006e0074006100630074002000750073003a000d000a0052006f006200650072007400470075006e00740068006500720040006f006e0069006f006e006d00610069006c002e006f00720067000d000a004a00650061006e00650074007400650043006f006f006b0040006f006e0069006f006e006d00610069006c002e006f00720067000d000a004a006500660066006500720079005f00480061006d006d006f006e00640073004000700072006f0074006f006e006d00610069006c002e0063006f006d000d000a000d000a0041006c0073006f002c0020006200650020006100770061007200650020007400680061007400200077006500200064006f0077006e006c006f0061006400650064002000660069006c00650073002000660072006f006d00200079006f007500720020007300650072007600650072007300200061006e006400200069006e002000630061007300650020006f00660020006e006f006e002d007000610079006d0065006e0074002000770065002000770069006c006c00200062006500200066006f007200630065006400200074006f002000750070006c006f006100640020007400680065006d0020006f006e0020006f0075007200200077006500620073006900740065002c00200061006e00640020006900660020006e00650063006500730073006100720079002c002000770065002000770069006c006c002000730065006c006c0020007400680065006d0020006f006e00200074006800650020006400610072006b006e00650074002e000d000a0043006800650063006b0020006f007500740020006f0075007200200077006500620073006900740065002c0020007700650020006a00750073007400200070006f00730074006500640020007400680065007200650020006e006500770020007500700064006100740065007300200066006f00720020006f0075007200200070006100720074006e006500720073003a00200068007400740070003a002f002f00770071006d0066007a006e00690032006e0076006200620070006b00320035002e006f006e0069006f006e002f000d000a002d002d002d002d002d002d002d002d002d002d002d002d002d002d000d000a000d000a004600410051003a000d000a000d000a0031002e000d000a0020002000200051003a00200048006f0077002000630061006e002000490020006d0061006b00650020007300750072006500200079006f007500200064006f006e0027007400200066006f006f006c0069006e00670020006d0065003f000d000a0020002000200041003a00200059006f0075002000630061006e002000730065006e006400200075007300200032002000660069006c006500730028006d0061007800200032006d00620029002e000d000a000d000a0032002e000d000a0020002000200051003a0020005700680061007400200074006f00200064006f00200074006f002000670065007400200061006c006c002000640061007400610020006200610063006b003f000d000a0020002000200041003a00200044006f006e0027007400200072006500730074006100720074002000740068006500200063006f006d00700075007400650072002c00200064006f006e002700740020006d006f00760065002000660069006c0065007300200061006e0064002000770072006900740065002000750073002e000d000a000d000a0033002e000d000a0020002000200051003a0020005700680061007400200074006f002000740065006c006c0020006d007900200062006f00730073003f000d000a0020002000200041003a002000500072006f007400650063007400200059006f00750072002000530079007300740065006d00200041006d00690067006f002e000d000a000d000a000000af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = 50005900530041000000af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe
    "C:\Users\Admin\AppData\Local\Temp\af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8.exe"
    Modifies extensions of user files
    Drops file in Program Files directory
    Drops file in Windows directory
    Suspicious use of WriteProcessMemory
    System policy modification
    PID:1108
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
      Deletes itself
      PID:556
Network
MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
    Execution
      Exfiltration
        Initial Access
          Lateral Movement
            Persistence
              Privilege Escalation
                Replay Monitor
                00:00 00:00
                Downloads
                • C:\Users\Admin\AppData\Local\Temp\update.bat

                  MD5

                  2f88c475db8b20969e9234d1faf5f06f

                  SHA1

                  efc05a057ad80c482cb9600d70beda9c1d857289

                  SHA256

                  f0002a081ad6ca7e6b932bb63f2089d9ddf7191892590572022f34cdde7ea108

                  SHA512

                  bfa529272b3c55194dd4bd8ec54089faa0162abd7745d359cbc6729061d37aaab405742b50e9ec2d48a3aaffbb9de8436ed23f2e303e568ca26cc8d57229c172

                • memory/556-3-0x0000000000000000-mapping.dmp

                • memory/1108-2-0x00000000760D1000-0x00000000760D3000-memory.dmp