mespinoza | 931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43

General

Target

931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
Size

500KB
MD5

3f558a6a53c72b726b42d21fa1faaf83
SHA1

6f5f822260e4deaa859f3f17e81d9349950d9e34
SHA256

931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43
SHA512

932442ae873bdd196142d9fc023d8c7ca05eeb55f728aa78dd451aaae5e35c13e701a3ca17bd8d79b8f924901677668275d325e7182d40f71e9b931a7ad568cd

Score

10^/10

mespinoza ransomware spyware stealer

Malware Config

Signatures

Mespinoza Ransomware 2 TTPs
Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.
ransomware mespinoza

Query Registry
T1012

Data Encrypted for Impact
T1486

Modifies extensions of user files 20 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\RevokePush.tiff.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Users\Admin\Pictures\StepCompress.tif.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File renamed	C:\Users\Admin\Pictures\UndoSplit.tif => C:\Users\Admin\Pictures\UndoSplit.tif.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Users\Admin\Pictures\UndoSplit.tif.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateMerge.raw.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File renamed	C:\Users\Admin\Pictures\ConvertExit.raw => C:\Users\Admin\Pictures\ConvertExit.raw.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertExit.raw.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File renamed	C:\Users\Admin\Pictures\RevokePush.tiff => C:\Users\Admin\Pictures\RevokePush.tiff.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File renamed	C:\Users\Admin\Pictures\UpdateMerge.raw => C:\Users\Admin\Pictures\UpdateMerge.raw.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Users\Admin\Pictures\BackupMeasure.crw.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File renamed	C:\Users\Admin\Pictures\RenamePing.png => C:\Users\Admin\Pictures\RenamePing.png.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Users\Admin\Pictures\DismountResume.png.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File renamed	C:\Users\Admin\Pictures\StepCompress.tif => C:\Users\Admin\Pictures\StepCompress.tif.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File renamed	C:\Users\Admin\Pictures\SyncEdit.tiff => C:\Users\Admin\Pictures\SyncEdit.tiff.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Users\Admin\Pictures\SyncEdit.tiff.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File renamed	C:\Users\Admin\Pictures\BackupMeasure.crw => C:\Users\Admin\Pictures\BackupMeasure.crw.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Users\Admin\Pictures\CompressMount.tiff.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Users\Admin\Pictures\RenamePing.png.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File renamed	C:\Users\Admin\Pictures\CompressMount.tiff => C:\Users\Admin\Pictures\CompressMount.tiff.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File renamed	C:\Users\Admin\Pictures\DismountResume.png => C:\Users\Admin\Pictures\DismountResume.png.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\doh-rollout@mozilla.org.xpi.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\cs-cz\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\new_icons.png.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\blacklist.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-ae\ui-strings.js.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\PlayStore_icon.svg.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\cs-cz\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_link_18.svg.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ui-strings.js.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-gb\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\tr-tr\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\gu.pak.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\ui-strings.js.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\ui-strings.js.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_fw.png.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\ui-strings.js.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\cs-cz\ui-strings.js.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\ui-strings.js.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\close.svg.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\javaws.jar.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files\Mozilla Firefox\omni.ja.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations.png.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\edit_pdf_poster.jpg.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_ja.jar.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluEmptyStateCCFiles_280x192.svg.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\digsig_icons_2x.png.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nl-nl\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nl-nl\ui-strings.js.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_ja_4.4.0.v20140623020002.jar.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-ae\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pl-pl\ui-strings.js.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\ui-strings.js.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ca-es\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\logging.properties.pysa	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe

Drops file in Windows directory 1 IoCs

Processes:

931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe

description ioc process

File created C:\Windows\Readme.README 931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Readme.README	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe

description	pid	process	target process
PID 1308 wrote to memory of 1044	1308	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe	cmd.exe
PID 1308 wrote to memory of 1044	1308	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe	cmd.exe
PID 1308 wrote to memory of 1044	1308	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = 48006900200043006f006d00700061006e0079002c000d000a000d000a00450076006500720079002000620079007400650020006f006e00200061006e00790020007400790070006500730020006f006600200079006f0075007200200064006500760069006300650073002000770061007300200065006e0063007200790070007400650064002e000d000a0044006f006e00270074002000740072007900200074006f00200075007300650020006200610063006b007500700073002000620065006300610075007300650020006900740020007700650072006500200065006e006300720079007000740065006400200074006f006f002e000d000a000d000a0054006f002000670065007400200061006c006c00200079006f00750072002000640061007400610020006200610063006b00200063006f006e0074006100630074002000750073003a000d000a0041006e0064007200690061006e006f00730041006200610072006300610040006f006e0069006f006e006d00610069006c002e006f00720067000d000a0041006e0064007200690061006e0069004100620065006c0040006f006e0069006f006e006d00610069006c002e006f00720067000d000a00410064007200690061006e00690041006700750061004000700072006f0074006f006e006d00610069006c002e0063006f006d000d000a000d000a0041006c0073006f002c0020006200650020006100770061007200650020007400680061007400200077006500200064006f0077006e006c006f0061006400650064002000660069006c00650073002000660072006f006d00200079006f007500720020007300650072007600650072007300200061006e006400200069006e002000630061007300650020006f00660020006e006f006e002d007000610079006d0065006e0074002000770065002000770069006c006c00200062006500200066006f007200630065006400200074006f002000750070006c006f006100640020007400680065006d0020006f006e0020006f0075007200200077006500620073006900740065002c00200061006e00640020006900660020006e00650063006500730073006100720079002c002000770065002000770069006c006c002000730065006c006c0020007400680065006d0020006f006e00200074006800650020006400610072006b006e00650074002e000d000a0043006800650063006b0020006f007500740020006f0075007200200077006500620073006900740065002c0020007700650020006a00750073007400200070006f00730074006500640020007400680065007200650020006e006500770020007500700064006100740065007300200066006f00720020006f0075007200200070006100720074006e006500720073003a00200068007400740070003a002f002f00770071006d0066007a006e00690032006e0076006200620070006b00320035002e006f006e0069006f006e002f000d000a002d002d002d002d002d002d002d002d002d002d002d002d002d002d000d000a000d000a004600410051003a000d000a000d000a0031002e000d000a0020002000200051003a00200048006f0077002000630061006e002000490020006d0061006b00650020007300750072006500200079006f007500200064006f006e0027007400200066006f006f006c0069006e00670020006d0065003f000d000a0020002000200041003a00200059006f0075002000630061006e002000730065006e006400200075007300200032002000660069006c006500730028006d0061007800200032006d00620029002e000d000a000d000a0032002e000d000a0020002000200051003a0020005700680061007400200074006f00200064006f00200074006f002000670065007400200061006c006c002000640061007400610020006200610063006b003f000d000a0020002000200041003a00200044006f006e0027007400200072006500730074006100720074002000740068006500200063006f006d00700075007400650072002c00200064006f006e002700740020006d006f00760065002000660069006c0065007300200061006e0064002000770072006900740065002000750073002e000d000a000d000a0033002e000d000a0020002000200051003a0020005700680061007400200074006f002000740065006c006c0020006d007900200062006f00730073003f000d000a0020002000200041003a002000500072006f007400650063007400200059006f00750072002000530079007300740065006d00200041006d00690067006f002e000d000a000d000a000000	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = 50005900530041000000	931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe

C:\Users\Admin\AppData\Local\Temp\931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe
"C:\Users\Admin\AppData\Local\Temp\931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
2⤵
PID:1044

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Data Encrypted for Impact

1

T1486

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\update.bat
MD5
79c47726d14e13408e08f173d4d2c69e

SHA1
51ae7eb08aba4b0c60ff5f22a067ae14531fb93e

SHA256
a2e5cd6212a4b765358dc1be8bf573aca36991541df25efa10a2b8d7041bd08b

SHA512
ecc8913879ee0b50061a621af62c1327814c64cb2f69e04d3a9a32ed0c384741d091787618d370c3430f9e5a56b11a4b424d4f1a23175fa024b6171469281d4e

Download Submit
memory/1044-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads