mespinoza | 6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799

General

Target

6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
Size

500KB
MD5

35ac0fcbe2b73a541366f2ef83e801cf
SHA1

a80b1f9f44156bc876b9f1e641745af1a5a77be2
SHA256

6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799
SHA512

8a6e9fe27d5235fdcc1ce8429b891c93330d2dde0687cc7fdd590622314bebf56b3948f169bf913cf0786ab8d30439e1ba4b4ca01739a636c1f7e04df92a05f9

Score

10^/10

mespinoza ransomware spyware stealer

Malware Config

Signatures

Mespinoza Ransomware 2 TTPs
Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.
ransomware mespinoza

Query Registry
T1012

Data Encrypted for Impact
T1486

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ClearUnpublish.crw => C:\Users\Admin\Pictures\ClearUnpublish.crw.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Users\Admin\Pictures\ClearUnpublish.crw.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File renamed	C:\Users\Admin\Pictures\SkipApprove.crw => C:\Users\Admin\Pictures\SkipApprove.crw.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Users\Admin\Pictures\SkipApprove.crw.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File renamed	C:\Users\Admin\Pictures\UpdateProtect.crw => C:\Users\Admin\Pictures\UpdateProtect.crw.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Users\Admin\Pictures\WriteResolve.tif.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File renamed	C:\Users\Admin\Pictures\OptimizePush.png => C:\Users\Admin\Pictures\OptimizePush.png.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Users\Admin\Pictures\ProtectMove.tif.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File renamed	C:\Users\Admin\Pictures\WriteResolve.tif => C:\Users\Admin\Pictures\WriteResolve.tif.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File renamed	C:\Users\Admin\Pictures\CloseComplete.raw => C:\Users\Admin\Pictures\CloseComplete.raw.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Users\Admin\Pictures\OptimizePush.png.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateProtect.crw.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Users\Admin\Pictures\CloseComplete.raw.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File renamed	C:\Users\Admin\Pictures\ProtectMove.tif => C:\Users\Admin\Pictures\ProtectMove.tif.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nb-no\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files (x86)\Common Files\System\ado\en-US\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_export_18.svg.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\tr-tr\ui-strings.js.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\es-es\ui-strings.js.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_nl_135x40.svg.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\share_icons2x.png.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_ja_4.4.0.v20140623020002.jar.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\keystore\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\css\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-ma\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-fr\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\ui-strings.js.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\eu-es\ui-strings.js.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\share.svg.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pl-pl\ui-strings.js.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hr-hr\ui-strings.js.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.format.ps1xml.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pt-br\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository_1.1.300.v20131211-1531.jar.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\vlc.mo.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fi-fi\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\adc_logo.png.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-Bold.otf.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.properties.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.event_1.3.100.v20140115-1647.jar.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\ui-strings.js.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-ae\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-uisupport.jar.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\ui-strings.js.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\vlc.mo.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\AppStore_icon.svg.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-cn\ui-strings.js.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\reflow.api.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\virgo-new-folder.svg.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\it-it\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_ja.jar.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner2x.gif.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png.pysa	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\he-il\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe

Drops file in Windows directory 1 IoCs

Processes:

6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe

description ioc process

File created C:\Windows\Readme.README 6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Readme.README	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe

description	pid	process	target process
PID 4092 wrote to memory of 3372	4092	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe	cmd.exe
PID 4092 wrote to memory of 3372	4092	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe	cmd.exe
PID 4092 wrote to memory of 3372	4092	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = 48006900200043006f006d00700061006e0079002c000d000a000d000a00450076006500720079002000620079007400650020006f006e00200061006e00790020007400790070006500730020006f006600200079006f0075007200200064006500760069006300650073002000770061007300200065006e0063007200790070007400650064002e000d000a0044006f006e00270074002000740072007900200074006f00200075007300650020006200610063006b007500700073002000620065006300610075007300650020006900740020007700650072006500200065006e006300720079007000740065006400200074006f006f002e000d000a000d000a0054006f002000670065007400200061006c006c00200079006f00750072002000640061007400610020006200610063006b00200063006f006e0074006100630074002000750073003a000d000a004e00690063006f006c0065004500730063006f006200650064006f0040006f006e0069006f006e006d00610069006c002e006f00720067000d000a0053006800610072006f006e00530069006d006d006f006e00730040006f006e0069006f006e006d00610069006c002e006f00720067000d000a00530063006f0074007400480061006d00690074006f006e004000700072006f0074006f006e006d00610069006c002e0063006f006d000d000a000d000a0041006c0073006f002c0020006200650020006100770061007200650020007400680061007400200077006500200064006f0077006e006c006f0061006400650064002000660069006c00650073002000660072006f006d00200079006f007500720020007300650072007600650072007300200061006e006400200069006e002000630061007300650020006f00660020006e006f006e002d007000610079006d0065006e0074002000770065002000770069006c006c00200062006500200066006f007200630065006400200074006f002000750070006c006f006100640020007400680065006d0020006f006e0020006f0075007200200077006500620073006900740065002c00200061006e00640020006900660020006e00650063006500730073006100720079002c002000770065002000770069006c006c002000730065006c006c0020007400680065006d0020006f006e00200074006800650020006400610072006b006e00650074002e000d000a0043006800650063006b0020006f007500740020006f0075007200200077006500620073006900740065002c0020007700650020006a00750073007400200070006f00730074006500640020007400680065007200650020006e006500770020007500700064006100740065007300200066006f00720020006f0075007200200070006100720074006e006500720073003a00200068007400740070003a002f002f00770071006d0066007a006e00690032006e0076006200620070006b00320035002e006f006e0069006f006e002f000d000a002d002d002d002d002d002d002d002d002d002d002d002d002d002d000d000a000d000a004600410051003a000d000a000d000a0031002e000d000a0020002000200051003a00200048006f0077002000630061006e002000490020006d0061006b00650020007300750072006500200079006f007500200064006f006e0027007400200066006f006f006c0069006e00670020006d0065003f000d000a0020002000200041003a00200059006f0075002000630061006e002000730065006e006400200075007300200032002000660069006c006500730028006d0061007800200032006d00620029002e000d000a000d000a0032002e000d000a0020002000200051003a0020005700680061007400200074006f00200064006f00200074006f002000670065007400200061006c006c002000640061007400610020006200610063006b003f000d000a0020002000200041003a00200044006f006e0027007400200072006500730074006100720074002000740068006500200063006f006d00700075007400650072002c00200064006f006e002700740020006d006f00760065002000660069006c0065007300200061006e0064002000770072006900740065002000750073002e000d000a000d000a0033002e000d000a0020002000200051003a0020005700680061007400200074006f002000740065006c006c0020006d007900200062006f00730073003f000d000a0020002000200041003a002000500072006f007400650063007400200059006f00750072002000530079007300740065006d00200041006d00690067006f002e000d000a000d000a000000	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = 50005900530041000000	6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe

C:\Users\Admin\AppData\Local\Temp\6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe
"C:\Users\Admin\AppData\Local\Temp\6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
2⤵
PID:3372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Data Encrypted for Impact

1

T1486

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\update.bat
MD5
589152556c60550f99f21262a4e27104

SHA1
9cd9c48b41c2310de84516bcc31a4d54d140405a

SHA256
334e3caba33749c9a7b9937e5c7c874fd497063987c5b178ece54826b610a4d2

SHA512
e88dc327608d9e2066289bfe3dc540cb5a3503f9fd36059ac992431be647cfad4430bd386efbb83e90754a833dcee6a483e497546a5becc1cc8f7c87e472c67a

Download Submit
memory/3372-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads