Overview
overview
10Static
static
049263e712...6c.exe
windows7_x64
10049263e712...6c.exe
windows10_x64
102a2eb971b8...d0.exe
windows7_x64
102a2eb971b8...d0.exe
windows10_x64
1032d6be4f86...f3.exe
windows7_x64
1032d6be4f86...f3.exe
windows10_x64
1039ef1d9afd...d8.exe
windows7_x64
1039ef1d9afd...d8.exe
windows10_x64
103a83805e3a...7e.exe
windows7_x64
103a83805e3a...7e.exe
windows10_x64
10d1b6ee9b71...2b.exe
windows7_x64
10d1b6ee9b71...2b.exe
windows10_x64
10Analysis
-
max time kernel
39s -
max time network
70s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
16-06-2021 05:59
Static task
static1
Behavioral task
behavioral1
Sample
049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe
Resource
win10v20210408
Behavioral task
behavioral3
Sample
2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe
Resource
win7v20210410
Behavioral task
behavioral4
Sample
2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe
Resource
win10v20210408
Behavioral task
behavioral5
Sample
32d6be4f86451871f70590f01ce01e9263abe18286db1272928a23c125e844f3.exe
Resource
win7v20210410
Behavioral task
behavioral6
Sample
32d6be4f86451871f70590f01ce01e9263abe18286db1272928a23c125e844f3.exe
Resource
win10v20210408
Behavioral task
behavioral7
Sample
39ef1d9afd248791d765f0deaed6ebaac5416876a705e407cc97a35dad038fd8.exe
Resource
win7v20210410
Behavioral task
behavioral8
Sample
39ef1d9afd248791d765f0deaed6ebaac5416876a705e407cc97a35dad038fd8.exe
Resource
win10v20210410
Behavioral task
behavioral9
Sample
3a83805e3ad41c6acd7931a0902b519669b8f38e491357c6f31fa46509f3c77e.exe
Resource
win7v20210408
Behavioral task
behavioral10
Sample
3a83805e3ad41c6acd7931a0902b519669b8f38e491357c6f31fa46509f3c77e.exe
Resource
win10v20210410
Behavioral task
behavioral11
Sample
d1b6ee9b716fe48e51ac4e6bec691366bb08d507773d61a5d14fb15ec5e25e2b.exe
Resource
win7v20210408
Behavioral task
behavioral12
Sample
d1b6ee9b716fe48e51ac4e6bec691366bb08d507773d61a5d14fb15ec5e25e2b.exe
Resource
win10v20210410
General
-
Target
049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe
-
Size
532KB
-
MD5
abdc29577ef646613ecc089bf0a0bf6a
-
SHA1
97760dfeefa72766ec28973c331faad441bfc5f8
-
SHA256
049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c
-
SHA512
bfb85082f95182027bb9aa81f1c350784543bef227757b79046c73447fa10a669f4f9d7f5542b60d32bd213663900b4e8651e5fcf356915650d0b058f59bd614
Malware Config
Signatures
-
Mespinoza Ransomware 2 TTPs
Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.
-
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\UndoRead.tiff.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File renamed C:\Users\Admin\Pictures\ExportReceive.tiff => C:\Users\Admin\Pictures\ExportReceive.tiff.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Users\Admin\Pictures\ExportReceive.tiff.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File renamed C:\Users\Admin\Pictures\MeasureUpdate.tiff => C:\Users\Admin\Pictures\MeasureUpdate.tiff.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Users\Admin\Pictures\MeasureUpdate.tiff.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File renamed C:\Users\Admin\Pictures\UndoRead.tiff => C:\Users\Admin\Pictures\UndoRead.tiff.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 516 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
Processes:
049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exedescription ioc process File created C:\Program Files\VideoLAN\VLC\locale\gl\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\IACOM2.DLL.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\PREVIEW.GIF.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\THMBNAIL.PNG.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench_3.106.1.v20140827-1737.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\VideoLAN\VLC\plugins\lua\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_ja.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jre7\lib\flavormap.properties.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Windows NT\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Juneau.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\RegisterRedo.xls.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\Common Files\System\msadc\en-US\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\DVD Maker\en-US\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\gimap.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\CST6CDT.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\Java\jre7\lib\zi\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_fr.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_zh_4.4.0.v20140623020002.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiBold.ttf.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\THMBNAIL.PNG.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfxrt.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_ja_4.4.0.v20140623020002.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jre7\lib\management\management.properties.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_zh_CN.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_zh_CN.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\Java\jre7\lib\zi\Europe\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\eBook.api.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\7-Zip\Lang\tt.txt.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ca.pak.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe -
Drops file in Windows directory 1 IoCs
Processes:
049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exedescription ioc process File created C:\Windows\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exedescription pid process target process PID 1084 wrote to memory of 516 1084 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe cmd.exe PID 1084 wrote to memory of 516 1084 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe cmd.exe PID 1084 wrote to memory of 516 1084 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe cmd.exe PID 1084 wrote to memory of 516 1084 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe cmd.exe PID 1084 wrote to memory of 516 1084 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe cmd.exe PID 1084 wrote to memory of 516 1084 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe cmd.exe PID 1084 wrote to memory of 516 1084 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe cmd.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = 48006900200043006f006d00700061006e0079002c000d000a000d000a00450076006500720079002000620079007400650020006f006e00200061006e00790020007400790070006500730020006f006600200079006f0075007200200064006500760069006300650073002000770061007300200065006e0063007200790070007400650064002e000d000a0044006f006e00270074002000740072007900200074006f00200075007300650020006200610063006b007500700073002000620065006300610075007300650020006900740020007700650072006500200065006e006300720079007000740065006400200074006f006f002e000d000a000d000a0054006f002000670065007400200061006c006c00200079006f00750072002000640061007400610020006200610063006b00200063006f006e0074006100630074002000750073003a000d000a006a0049006d006d007900680065006e006400720069006b0040006f006e0069006f006e006d00610069006c002e006f00720067000d000a006a006f0068006e0079006d006100730065003200310040006f006e0069006f006e006d00610069006c002e006f00720067000d000a006a0075007300540031006e007300740072004000700072006f0074006f006e006d00610069006c002e0063006f006d000d000a000d000a0041006c0073006f002c0020006200650020006100770061007200650020007400680061007400200077006500200064006f0077006e006c006f0061006400650064002000660069006c00650073002000660072006f006d00200079006f007500720020007300650072007600650072007300200061006e006400200069006e002000630061007300650020006f00660020006e006f006e002d007000610079006d0065006e0074002000770065002000770069006c006c00200062006500200066006f007200630065006400200074006f002000750070006c006f006100640020007400680065006d0020006f006e0020006f0075007200200077006500620073006900740065002c00200061006e00640020006900660020006e00650063006500730073006100720079002c002000770065002000770069006c006c002000730065006c006c0020007400680065006d0020006f006e00200074006800650020006400610072006b006e00650074002e000d000a0043006800650063006b0020006f007500740020006f0075007200200077006500620073006900740065002c0020007700650020006a00750073007400200070006f00730074006500640020007400680065007200650020006e006500770020007500700064006100740065007300200066006f00720020006f0075007200200070006100720074006e006500720073003a00200068007400740070003a002f002f0070007900730061003200620069007400630035006c00640065007900660061006b00340073006500650072007500710079006d0071007300340073006a00350077007400350071006b0063007100370061006f00790067003400680032006100630071006900650079007700610064002e006f006e0069006f006e002f000d000a002d002d002d002d002d002d002d002d002d002d002d002d002d002d000d000a000d000a004600410051003a000d000a000d000a0031002e000d000a0020002000200051003a00200048006f0077002000630061006e002000490020006d0061006b00650020007300750072006500200079006f007500200064006f006e0027007400200066006f006f006c0069006e00670020006d0065003f000d000a0020002000200041003a00200059006f0075002000630061006e002000730065006e006400200075007300200032002000660069006c006500730028006d0061007800200032006d00620029002e000d000a000d000a0032002e000d000a0020002000200051003a0020005700680061007400200074006f00200064006f00200074006f002000670065007400200061006c006c002000640061007400610020006200610063006b003f000d000a0020002000200041003a00200044006f006e0027007400200072006500730074006100720074002000740068006500200063006f006d00700075007400650072002c00200064006f006e002700740020006d006f00760065002000660069006c0065007300200061006e0064002000770072006900740065002000750073002e000d000a000d000a0033002e000d000a0020002000200051003a0020005700680061007400200074006f002000740065006c006c0020006d007900200062006f00730073003f000d000a0020002000200041003a002000500072006f007400650063007400200059006f00750072002000530079007300740065006d00200041006d00690067006f002e000d000a000d000a000000 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = 50005900530041000000 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe"C:\Users\Admin\AppData\Local\Temp\049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe"1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "2⤵
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\update.batMD5
39299bc70e8b1c222f864b09625040eb
SHA193bc84350a684fe13509648d8eda61d504bc7162
SHA256682132b77f2cdef4ff6567865fbe78d76a4b0f1c55229cb57760e6f72f580464
SHA512177719bfe38dce08ce746a1eb998e54aa51ff53613dc58e834cd0681f2107a1328a3a76b006a8e7aa5d532ee67201153e21559c784fefd7a132f67922a91eca1
-
memory/516-60-0x0000000000000000-mapping.dmp
-
memory/1084-59-0x0000000075A31000-0x0000000075A33000-memory.dmpFilesize
8KB