Analysis

  • max time kernel
    39s
  • max time network
    70s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    16-06-2021 05:59

General

  • Target

    049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe

  • Size

    532KB

  • MD5

    abdc29577ef646613ecc089bf0a0bf6a

  • SHA1

    97760dfeefa72766ec28973c331faad441bfc5f8

  • SHA256

    049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c

  • SHA512

    bfb85082f95182027bb9aa81f1c350784543bef227757b79046c73447fa10a669f4f9d7f5542b60d32bd213663900b4e8651e5fcf356915650d0b058f59bd614

Malware Config

Signatures

  • Mespinoza Ransomware 2 TTPs

    Also known as Pysa. Ransomware-as-a-service which first appeared in 2020.

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 7 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe
    "C:\Users\Admin\AppData\Local\Temp\049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe"
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1084
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
      2⤵
      • Deletes itself
      PID:516

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    Modify Registry (1) T1112
  • Credential Access
    Credentials in Files (1) T1081
  • Discovery
    Query Registry (1) T1012
    System Information Discovery (1) T1082
  • Collection
    Data from Local System (1) T1005
  • Impact
    Data Encrypted for Impact (1) T1486

Downloads

  • C:\Users\Admin\AppData\Local\Temp\update.bat
    MD5

    39299bc70e8b1c222f864b09625040eb

    SHA1

    93bc84350a684fe13509648d8eda61d504bc7162

    SHA256

    682132b77f2cdef4ff6567865fbe78d76a4b0f1c55229cb57760e6f72f580464

    SHA512

    177719bfe38dce08ce746a1eb998e54aa51ff53613dc58e834cd0681f2107a1328a3a76b006a8e7aa5d532ee67201153e21559c784fefd7a132f67922a91eca1

  • memory/516-60-0x0000000000000000-mapping.dmp
  • memory/1084-59-0x0000000075A31000-0x0000000075A33000-memory.dmp
    Filesize

    8KB