Overview
overview
10Static
static
049263e712...6c.exe
windows7_x64
10049263e712...6c.exe
windows10_x64
102a2eb971b8...d0.exe
windows7_x64
102a2eb971b8...d0.exe
windows10_x64
1032d6be4f86...f3.exe
windows7_x64
1032d6be4f86...f3.exe
windows10_x64
1039ef1d9afd...d8.exe
windows7_x64
1039ef1d9afd...d8.exe
windows10_x64
103a83805e3a...7e.exe
windows7_x64
103a83805e3a...7e.exe
windows10_x64
10d1b6ee9b71...2b.exe
windows7_x64
10d1b6ee9b71...2b.exe
windows10_x64
10Analysis
-
max time kernel
68s -
max time network
121s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
16-06-2021 05:59
Static task
static1
Behavioral task
behavioral1
Sample
049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe
Resource
win10v20210408
Behavioral task
behavioral3
Sample
2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe
Resource
win7v20210410
Behavioral task
behavioral4
Sample
2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe
Resource
win10v20210408
Behavioral task
behavioral5
Sample
32d6be4f86451871f70590f01ce01e9263abe18286db1272928a23c125e844f3.exe
Resource
win7v20210410
Behavioral task
behavioral6
Sample
32d6be4f86451871f70590f01ce01e9263abe18286db1272928a23c125e844f3.exe
Resource
win10v20210408
Behavioral task
behavioral7
Sample
39ef1d9afd248791d765f0deaed6ebaac5416876a705e407cc97a35dad038fd8.exe
Resource
win7v20210410
Behavioral task
behavioral8
Sample
39ef1d9afd248791d765f0deaed6ebaac5416876a705e407cc97a35dad038fd8.exe
Resource
win10v20210410
Behavioral task
behavioral9
Sample
3a83805e3ad41c6acd7931a0902b519669b8f38e491357c6f31fa46509f3c77e.exe
Resource
win7v20210408
Behavioral task
behavioral10
Sample
3a83805e3ad41c6acd7931a0902b519669b8f38e491357c6f31fa46509f3c77e.exe
Resource
win10v20210410
Behavioral task
behavioral11
Sample
d1b6ee9b716fe48e51ac4e6bec691366bb08d507773d61a5d14fb15ec5e25e2b.exe
Resource
win7v20210408
Behavioral task
behavioral12
Sample
d1b6ee9b716fe48e51ac4e6bec691366bb08d507773d61a5d14fb15ec5e25e2b.exe
Resource
win10v20210410
General
-
Target
049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe
-
Size
532KB
-
MD5
abdc29577ef646613ecc089bf0a0bf6a
-
SHA1
97760dfeefa72766ec28973c331faad441bfc5f8
-
SHA256
049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c
-
SHA512
bfb85082f95182027bb9aa81f1c350784543bef227757b79046c73447fa10a669f4f9d7f5542b60d32bd213663900b4e8651e5fcf356915650d0b058f59bd614
Malware Config
Signatures
-
Mespinoza Ransomware 2 TTPs
Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.
-
Modifies extensions of user files 20 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exedescription ioc process File renamed C:\Users\Admin\Pictures\ResetExport.raw => C:\Users\Admin\Pictures\ResetExport.raw.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File renamed C:\Users\Admin\Pictures\ResetRepair.png => C:\Users\Admin\Pictures\ResetRepair.png.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Users\Admin\Pictures\RestartUse.raw.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Users\Admin\Pictures\ReceiveUnpublish.tiff.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Users\Admin\Pictures\ApproveOptimize.tif.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Users\Admin\Pictures\CloseResume.tif.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File renamed C:\Users\Admin\Pictures\CompareRename.tif => C:\Users\Admin\Pictures\CompareRename.tif.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Users\Admin\Pictures\CompareRename.tif.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Users\Admin\Pictures\ReadResize.crw.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File renamed C:\Users\Admin\Pictures\ReceiveUnpublish.tiff => C:\Users\Admin\Pictures\ReceiveUnpublish.tiff.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Users\Admin\Pictures\ResetExport.raw.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File renamed C:\Users\Admin\Pictures\ApproveOptimize.tif => C:\Users\Admin\Pictures\ApproveOptimize.tif.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File renamed C:\Users\Admin\Pictures\PingInvoke.png => C:\Users\Admin\Pictures\PingInvoke.png.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Users\Admin\Pictures\PingInvoke.png.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File renamed C:\Users\Admin\Pictures\RestartUse.raw => C:\Users\Admin\Pictures\RestartUse.raw.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Users\Admin\Pictures\ResumeConvertFrom.tiff.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File renamed C:\Users\Admin\Pictures\CloseResume.tif => C:\Users\Admin\Pictures\CloseResume.tif.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Users\Admin\Pictures\ResetRepair.png.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File renamed C:\Users\Admin\Pictures\ResumeConvertFrom.tiff => C:\Users\Admin\Pictures\ResumeConvertFrom.tiff.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File renamed C:\Users\Admin\Pictures\ReadResize.crw => C:\Users\Admin\Pictures\ReadResize.crw.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
Processes:
049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exedescription ioc process File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\da-dk\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\es-es\ui-strings.js.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pl_get.svg.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\en-gb\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser_5.5.0.165303.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\ui-strings.js.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_ie8.gif.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pt-br\ui-strings.js.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pl-pl\ui-strings.js.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\Common Files\microsoft shared\ink\fr-CA\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_zh_CN.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\ui-strings.js.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\ui-strings.js.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main.css.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.contenttype_3.4.200.v20140207-1251.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\Java\jdk1.8.0_66\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\sv_get.svg.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-tw\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ko_get.svg.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-lib-profiler.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\VideoLAN\VLC\lua\meta\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ja-jp\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\tr-tr\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Mozilla Firefox\install.log.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ca-es\ui-strings.js.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\AppStore_icon.svg.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\s_listview_18.svg.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\ui-strings.js.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_zh_CN.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\cs-cz\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Confirmation2x.png.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_zh_CN.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\VideoLAN\VLC\locale\ru\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\vlc.mo.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\WindowsPowerShell\Modules\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\ui-strings.js.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\css\main.css.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\uk-ua\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\EditSync.gif.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\vlc.mo.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\fillandsign.svg.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hr-hr\ui-strings.js.pysa 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe -
Drops file in Windows directory 1 IoCs
Processes:
049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exedescription ioc process File created C:\Windows\Readme.README 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exedescription pid process target process PID 808 wrote to memory of 2100 808 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe cmd.exe PID 808 wrote to memory of 2100 808 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe cmd.exe PID 808 wrote to memory of 2100 808 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe cmd.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = 48006900200043006f006d00700061006e0079002c000d000a000d000a00450076006500720079002000620079007400650020006f006e00200061006e00790020007400790070006500730020006f006600200079006f0075007200200064006500760069006300650073002000770061007300200065006e0063007200790070007400650064002e000d000a0044006f006e00270074002000740072007900200074006f00200075007300650020006200610063006b007500700073002000620065006300610075007300650020006900740020007700650072006500200065006e006300720079007000740065006400200074006f006f002e000d000a000d000a0054006f002000670065007400200061006c006c00200079006f00750072002000640061007400610020006200610063006b00200063006f006e0074006100630074002000750073003a000d000a006a0049006d006d007900680065006e006400720069006b0040006f006e0069006f006e006d00610069006c002e006f00720067000d000a006a006f0068006e0079006d006100730065003200310040006f006e0069006f006e006d00610069006c002e006f00720067000d000a006a0075007300540031006e007300740072004000700072006f0074006f006e006d00610069006c002e0063006f006d000d000a000d000a0041006c0073006f002c0020006200650020006100770061007200650020007400680061007400200077006500200064006f0077006e006c006f0061006400650064002000660069006c00650073002000660072006f006d00200079006f007500720020007300650072007600650072007300200061006e006400200069006e002000630061007300650020006f00660020006e006f006e002d007000610079006d0065006e0074002000770065002000770069006c006c00200062006500200066006f007200630065006400200074006f002000750070006c006f006100640020007400680065006d0020006f006e0020006f0075007200200077006500620073006900740065002c00200061006e00640020006900660020006e00650063006500730073006100720079002c002000770065002000770069006c006c002000730065006c006c0020007400680065006d0020006f006e00200074006800650020006400610072006b006e00650074002e000d000a0043006800650063006b0020006f007500740020006f0075007200200077006500620073006900740065002c0020007700650020006a00750073007400200070006f00730074006500640020007400680065007200650020006e006500770020007500700064006100740065007300200066006f00720020006f0075007200200070006100720074006e006500720073003a00200068007400740070003a002f002f0070007900730061003200620069007400630035006c00640065007900660061006b00340073006500650072007500710079006d0071007300340073006a00350077007400350071006b0063007100370061006f00790067003400680032006100630071006900650079007700610064002e006f006e0069006f006e002f000d000a002d002d002d002d002d002d002d002d002d002d002d002d002d002d000d000a000d000a004600410051003a000d000a000d000a0031002e000d000a0020002000200051003a00200048006f0077002000630061006e002000490020006d0061006b00650020007300750072006500200079006f007500200064006f006e0027007400200066006f006f006c0069006e00670020006d0065003f000d000a0020002000200041003a00200059006f0075002000630061006e002000730065006e006400200075007300200032002000660069006c006500730028006d0061007800200032006d00620029002e000d000a000d000a0032002e000d000a0020002000200051003a0020005700680061007400200074006f00200064006f00200074006f002000670065007400200061006c006c002000640061007400610020006200610063006b003f000d000a0020002000200041003a00200044006f006e0027007400200072006500730074006100720074002000740068006500200063006f006d00700075007400650072002c00200064006f006e002700740020006d006f00760065002000660069006c0065007300200061006e0064002000770072006900740065002000750073002e000d000a000d000a0033002e000d000a0020002000200051003a0020005700680061007400200074006f002000740065006c006c0020006d007900200062006f00730073003f000d000a0020002000200041003a002000500072006f007400650063007400200059006f00750072002000530079007300740065006d00200041006d00690067006f002e000d000a000d000a000000 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = 50005900530041000000 049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe"C:\Users\Admin\AppData\Local\Temp\049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe"1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\update.batMD5
39299bc70e8b1c222f864b09625040eb
SHA193bc84350a684fe13509648d8eda61d504bc7162
SHA256682132b77f2cdef4ff6567865fbe78d76a4b0f1c55229cb57760e6f72f580464
SHA512177719bfe38dce08ce746a1eb998e54aa51ff53613dc58e834cd0681f2107a1328a3a76b006a8e7aa5d532ee67201153e21559c784fefd7a132f67922a91eca1
-
memory/2100-114-0x0000000000000000-mapping.dmp