Overview
overview
10Static
static
049263e712...6c.exe
windows7_x64
10049263e712...6c.exe
windows10_x64
102a2eb971b8...d0.exe
windows7_x64
102a2eb971b8...d0.exe
windows10_x64
1032d6be4f86...f3.exe
windows7_x64
1032d6be4f86...f3.exe
windows10_x64
1039ef1d9afd...d8.exe
windows7_x64
1039ef1d9afd...d8.exe
windows10_x64
103a83805e3a...7e.exe
windows7_x64
103a83805e3a...7e.exe
windows10_x64
10d1b6ee9b71...2b.exe
windows7_x64
10d1b6ee9b71...2b.exe
windows10_x64
10Analysis
-
max time kernel
32s -
max time network
81s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
16-06-2021 05:59
Static task
static1
Behavioral task
behavioral1
Sample
049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
049263e712631a447fd13c8255ed456bcac8b4227502841acd8f229d89dc066c.exe
Resource
win10v20210408
Behavioral task
behavioral3
Sample
2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe
Resource
win7v20210410
Behavioral task
behavioral4
Sample
2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe
Resource
win10v20210408
Behavioral task
behavioral5
Sample
32d6be4f86451871f70590f01ce01e9263abe18286db1272928a23c125e844f3.exe
Resource
win7v20210410
Behavioral task
behavioral6
Sample
32d6be4f86451871f70590f01ce01e9263abe18286db1272928a23c125e844f3.exe
Resource
win10v20210408
Behavioral task
behavioral7
Sample
39ef1d9afd248791d765f0deaed6ebaac5416876a705e407cc97a35dad038fd8.exe
Resource
win7v20210410
Behavioral task
behavioral8
Sample
39ef1d9afd248791d765f0deaed6ebaac5416876a705e407cc97a35dad038fd8.exe
Resource
win10v20210410
Behavioral task
behavioral9
Sample
3a83805e3ad41c6acd7931a0902b519669b8f38e491357c6f31fa46509f3c77e.exe
Resource
win7v20210408
Behavioral task
behavioral10
Sample
3a83805e3ad41c6acd7931a0902b519669b8f38e491357c6f31fa46509f3c77e.exe
Resource
win10v20210410
Behavioral task
behavioral11
Sample
d1b6ee9b716fe48e51ac4e6bec691366bb08d507773d61a5d14fb15ec5e25e2b.exe
Resource
win7v20210408
Behavioral task
behavioral12
Sample
d1b6ee9b716fe48e51ac4e6bec691366bb08d507773d61a5d14fb15ec5e25e2b.exe
Resource
win10v20210410
General
-
Target
2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe
-
Size
501KB
-
MD5
3f478dec46b01ca3cae11e238095c325
-
SHA1
62c19bfdeefa22c9cb81b4e4d1a34f10fb41a32b
-
SHA256
2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0
-
SHA512
f3ed3c1ede86bd4b113fe5ebcd27b79863408132c92ad583e9118604f7914eeb3ba1201e8d48ab641a6de49104e9dd7547369936bbe532a6826404e835856470
Malware Config
Signatures
-
Mespinoza Ransomware 2 TTPs
Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.
-
Modifies extensions of user files 14 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exedescription ioc process File renamed C:\Users\Admin\Pictures\BackupAdd.tiff => C:\Users\Admin\Pictures\BackupAdd.tiff.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Users\Admin\Pictures\DebugTrace.png.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File renamed C:\Users\Admin\Pictures\InvokeSearch.tiff => C:\Users\Admin\Pictures\InvokeSearch.tiff.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Users\Admin\Pictures\RedoTrace.png.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File renamed C:\Users\Admin\Pictures\RestartDisable.tif => C:\Users\Admin\Pictures\RestartDisable.tif.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Users\Admin\Pictures\AssertOptimize.png.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File renamed C:\Users\Admin\Pictures\DebugTrace.png => C:\Users\Admin\Pictures\DebugTrace.png.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File renamed C:\Users\Admin\Pictures\RedoTrace.png => C:\Users\Admin\Pictures\RedoTrace.png.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File renamed C:\Users\Admin\Pictures\GrantUndo.raw => C:\Users\Admin\Pictures\GrantUndo.raw.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Users\Admin\Pictures\GrantUndo.raw.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Users\Admin\Pictures\RestartDisable.tif.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File renamed C:\Users\Admin\Pictures\AssertOptimize.png => C:\Users\Admin\Pictures\AssertOptimize.png.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Users\Admin\Pictures\BackupAdd.tiff.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Users\Admin\Pictures\InvokeSearch.tiff.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1132 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
Processes:
2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exedescription ioc process File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins_1.1.200.v20131119-0908.jar.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Readme.README 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Bucharest.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\Readme.README 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_zh_4.4.0.v20140623020002.jar.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\VideoLAN\VLC\skins\skin.dtd.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\ARCTIC.ELM.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Ceuta.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\Readme.README 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Readme.README 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACETXT.DLL.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\Readme.README 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rankin_Inlet.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\vlc.mo.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-print.jar.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_ja.jar.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_CN.jar.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui_5.5.0.165303.jar.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_zh_CN.jar.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Inuvik.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\vlc.mo.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\Readme.README 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\MSB1ESEN.DLL.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File created C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\Readme.README 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\snmp.acl.template.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File created C:\Program Files\Windows Media Player\Icons\Readme.README 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\WT61ES.LEX.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jdwpTransport.h.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File created C:\Program Files\Java\jre7\lib\zi\Europe\Readme.README 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\WET.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File created C:\Program Files (x86)\Common Files\microsoft shared\ink\Readme.README 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\external_extensions.json.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.bat.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File created C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\Readme.README 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\Readme.README 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\MSB1FRAR.ITS.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\Readme.README 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\drive.crx.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File created C:\Program Files\Internet Explorer\Readme.README 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_TW.jar.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.bfc.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\Readme.README 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-modules-profiler_visualvm.jar.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File created C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\Readme.README 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\CAPSULES.ELM.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\PREVIEW.GIF.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File created C:\Program Files (x86)\Common Files\microsoft shared\PROOF\Readme.README 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\PREVIEW.GIF.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\Readme.README 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui_2.3.0.v20140404-1657.jar.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_ja.jar.pysa 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe -
Drops file in Windows directory 1 IoCs
Processes:
2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exedescription ioc process File created C:\Windows\Readme.README 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exedescription pid process target process PID 1672 wrote to memory of 1132 1672 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe cmd.exe PID 1672 wrote to memory of 1132 1672 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe cmd.exe PID 1672 wrote to memory of 1132 1672 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe cmd.exe PID 1672 wrote to memory of 1132 1672 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe cmd.exe PID 1672 wrote to memory of 1132 1672 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe cmd.exe PID 1672 wrote to memory of 1132 1672 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe cmd.exe PID 1672 wrote to memory of 1132 1672 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe cmd.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = 48006900200043006f006d00700061006e0079002c000d000a000d000a00450076006500720079002000620079007400650020006f006e00200061006e00790020007400790070006500730020006f006600200079006f0075007200200064006500760069006300650073002000770061007300200065006e0063007200790070007400650064002e000d000a0044006f006e00270074002000740072007900200074006f00200075007300650020006200610063006b007500700073002000620065006300610075007300650020006900740020007700650072006500200065006e006300720079007000740065006400200074006f006f002e000d000a000d000a0054006f002000670065007400200061006c006c00200079006f00750072002000640061007400610020006200610063006b00200063006f006e0074006100630074002000750073003a000d000a006c00750065006200650067006700380030003200340040006f006e0069006f006e006d00610069006c002e006f00720067000d000a006d006100790061006b0069006e00670067007700330037003300320040006f006e0069006f006e006d00610069006c002e006f00720067000d000a006c006100750072006900610062006f0072006e0068006100740037003700320032004000700072006f0074006f006e006d00610069006c002e0063006f006d000d000a000d000a0041006c0073006f002c0020006200650020006100770061007200650020007400680061007400200077006500200064006f0077006e006c006f0061006400650064002000660069006c00650073002000660072006f006d00200079006f007500720020007300650072007600650072007300200061006e006400200069006e002000630061007300650020006f00660020006e006f006e002d007000610079006d0065006e0074002000770065002000770069006c006c00200062006500200066006f007200630065006400200074006f002000750070006c006f006100640020007400680065006d0020006f006e0020006f0075007200200077006500620073006900740065002c00200061006e00640020006900660020006e00650063006500730073006100720079002c002000770065002000770069006c006c002000730065006c006c0020007400680065006d0020006f006e00200074006800650020006400610072006b006e00650074002e000d000a0043006800650063006b0020006f007500740020006f0075007200200077006500620073006900740065002c0020007700650020006a00750073007400200070006f00730074006500640020007400680065007200650020006e006500770020007500700064006100740065007300200066006f00720020006f0075007200200070006100720074006e006500720073003a00200068007400740070003a002f002f0070007900730061003200620069007400630035006c00640065007900660061006b00340073006500650072007500710079006d0071007300340073006a00350077007400350071006b0063007100370061006f00790067003400680032006100630071006900650079007700610064002e006f006e0069006f006e002f000d000a002d002d002d002d002d002d002d002d002d002d002d002d002d002d000d000a000d000a004600410051003a000d000a000d000a0031002e000d000a0020002000200051003a00200048006f0077002000630061006e002000490020006d0061006b00650020007300750072006500200079006f007500200064006f006e0027007400200066006f006f006c0069006e00670020006d0065003f000d000a0020002000200041003a00200059006f0075002000630061006e002000730065006e006400200075007300200032002000660069006c006500730028006d0061007800200032006d00620029002e000d000a000d000a0032002e000d000a0020002000200051003a0020005700680061007400200074006f00200064006f00200074006f002000670065007400200061006c006c002000640061007400610020006200610063006b003f000d000a0020002000200041003a00200044006f006e0027007400200072006500730074006100720074002000740068006500200063006f006d00700075007400650072002c00200064006f006e002700740020006d006f00760065002000660069006c0065007300200061006e0064002000770072006900740065002000750073002e000d000a000d000a0033002e000d000a0020002000200051003a0020005700680061007400200074006f002000740065006c006c0020006d007900200062006f00730073003f000d000a0020002000200041003a002000500072006f007400650063007400200059006f00750072002000530079007300740065006d00200041006d00690067006f002e000d000a000d000a000000 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = 50005900530041000000 2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe"C:\Users\Admin\AppData\Local\Temp\2a2eb971b878f56a0a5762656be6f59ec9623451acf4cf16b8c02e478d044cd0.exe"1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "2⤵
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\update.batMD5
c05534f4724dc288d497d475ce846e38
SHA1b2faec0a0610260ec162dd2a68e738ed138d86c8
SHA256e8589ef6a93ed0b4e068988206efbe584f0bbd9fa780a6fb0250957d299f29d6
SHA5129cf586d68a213f5d794439f1d5bd7ff87c156081d79691ab89a80773a17541f189b860692ebfcd3f40a6a7e5f2be1fafd0064eb28cfb5ed00155d51da94e2451
-
memory/1132-61-0x0000000000000000-mapping.dmp
-
memory/1672-60-0x00000000767B1000-0x00000000767B3000-memory.dmpFilesize
8KB