Overview

overview

10

Static

static

e9662b4681...le.exe

windows7_x64

10

e9662b4681...le.exe

windows10_x64

10

Analysis

  • max time kernel
    85s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    26-07-2021 12:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.sample.exe

  • Size

    504KB

  • MD5

    e9454a2ff16897e177d8a11083850ec7

  • SHA1

    6b6855931e69d27f5f2e2d828fbeb4db91688996

  • SHA256

    e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead

  • SHA512

    9bd01ed32887cecefe3987991f3ae3a0375c1cb1bff8b49f795b000076c26a1bb938476e4383b60a3f1ac5de79f7cd3cf2520ef695908815c0fee55a17dcb021

Score
10/10
mespinozaransomwarespywarestealer

Malware Config

Signatures

  • Mespinoza Ransomware 2 TTPs

    Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.

    ransomwaremespinoza
  • Modifies extensions of user files 12 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3912
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
      2⤵
        PID:1380

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Data Encrypted for Impact

    1
    T1486

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini
      MD5

      dacaf4488adbad137e2fbca3b547c944

      SHA1

      c6a1d12e5281c3d29af724333eb0a6cad25a2f63

      SHA256

      9635b27d2a5e2a5e24395a16d2697cc0aa379eb0307d20668266adbb7aa3bf19

      SHA512

      74686a5d18449006921b137908acca3d0d959f9d3c811f2d58d1ef2f6640e74a346e5fb9a11b25591ddb66d9154d71e2025c6a628db96afccda4bd5ac9edeba3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\update.bat
      MD5

      579e0b9242dae68126ea79bc491ef69d

      SHA1

      78aeeb528e7f1987a0b25670e7b117f8c83c1a2a

      SHA256

      300ee3dc1386f54cd6e80ebbaddd4439b445ad0dcd91871c6bedaab93c9f4d6d

      SHA512

      1fe8a6dc7c53a79bc9c8038532e75d6021e6d103fab8c247d8cab3a9bb8d28676c1d86bbc3fb07ced6f228e4a445a676b11fa89ebd0af6b73053d710e92b53a4

      Download Submit
    • memory/1380-115-0x0000000000000000-mapping.dmp
      Download