General

  • Target

    9317dfe933c5c58703e0555320b047ca6c85b8bd2af03667cd4e42d1a0984726.bin

  • Size

    541KB

  • Sample

    211224-nb1erachfj

  • MD5

    ccadb45534279d6a27e30c10e1655c7f

  • SHA1

    9b88f4388dd785a09efbafb0b7474447b118e92b

  • SHA256

    9317dfe933c5c58703e0555320b047ca6c85b8bd2af03667cd4e42d1a0984726

  • SHA512

    cac5bb24ed1b6037bec76e0df5409a6139aa7b8b01205b3c515157c16b879ede6fa1b61598f3fddb350395f1d5b5af044ec23ff99030bb4607494cf13f06aa1d

Malware Config

Extracted

Family

mespinoza

Attributes
  • ransomnote

    Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: AnitaRadke@onionmail.org PatriciaTurner@onionmail.org melany1922@protonmail.com Also, be aware that we downloaded files from your servers and in case of non-payment we will be forced to upload them on our website, and if necessary, we will sell them on the darknet. Check out our website, we just posted there new updates for our partners: http://pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion/ -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What to tell my boss? A: Protect Your System Amigo.

Targets

    • Target

      9317dfe933c5c58703e0555320b047ca6c85b8bd2af03667cd4e42d1a0984726.bin

    • Size

      541KB

    • MD5

      ccadb45534279d6a27e30c10e1655c7f

    • SHA1

      9b88f4388dd785a09efbafb0b7474447b118e92b

    • SHA256

      9317dfe933c5c58703e0555320b047ca6c85b8bd2af03667cd4e42d1a0984726

    • SHA512

      cac5bb24ed1b6037bec76e0df5409a6139aa7b8b01205b3c515157c16b879ede6fa1b61598f3fddb350395f1d5b5af044ec23ff99030bb4607494cf13f06aa1d

    • Detect Neshta Payload

    • Mespinoza Ransomware

      Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.

    • Modifies system executable filetype association

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Change Default File Association

1
T1042

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Impact

Data Encrypted for Impact

1
T1486

Tasks