mespinoza | f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db

General

Target

f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
Size

628KB
MD5

68d717aaa4ca93f1799f5e602553b7e9
SHA1

3ce06540d62a722513145bbd346cdb223ddb17c7
SHA256

f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db
SHA512

e37f2dd5f8110ce6928be726016427216e978fbc2beebdbae2c6f1d1e4454901e260cac4e335358d6c1d44a7abf42bf2f6edaf87264665fed778f03a515a9f26

Score

10^/10

mespinoza ransomware spyware stealer

Malware Config

Signatures

Mespinoza Ransomware 2 TTPs
Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.
ransomware mespinoza

Query Registry
T1012

Data Encrypted for Impact
T1486

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\LimitConvert.crw.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File renamed	C:\Users\Admin\Pictures\MountBlock.tiff => C:\Users\Admin\Pictures\MountBlock.tiff.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromInitialize.raw => C:\Users\Admin\Pictures\ConvertFromInitialize.raw.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromInitialize.raw.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File renamed	C:\Users\Admin\Pictures\JoinResolve.tiff => C:\Users\Admin\Pictures\JoinResolve.tiff.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File renamed	C:\Users\Admin\Pictures\LimitConvert.crw => C:\Users\Admin\Pictures\LimitConvert.crw.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Users\Admin\Pictures\JoinResolve.tiff.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Users\Admin\Pictures\MountBlock.tiff.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File renamed	C:\Users\Admin\Pictures\CompressUnblock.crw => C:\Users\Admin\Pictures\CompressUnblock.crw.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Users\Admin\Pictures\CompressUnblock.crw.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File renamed	C:\Users\Admin\Pictures\HideSwitch.raw => C:\Users\Admin\Pictures\HideSwitch.raw.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Users\Admin\Pictures\HideSwitch.raw.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe

description	ioc	process
File created	C:\Program Files\Internet Explorer\images\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pt-br\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\ui-strings.js.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\ui-strings.js.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ui-strings.js.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ca-es\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files\Common Files\Services\verisign.bmp.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hr-hr\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\de-DE\msader15.dll.mui.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\tr-tr\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\share_icons2x.png.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ja-jp\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\hijrah-config-umalqura.properties.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\dnsns.jar.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ja-jp\ui-strings.js.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd-Bold.otf.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ui-strings.js.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\de-de\ui-strings.js.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-charts.jar.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\app-api.js.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hr-hr\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-It.otf.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\cs-cz\ui-strings.js.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hr-hr\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\da-dk\ui-strings.js.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ja-jp\ui-strings.js.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nl-nl\ui-strings.js.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner.gif.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\ui-strings.js.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\da-dk\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\main.css.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\ui-strings.js.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\ui-strings.js.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tet\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\vlc.mo.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ui-strings.js.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.actionProvider.exsd.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\COPYING.txt.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_zh_tw_135x40.svg.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ms_get.svg.pysa	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe

Drops file in Windows directory 1 IoCs

Processes:

f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe

description ioc process

File created C:\Windows\Readme.README f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Readme.README	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe

description	pid	process	target process
PID 3596 wrote to memory of 3184	3596	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe	cmd.exe
PID 3596 wrote to memory of 3184	3596	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe	cmd.exe
PID 3596 wrote to memory of 3184	3596	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = 48006900200043006f006d00700061006e0079002c000d000a000d000a00450076006500720079002000620079007400650020006f006e00200061006e00790020007400790070006500730020006f006600200079006f0075007200200064006500760069006300650073002000770061007300200065006e0063007200790070007400650064002e000d000a0044006f006e00270074002000740072007900200074006f00200075007300650020006200610063006b007500700073002000620065006300610075007300650020006900740020007700650072006500200065006e006300720079007000740065006400200074006f006f002e000d000a000d000a0054006f002000670065007400200061006c006c00200079006f00750072002000640061007400610020006200610063006b00200063006f006e0074006100630074002000750073003a000d000a004400650062006f0072006100680054007200610073006b0040006f006e0069006f006e006d00610069006c002e006f00720067000d000a0041006c00690073006f006e0052006f0062006c006500730040006f006e0069006f006e006d00610069006c002e006f00720067000d000a004e006100740061006e0053006300680075006c0074007a00360037004000700072006f0074006f006e006d00610069006c002e0063006f006d000d000a000d000a0041006c0073006f002c0020006200650020006100770061007200650020007400680061007400200077006500200064006f0077006e006c006f0061006400650064002000660069006c00650073002000660072006f006d00200079006f007500720020007300650072007600650072007300200061006e006400200069006e002000630061007300650020006f00660020006e006f006e002d007000610079006d0065006e0074002000770065002000770069006c006c00200062006500200066006f007200630065006400200074006f002000750070006c006f006100640020007400680065006d0020006f006e0020006f0075007200200077006500620073006900740065002c00200061006e00640020006900660020006e00650063006500730073006100720079002c002000770065002000770069006c006c002000730065006c006c0020007400680065006d0020006f006e00200074006800650020006400610072006b006e00650074002e000d000a0043006800650063006b0020006f007500740020006f0075007200200077006500620073006900740065002c0020007700650020006a00750073007400200070006f00730074006500640020007400680065007200650020006e006500770020007500700064006100740065007300200066006f00720020006f0075007200200070006100720074006e006500720073003a00200068007400740070003a002f002f0070007900730061003200620069007400630035006c00640065007900660061006b00340073006500650072007500710079006d0071007300340073006a00350077007400350071006b0063007100370061006f00790067003400680032006100630071006900650079007700610064002e006f006e0069006f006e002f000d000a002d002d002d002d002d002d002d002d002d002d002d002d002d002d000d000a000d000a004600410051003a000d000a000d000a0031002e000d000a0020002000200051003a00200048006f0077002000630061006e002000490020006d0061006b00650020007300750072006500200079006f007500200064006f006e0027007400200066006f006f006c0069006e00670020006d0065003f000d000a0020002000200041003a00200059006f0075002000630061006e002000730065006e006400200075007300200032002000660069006c006500730028006d0061007800200032006d00620029002e000d000a000d000a0032002e000d000a0020002000200051003a0020005700680061007400200074006f00200064006f00200074006f002000670065007400200061006c006c002000640061007400610020006200610063006b003f000d000a0020002000200041003a00200044006f006e0027007400200072006500730074006100720074002000740068006500200063006f006d00700075007400650072002c00200064006f006e002700740020006d006f00760065002000660069006c0065007300200061006e0064002000770072006900740065002000750073002e000d000a000d000a0033002e000d000a0020002000200051003a0020005700680061007400200074006f002000740065006c006c0020006d007900200062006f00730073003f000d000a0020002000200041003a002000500072006f007400650063007400200059006f00750072002000530079007300740065006d00200041006d00690067006f002e000d000a000d000a000000	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = 50005900530041000000	f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe

C:\Users\Admin\AppData\Local\Temp\f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe
"C:\Users\Admin\AppData\Local\Temp\f602319a51dfad374687a6d18f87c9f8e7b9cab956a4993c2ed83e7adad6e2db.bin.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
2⤵
PID:3184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Data Encrypted for Impact

1

T1486

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\update.bat
MD5
f19f9658fbc34f071a180ef52de04616

SHA1
f56685f57c769728569a05f22f4cb1b128ae5361

SHA256
59672947f1a3523599211114bcf1f1e5fe786817ded7b87e7c8409e6aa075192

SHA512
c7a913b3f2672c53bd14bcb6b71a1a87de4e737b12835b4065147ef773459a3a9c529021c614d3bb71dac7817bfccfbca7c61a5f36897cd630512d63425ed090

Download Submit
memory/3184-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads