mespinoza | 5fa8c4ab6dc45672099078277903cce8e86ae1e310f24a0dd9862166e3c0e30c

General

Target

scvhost.exe
Size

500KB
MD5

e04becb4c8ff826e5e5aa305dee074bc
SHA1

07bf49663c9c76e4a468a98f2fe3a55977432a39
SHA256

5fa8c4ab6dc45672099078277903cce8e86ae1e310f24a0dd9862166e3c0e30c
SHA512

cb4c086df9395d1ebc68cc576d241e584c454e45db5365ed2196f0529cb6c2cad70b0f061e7fced4d980f10aabf8829f6e69602be8e086f73d9c1aa7d4d48fa2

Score

10^/10

mespinoza ransomware spyware stealer

Malware Config

Signatures

Mespinoza Ransomware 2 TTPs
Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.
ransomware mespinoza

Query Registry
T1012

Data Encrypted for Impact
T1486

Modifies extensions of user files 18 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

scvhost.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\UpdateUninstall.tif => C:\Users\Admin\Pictures\UpdateUninstall.tif.pysa	scvhost.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateUninstall.tif.pysa	scvhost.exe
File opened for modification	C:\Users\Admin\Pictures\BlockSkip.crw.pysa	scvhost.exe
File opened for modification	C:\Users\Admin\Pictures\BlockSync.png.pysa	scvhost.exe
File renamed	C:\Users\Admin\Pictures\MountLimit.png => C:\Users\Admin\Pictures\MountLimit.png.pysa	scvhost.exe
File renamed	C:\Users\Admin\Pictures\TestConfirm.tif => C:\Users\Admin\Pictures\TestConfirm.tif.pysa	scvhost.exe
File renamed	C:\Users\Admin\Pictures\UnprotectSubmit.crw => C:\Users\Admin\Pictures\UnprotectSubmit.crw.pysa	scvhost.exe
File renamed	C:\Users\Admin\Pictures\BlockSkip.crw => C:\Users\Admin\Pictures\BlockSkip.crw.pysa	scvhost.exe
File renamed	C:\Users\Admin\Pictures\ExpandUnlock.crw => C:\Users\Admin\Pictures\ExpandUnlock.crw.pysa	scvhost.exe
File renamed	C:\Users\Admin\Pictures\GrantReceive.tiff => C:\Users\Admin\Pictures\GrantReceive.tiff.pysa	scvhost.exe
File opened for modification	C:\Users\Admin\Pictures\GrantReceive.tiff.pysa	scvhost.exe
File opened for modification	C:\Users\Admin\Pictures\SetExit.crw.pysa	scvhost.exe
File renamed	C:\Users\Admin\Pictures\SetExit.crw => C:\Users\Admin\Pictures\SetExit.crw.pysa	scvhost.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectSubmit.crw.pysa	scvhost.exe
File renamed	C:\Users\Admin\Pictures\BlockSync.png => C:\Users\Admin\Pictures\BlockSync.png.pysa	scvhost.exe
File opened for modification	C:\Users\Admin\Pictures\ExpandUnlock.crw.pysa	scvhost.exe
File opened for modification	C:\Users\Admin\Pictures\MountLimit.png.pysa	scvhost.exe
File opened for modification	C:\Users\Admin\Pictures\TestConfirm.tif.pysa	scvhost.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1688 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1688	cmd.exe

Drops file in Program Files directory 64 IoCs

Processes:

scvhost.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\Readme.README	scvhost.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\Readme.README	scvhost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\Readme.README	scvhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_zh_CN.jar.pysa	scvhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Belgrade.pysa	scvhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png.pysa	scvhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac.pysa	scvhost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\Readme.README	scvhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo.pysa	scvhost.exe
File created	C:\Program Files\Windows Journal\fr-FR\Readme.README	scvhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt.pysa	scvhost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Readme.README	scvhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.contexts_1.3.100.v20140407-1019.jar.pysa	scvhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.events_3.0.0.draft20060413_v201105210656.jar.pysa	scvhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-charts.jar.pysa	scvhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Real.mpp.pysa	scvhost.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\Readme.README	scvhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\BLENDS.ELM.pysa	scvhost.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\Readme.README	scvhost.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\Readme.README	scvhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt.pysa	scvhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbytools.jar.pysa	scvhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.bfc.pysa	scvhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar.pysa	scvhost.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\Readme.README	scvhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cuiaba.pysa	scvhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml.pysa	scvhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.svg_1.1.0.v201011041433.jar.pysa	scvhost.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\Readme.README	scvhost.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\Readme.README	scvhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh88.pysa	scvhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml.pysa	scvhost.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\Readme.README	scvhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx.pysa	scvhost.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\Readme.README	scvhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jmx.jar.pysa	scvhost.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\Readme.README	scvhost.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\Readme.README	scvhost.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\Readme.README	scvhost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Readme.README	scvhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.pysa	scvhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml.pysa	scvhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_ja.jar.pysa	scvhost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb.pysa	scvhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo.pysa	scvhost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.pysa	scvhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh89.pysa	scvhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Madrid.pysa	scvhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties.pysa	scvhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png.pysa	scvhost.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\Readme.README	scvhost.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\Readme.README	scvhost.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\Readme.README	scvhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\PREVIEW.GIF.pysa	scvhost.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\Readme.README	scvhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\QRCode.pmp.pysa	scvhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT.pysa	scvhost.exe
File created	C:\Program Files\Common Files\Readme.README	scvhost.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\Readme.README	scvhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar.pysa	scvhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\vlc.mo.pysa	scvhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSansBold.ttf.pysa	scvhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSWDS_FR.LEX.pysa	scvhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-dialogs.jar.pysa	scvhost.exe

Drops file in Windows directory 1 IoCs

Processes:

scvhost.exe

description ioc process

File created C:\Windows\Readme.README scvhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Readme.README	scvhost.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

scvhost.exe

description	pid	process	target process
PID 1624 wrote to memory of 1688	1624	scvhost.exe	cmd.exe
PID 1624 wrote to memory of 1688	1624	scvhost.exe	cmd.exe
PID 1624 wrote to memory of 1688	1624	scvhost.exe	cmd.exe
PID 1624 wrote to memory of 1688	1624	scvhost.exe	cmd.exe
PID 1624 wrote to memory of 1688	1624	scvhost.exe	cmd.exe
PID 1624 wrote to memory of 1688	1624	scvhost.exe	cmd.exe
PID 1624 wrote to memory of 1688	1624	scvhost.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

scvhost.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = 48006900200043006f006d00700061006e0079002c000d000a000d000a00450076006500720079002000620079007400650020006f006e00200061006e00790020007400790070006500730020006f006600200079006f0075007200200064006500760069006300650073002000770061007300200065006e0063007200790070007400650064002e000d000a0044006f006e00270074002000740072007900200074006f00200075007300650020006200610063006b007500700073002000620065006300610075007300650020006900740020007700650072006500200065006e006300720079007000740065006400200074006f006f002e000d000a000d000a0054006f002000670065007400200061006c006c00200079006f00750072002000640061007400610020006200610063006b00200063006f006e0074006100630074002000750073003a000d000a004a006f0068006e004a006500640040006f006e0069006f006e006d00610069006c002e006f00720067000d000a000d000a0041006c0073006f002c0020006200650020006100770061007200650020007400680061007400200077006500200064006f0077006e006c006f0061006400650064002000660069006c00650073002000660072006f006d00200079006f007500720020007300650072007600650072007300200061006e006400200069006e002000630061007300650020006f00660020006e006f006e002d007000610079006d0065006e0074002000770065002000770069006c006c00200062006500200066006f007200630065006400200074006f002000750070006c006f006100640020007400680065006d0020006f006e0020006f0075007200200077006500620073006900740065002c00200061006e00640020006900660020006e00650063006500730073006100720079002c002000770065002000770069006c006c002000730065006c006c0020007400680065006d0020006f006e00200074006800650020006400610072006b006e00650074002e000d000a0043006800650063006b0020006f007500740020006f0075007200200077006500620073006900740065002c0020007700650020006a00750073007400200070006f00730074006500640020007400680065007200650020006e006500770020007500700064006100740065007300200066006f00720020006f0075007200200070006100720074006e006500720073003a00200068007400740070003a002f002f0070007900730061003200620069007400630035006c00640065007900660061006b00340073006500650072007500710079006d0071007300340073006a00350077007400350071006b0063007100370061006f00790067003400680032006100630071006900650079007700610064002e006f006e0069006f006e002f000d000a0054006f00200067006f00200074006f0020006f007500720020007300690074006500200079006f00750020006800610076006500200074006f002000750073006500200054004f0052002000420072006f0077007300650072002e00200044006f0077006e006c006f006100640020006c0069006e006b003a002000680074007400700073003a002f002f007700770077002e0074006f007200700072006f006a006500630074002e006f00720067002f0064006f0077006e006c006f00610064002f000d000a002d002d002d002d002d002d002d002d002d002d002d002d002d002d000d000a000d000a004600410051003a000d000a000d000a0031002e000d000a0020002000200051003a00200048006f0077002000630061006e002000490020006d0061006b00650020007300750072006500200079006f007500200064006f006e0027007400200066006f006f006c0069006e00670020006d0065003f000d000a0020002000200041003a00200059006f0075002000630061006e002000730065006e006400200075007300200032002000660069006c006500730028006d0061007800200032006d00620029002e000d000a000d000a0032002e000d000a0020002000200051003a0020005700680061007400200074006f00200064006f00200074006f002000670065007400200061006c006c002000640061007400610020006200610063006b003f000d000a0020002000200041003a00200044006f006e0027007400200072006500730074006100720074002000740068006500200063006f006d00700075007400650072002c00200064006f006e002700740020006d006f00760065002000660069006c0065007300200061006e0064002000770072006900740065002000750073002e000d000a000d000a0033002e000d000a0020002000200051003a0020005700680061007400200069006600200049002000680061007600650020006e006f00200072006500730070006f006e00730065003f000d000a0020002000200041003a0020005700610069007400200061006e0064002000770065002000770069006c006c00200061006e007300770065007200200079006f007500200069006e00200032003400200068006f007500720073002e000d000a000d000a0034002e000d000a0020002000200051003a0020005700680061007400200074006f002000740065006c006c0020006d007900200062006f00730073003f000d000a0020002000200041003a002000500072006f007400650063007400200059006f00750072002000530079007300740065006d00200041006d00690067006f002e000d000a000d000a000000	scvhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = 50005900530041000000	scvhost.exe

C:\Users\Admin\AppData\Local\Temp\scvhost.exe
"C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
2⤵
- Deletes itself
PID:1688

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1280

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1000

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Data Encrypted for Impact

1

T1486

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\update.bat
MD5
8b62af0dab0aede04ce53ce7022fcf1c

SHA1
0f5f1d427531c502d8c46348cf5d52fe9d5e6bad

SHA256
f1202f4d1dd1b0d974eed9c7ebe97552522208c860dede4251b6b001f66143d8

SHA512
1884c41110456211f7cb163483bff6128700d9a8164354cf386abd3eaada7aa45e1112fd87adebb75375793a12e7c7785446f2326bf2c54bb6d81050a8f38451

Download Submit
memory/1280-55-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp

Filesize
8KB

Download
memory/1624-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Filesize
8KB

Download
memory/1688-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads