Analysis

  • max time kernel
    202s
  • max time network
    224s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-es
  • submitted
    23-04-2022 06:35

General

  • Target

    7c774062bc55e2d0e869d5d69820aa6e3b759454dbc926475b4db6f7f2b6cb14.exe

  • Size

    500KB

  • MD5

    dfe4dcc5c1ecd6cc9fea2373c672c326

  • SHA1

    11e399bed1a2e4ac51dfbae16a21f1adaff7c95f

  • SHA256

    7c774062bc55e2d0e869d5d69820aa6e3b759454dbc926475b4db6f7f2b6cb14

  • SHA512

    9f9e43601a88c386026d58e0f95785a97d86b228dbe5bb168dec90297c0480d8ba9aa07bdd92b90b0033dd098c2f1da17c72a1b05678fb2d6db43b254dbb1523

Malware Config

Signatures

  • Mespinoza Ransomware 2 TTPs

    Also known as Pysa. Ransomware-as-a-service which first appeared in 2020.

  • Modifies extensions of user files 14 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 12 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 21 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c774062bc55e2d0e869d5d69820aa6e3b759454dbc926475b4db6f7f2b6cb14.exe
    "C:\Users\Admin\AppData\Local\Temp\7c774062bc55e2d0e869d5d69820aa6e3b759454dbc926475b4db6f7f2b6cb14.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2844
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
      2⤵
        PID:4728
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:100
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4844
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4856
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Readme.README
          2⤵
            PID:3936
        • C:\Windows\system32\OpenWith.exe
          C:\Windows\system32\OpenWith.exe -Embedding
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4744
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\Readme.README
            2⤵
            • Opens file in notepad (likely ransom note)
            PID:2880
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
          1⤵
            PID:2340
          • C:\Windows\system32\LogonUI.exe
            "LogonUI.exe" /flags:0x4 /state0:0xa3928855 /state1:0x41c64e6d
            1⤵
            • Modifies data under HKEY_USERS
            • Suspicious use of SetWindowsHookEx
            PID:3652

Network

MITRE ATT&CK Matrix ATT&CK v6

  Tactic            Technique                    Count  ID
  Defense Evasion   Modify Registry              1      T1112
  Credential Access Credentials in Files         1      T1081
  Discovery         Query Registry               3      T1012
  Discovery         System Information Discovery 3      T1082
  Discovery         Peripheral Device Discovery  1      T1120
  Collection        Data from Local System       1      T1005
  Impact            Data Encrypted for Impact    1      T1486


Downloads

  • C:\ProgramData\Readme.README
    Filesize: 1KB
    MD5: 8fa5fddeb156cdf21f2cfa21ecdf9c39
    SHA1: dbcd4cb518f6bcc91487ad653585f6112bae8536
    SHA256: 7bc05b205080f8136fbe77e57b6a05dc031ccf99a5951f30298a5554f1ede263
    SHA512: 0fde4ee75e07fa0b12d0d1b38e36ffa170d9cfe225d95ab5385e8cc91a9fec2f5f70f98e94ee58b5db0d383f1fde796daf5eba62f615430cae46f84fdda80689

  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
    Filesize: 66KB
    MD5: 6942be83233f560637018348f63d4fb6
    SHA1: ac6cae4cd43e47a3ad52b84587a248eb939740c8
    SHA256: 3a57fc616a3c821246f3776767149225e138fb4310537e3c74fd9d819adc7153
    SHA512: 1caf07f0cc6b0f270d1d5a1ada8445a103dfb9de0ab318aaa76f57c93caf815e3fb0d0a88d63ecf13e5511b882a0d5ccb57565ea310209f7243a6fc3ff52ad9b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize: 28KB
    MD5: c643c5b1b433c02a48785925d5090edf
    SHA1: 154e0bb6b99ca4249814d40888d26b1a3062978b
    SHA256: 1f5a2c842c6d7e8484e9adce9a4a1e10746a72d58d1abab3dbdc709998a023e6
    SHA512: 91b400bd7a4be9b91b11e4f20a6c063e89bd01fdfc7a75f9ded927873eac3904ac228ae70fd7b9a9ee8158b7a1daab93e580041d2cbf6d1e5c62e9f122be44c5

  • C:\Users\Admin\AppData\Local\Temp\update.bat
    Filesize: 339B
    MD5: ddce49e7b287b095dd7c1330cbee036d
    SHA1: b82a73917476762f81f163252fc45064c686f659
    SHA256: 45ddf536b6b773f743fa33bd8a10011f3b26bd2cd4897197a54e6d8e1bd927e5
    SHA512: 57ae36ec3fbf954e60d7c615837d7ecd2265059da5136f8dc14dc0997b32abc4643353ff88cee219702e859f354e83933bf04a1574bc80346e8a7027a741e111

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Readme.README
    Filesize: 1KB
    MD5: 8fa5fddeb156cdf21f2cfa21ecdf9c39
    SHA1: dbcd4cb518f6bcc91487ad653585f6112bae8536
    SHA256: 7bc05b205080f8136fbe77e57b6a05dc031ccf99a5951f30298a5554f1ede263
    SHA512: 0fde4ee75e07fa0b12d0d1b38e36ffa170d9cfe225d95ab5385e8cc91a9fec2f5f70f98e94ee58b5db0d383f1fde796daf5eba62f615430cae46f84fdda80689

  • memory/2880-137-0x0000000000000000-mapping.dmp
  • memory/3936-135-0x0000000000000000-mapping.dmp
  • memory/4728-131-0x0000000000000000-mapping.dmp