Analysis
max time kernel
101s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-05-2022 22:49
Static task
static1
Behavioral task
behavioral1
Sample
W71my1HtQm.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
W71my1HtQm.exe
Resource
win10v2004-20220414-en
General
Target
W71my1HtQm.exe
Size
499KB
MD5
339165f63aec8d7fd7798129d0fc68ad
SHA1
07f594333ca9db110bbee37a9643988f4cc22933
SHA256
0f0014669bc10a7d87472cafc05301c66516857607b920ddeb3039f4cb8f0a50
SHA512
5ef9dbe0f29397adf00f0c4ace8f90fd0aba9a0c2016cecff02f68bcef5781bc5dcd32c18d9b54cc8025581ec6494990dd472cdd36c394637799907e5cc55e3b
Malware Config
Signatures
Mespinoza Ransomware 2 TTPs
Also known as Pysa. Ransomware-as-a-service which first appeared in 2020.
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: W71my1HtQm.exe
description | ioc | Process
File opened for modification | C:\Users\Admin\Pictures\UseMove.raw.pysa | W71my1HtQm.exe
File renamed | C:\Users\Admin\Pictures\BackupExport.tif => C:\Users\Admin\Pictures\BackupExport.tif.pysa | W71my1HtQm.exe
File opened for modification | C:\Users\Admin\Pictures\ClearGet.tiff.pysa | W71my1HtQm.exe
File renamed | C:\Users\Admin\Pictures\ConvertToReceive.png => C:\Users\Admin\Pictures\ConvertToReceive.png.pysa | W71my1HtQm.exe
File opened for modification | C:\Users\Admin\Pictures\ConvertToReceive.png.pysa | W71my1HtQm.exe
File renamed | C:\Users\Admin\Pictures\DisableWait.tif => C:\Users\Admin\Pictures\DisableWait.tif.pysa | W71my1HtQm.exe
File opened for modification | C:\Users\Admin\Pictures\DisableWait.tif.pysa | W71my1HtQm.exe
File renamed | C:\Users\Admin\Pictures\ShowSwitch.raw => C:\Users\Admin\Pictures\ShowSwitch.raw.pysa | W71my1HtQm.exe
File opened for modification | C:\Users\Admin\Pictures\ShowSwitch.raw.pysa | W71my1HtQm.exe
File opened for modification | C:\Users\Admin\Pictures\BackupExport.tif.pysa | W71my1HtQm.exe
File renamed | C:\Users\Admin\Pictures\ClearGet.tiff => C:\Users\Admin\Pictures\ClearGet.tiff.pysa | W71my1HtQm.exe
File renamed | C:\Users\Admin\Pictures\UseMove.raw => C:\Users\Admin\Pictures\UseMove.raw.pysa | W71my1HtQm.exe
Deletes itself 1 IoCs
Processes: cmd.exe
pid | Process
760 | cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory 64 IoCs
Processes: W71my1HtQm.exe
description | ioc | Process
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.HLP.pysa | W71my1HtQm.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\Readme.README | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-nodes.jar.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jre7\lib\fonts\LucidaSansRegular.ttf.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties.pysa | W71my1HtQm.exe
File created | C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\Readme.README | W71my1HtQm.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Readme.README | W71my1HtQm.exe
File created | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\Readme.README | W71my1HtQm.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\Readme.README | W71my1HtQm.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\Readme.README | W71my1HtQm.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\Readme.README | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\PST8PDT.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annots.api.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\BLUECALM.ELM.pysa | W71my1HtQm.exe
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Readme.README | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Goose_Bay.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac.pysa | W71my1HtQm.exe
File created | C:\Program Files\Windows Media Player\es-ES\Readme.README | W71my1HtQm.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\Readme.README | W71my1HtQm.exe
File created | C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\Readme.README | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_zh_4.4.0.v20140623020002.jar.pysa | W71my1HtQm.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\Readme.README | W71my1HtQm.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeAUM_rootCert.cer.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_ja_4.4.0.v20140623020002.jar.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sampler.jar.pysa | W71my1HtQm.exe
File created | C:\Program Files (x86)\Windows NT\TableTextService\Readme.README | W71my1HtQm.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\Readme.README | W71my1HtQm.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ba.txt.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\fil.pak.pysa | W71my1HtQm.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\Readme.README | W71my1HtQm.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\Readme.README | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Havana.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DigSig.api.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\plugin.jar.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_ja.jar.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_ja.jar.pysa | W71my1HtQm.exe
File created | C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\Readme.README | W71my1HtQm.exe
File created | C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\Readme.README | W71my1HtQm.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\Readme.README | W71my1HtQm.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ta.txt.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\localedata.jar.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-spi-quicksearch.jar.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jre7\lib\deploy\messages_zh_TW.properties.pysa | W71my1HtQm.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\Readme.README | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore_2.10.1.v20140901-1043.jar.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Havana.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Whitehorse.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_200_percent.pak.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_zh_4.4.0.v20140623020002.jar.pysa | W71my1HtQm.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\Readme.README | W71my1HtQm.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\youtube.crx.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\vlc.mo.pysa | W71my1HtQm.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\Readme.README | W71my1HtQm.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\Readme.README | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_ja.jar.pysa | W71my1HtQm.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_zh_CN.jar.pysa | W71my1HtQm.exe
Drops file in Windows directory 1 IoCs
Processes: W71my1HtQm.exe
description | ioc | Process
File created | C:\Windows\Readme.README | W71my1HtQm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory 7 IoCs
Processes: W71my1HtQm.exe
description | pid | Process | procid_target
PID 1052 wrote to memory of 760 | 1052 | W71my1HtQm.exe | 32
PID 1052 wrote to memory of 760 | 1052 | W71my1HtQm.exe | 32
PID 1052 wrote to memory of 760 | 1052 | W71my1HtQm.exe | 32
PID 1052 wrote to memory of 760 | 1052 | W71my1HtQm.exe | 32
PID 1052 wrote to memory of 760 | 1052 | W71my1HtQm.exe | 32
PID 1052 wrote to memory of 760 | 1052 | W71my1HtQm.exe | 32
PID 1052 wrote to memory of 760 | 1052 | W71my1HtQm.exe | 32
System policy modification 1 TTPs 2 IoCs
Processes: W71my1HtQm.exe
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = 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 | W71my1HtQm.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = 50005900530041000000 | W71my1HtQm.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\W71my1HtQm.exe
   "C:\Users\Admin\AppData\Local\Temp\W71my1HtQm.exe"
   - Modifies extensions of user files
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   - System policy modification
   PID: 1052
   2. C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
      - Deletes itself
      PID: 760
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize
231B
MD5
715e4d1f8655fb52a0126e5a7dae0655
SHA1
6ef4a6f09ee41b4e252ffb2e6d0468ee2baa7fa8
SHA256
41b5704d96abe077590fbd89587d411447555435112688a2a21183e91e98f211
SHA512
a3fd655d5eb3fe22bcdb6c47b6d2fc892e152c4e103468864220639e6a740d1906596a639019c5cbe70a4eab00d47a3fcf4d60a4213a4da912bc4cd207b091a7