Analysis

  • max time kernel
    101s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    25-05-2022 22:49

General

  • Target

    W71my1HtQm.exe

  • Size

    499KB

  • MD5

    339165f63aec8d7fd7798129d0fc68ad

  • SHA1

    07f594333ca9db110bbee37a9643988f4cc22933

  • SHA256

    0f0014669bc10a7d87472cafc05301c66516857607b920ddeb3039f4cb8f0a50

  • SHA512

    5ef9dbe0f29397adf00f0c4ace8f90fd0aba9a0c2016cecff02f68bcef5781bc5dcd32c18d9b54cc8025581ec6494990dd472cdd36c394637799907e5cc55e3b

Malware Config

Signatures

  • Mespinoza Ransomware 2 TTPs

    Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.

  • Modifies extensions of user files 12 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 7 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\W71my1HtQm.exe
    "C:\Users\Admin\AppData\Local\Temp\W71my1HtQm.exe"
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1052
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
      2⤵
      • Deletes itself
      PID:760

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\update.bat

    Filesize

    231B

    MD5

    715e4d1f8655fb52a0126e5a7dae0655

    SHA1

    6ef4a6f09ee41b4e252ffb2e6d0468ee2baa7fa8

    SHA256

    41b5704d96abe077590fbd89587d411447555435112688a2a21183e91e98f211

    SHA512

    a3fd655d5eb3fe22bcdb6c47b6d2fc892e152c4e103468864220639e6a740d1906596a639019c5cbe70a4eab00d47a3fcf4d60a4213a4da912bc4cd207b091a7

  • memory/760-55-0x0000000000000000-mapping.dmp

  • memory/1052-54-0x0000000076C81000-0x0000000076C83000-memory.dmp

    Filesize

    8KB