Overview

overview

10

Static

static

10

44f1def68a...f9.exe

windows7_x64

10

Analysis

  • max time kernel
    67s
  • max time network
    71s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    13-07-2022 06:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    44f1def68aef34687bfacf3668e56873f9d603fc6741d5da1209cc55bdc6f1f9.exe

  • Size

    500KB

  • MD5

    6db85bacef3cac6deb69911af522e2b7

  • SHA1

    6aa7b2744a7e3975f0dff3672ec633b687ef5fbd

  • SHA256

    44f1def68aef34687bfacf3668e56873f9d603fc6741d5da1209cc55bdc6f1f9

  • SHA512

    7fbeb7cd7c09eb758e7dbbbe388e742a4d4a5e2933edcc3c0d57d4225918a5b9ac8259ebfcd71ae588e3b459aa5fa2ad8efad635ebc86f271cae7d272e1f8361

Score
10/10
mespinozaransomwarespywarestealer

Malware Config

Signatures

  • Mespinoza Ransomware 2 TTPs

    Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.

    ransomwaremespinoza
  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 14 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\44f1def68aef34687bfacf3668e56873f9d603fc6741d5da1209cc55bdc6f1f9.exe
    "C:\Users\Admin\AppData\Local\Temp\44f1def68aef34687bfacf3668e56873f9d603fc6741d5da1209cc55bdc6f1f9.exe"
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1376
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
      2⤵
      • Deletes itself
      PID:340
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:936
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x47c
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:268
    • C:\Windows\system32\verclsid.exe
      "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
      1⤵
        PID:1788
      • C:\Users\Admin\AppData\Local\Temp\44f1def68aef34687bfacf3668e56873f9d603fc6741d5da1209cc55bdc6f1f9.exe
        "C:\Users\Admin\AppData\Local\Temp\44f1def68aef34687bfacf3668e56873f9d603fc6741d5da1209cc55bdc6f1f9.exe"
        1⤵
          PID:1572
        • C:\Windows\system32\taskmgr.exe
          taskmgr.exe /2
          1⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:284
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Public\Desktop\Readme.README
          1⤵
          • Modifies registry class
          PID:1764
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Public\Desktop\Readme.README
          1⤵
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1932
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\Readme.README
            2⤵
            • Opens file in notepad (likely ransom note)
            PID:1192

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\update.bat
          Filesize

          339B

          MD5

          2f3a589eeee18720599acdec8b0259b8

          SHA1

          de883a01f7c21201f6b67531fbe75c685173e510

          SHA256

          b140920f6b4908a5f4882df3880daca2dea1cafba59fdb725f4b70a51d00c380

          SHA512

          2dcaac601fbb2a3f389c326834336e6f50a12547eee8c6c56607560c2c81c67fa5196227b3857b20ef8ef200e49ee9070714760787e6381d56fdda59e510d73f

          Download Submit

        • C:\Users\Public\Desktop\Readme.README
          Filesize

          904B

          MD5

          f1e02c73dd4d00f3864128ec2a88d149

          SHA1

          f26ef3010c8fc071dcec48f6da548a6c697d924e

          SHA256

          f4b41945e9a1f5c0c53230c6dfdd514a8f64f1e4ccdb733395b43d830ab9a607

          SHA512

          78682f35934908447319aa34c5e3988d9f6cba842b56e7ac69c4ea81c670f7b4af22563886c4dfc335c68c2b9c1a0c7f4cfd4c03664a3ea039fead0cc21a2283

          Download Submit

        • memory/284-59-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/284-60-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/936-55-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1376-54-0x0000000075361000-0x0000000075363000-memory.dmp

          Filesize

          8KB

          Download