Overview
overview
10Static
static
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.ps1
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.msi
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.ps1
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
8Ransomware...KB.exe
windows10-2004-x64
10Resubmissions
28-07-2024 16:38
240728-t5tryssgmm 1007-07-2024 14:07
240707-rfgd8atekm 1007-07-2024 14:07
240707-re689awdpe 1013-09-2022 17:54
220913-wg1lpsgbg7 10Analysis
-
max time kernel
1689s -
max time network
1702s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
13-09-2022 17:54
Static task
static1
Behavioral task
behavioral1
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral2
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral4
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral5
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral6
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral7
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral8
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral9
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral10
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral11
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral12
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral13
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral14
Sample
RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral15
Sample
RansomwareSamples/MountLocker_20_11_2020_200KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral16
Sample
RansomwareSamples/Nefilim_31_08_2020_3061KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral17
Sample
RansomwareSamples/Nemty_03_02_2021_124KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral18
Sample
RansomwareSamples/NetWalker_19_10_2020_903KB.ps1
Resource
win10v2004-20220812-en
Behavioral task
behavioral19
Sample
RansomwareSamples/Phoenix_29_03_2021_1930KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral20
Sample
RansomwareSamples/PwndLocker_04_03_2020_17KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral21
Sample
RansomwareSamples/Pysa_08_04_2021_500KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral22
Sample
RansomwareSamples/REvil_07_04_2021_121KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral23
Sample
RansomwareSamples/REvil_08_04_2021_121KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral24
Sample
RansomwareSamples/Ragnar_11_02_2020_40KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral25
Sample
RansomwareSamples/RansomEXX_14_12_2020_156KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral26
Sample
RansomwareSamples/Ranzy_20_11_2020_138KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral27
Sample
RansomwareSamples/Ryuk_21_03_2021_274KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral28
Sample
RansomwareSamples/Sekhmet_30_03_2020_364KB.msi
Resource
win10v2004-20220812-en
Behavioral task
behavioral29
Sample
RansomwareSamples/Sodinokibi_04_07_2019_253KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral30
Sample
RansomwareSamples/SunCrypt_26_01_2021_1422KB.ps1
Resource
win10v2004-20220901-en
Behavioral task
behavioral31
Sample
RansomwareSamples/Thanos_23_03_2021_91KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral32
Sample
RansomwareSamples/Zeppelin_08_03_2021_813KB.exe
Resource
win10v2004-20220812-en
General
-
Target
RansomwareSamples/Pysa_08_04_2021_500KB.exe
-
Size
500KB
-
MD5
d751f54365181f544f908cc9ae3c91c5
-
SHA1
51cbc9455b7781cf0529f299631e59016fe52e95
-
SHA256
af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8
-
SHA512
04497dcac535c18247b13634db35a3a53369719696e700ff2c45637c616f6932ba22ddad2e3925055c92e5922f38c34f09ce8d87106f894a7a586ad0d41e6d33
-
SSDEEP
12288:oDMUibBYoo+OeO+OeNhBBhhBB7TRU+FR+q1mITXimIscFa:KMUiFTTRU+3+qAILfo
Malware Config
Signatures
-
Mespinoza Ransomware 2 TTPs
Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.
-
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\DebugApprove.tiff => C:\Users\Admin\Pictures\DebugApprove.tiff.pysa Pysa_08_04_2021_500KB.exe File renamed C:\Users\Admin\Pictures\FindEnable.tif => C:\Users\Admin\Pictures\FindEnable.tif.pysa Pysa_08_04_2021_500KB.exe File renamed C:\Users\Admin\Pictures\PingDebug.crw => C:\Users\Admin\Pictures\PingDebug.crw.pysa Pysa_08_04_2021_500KB.exe File renamed C:\Users\Admin\Pictures\ResumeWait.tiff => C:\Users\Admin\Pictures\ResumeWait.tiff.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Users\Admin\Pictures\DebugApprove.tiff.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Users\Admin\Pictures\FindEnable.tif.pysa Pysa_08_04_2021_500KB.exe File renamed C:\Users\Admin\Pictures\LockGroup.crw => C:\Users\Admin\Pictures\LockGroup.crw.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Users\Admin\Pictures\LockGroup.crw.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Users\Admin\Pictures\PingDebug.crw.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Users\Admin\Pictures\ResumeWait.tiff.pysa Pysa_08_04_2021_500KB.exe File renamed C:\Users\Admin\Pictures\SaveDismount.tif => C:\Users\Admin\Pictures\SaveDismount.tif.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Users\Admin\Pictures\SaveDismount.tif.pysa Pysa_08_04_2021_500KB.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation Pysa_08_04_2021_500KB.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\Readme.README Pysa_08_04_2021_500KB.exe File created C:\Program Files (x86)\Windows Media Player\ja-JP\Readme.README Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\psfont.properties.ja.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar.pysa Pysa_08_04_2021_500KB.exe File created C:\Program Files\Java\jdk1.8.0_66\Readme.README Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\de-de\ui-strings.js.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\rna-main.js.pysa Pysa_08_04_2021_500KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Readme.README Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview-hover.svg.pysa Pysa_08_04_2021_500KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\Readme.README Pysa_08_04_2021_500KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\eu-es\Readme.README Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations_2.4.0.v20131119-0908.jar.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-nodes.jar.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\MSFT_PackageManagement.strings.psd1.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ru-ru\ui-strings.js.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.zh_CN_5.5.0.165303.jar.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_shared.gif.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\ui-strings.js.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\cs_get.svg.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-attach.jar.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reminders_18.svg.pysa Pysa_08_04_2021_500KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\Readme.README Pysa_08_04_2021_500KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\Readme.README Pysa_08_04_2021_500KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\Readme.README Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\snmp.acl.template.pysa Pysa_08_04_2021_500KB.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\Readme.README Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\koreus.luac.pysa Pysa_08_04_2021_500KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\Readme.README Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\ui-strings.js.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-modules.jar.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-dialogs_ja.jar.pysa Pysa_08_04_2021_500KB.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\iadata\Readme.README Pysa_08_04_2021_500KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\he-il\Readme.README Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\7-Zip\Lang\uz.txt.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker_1.1.200.v20131119-0908.jar.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nl-nl\ui-strings.js.pysa Pysa_08_04_2021_500KB.exe File created C:\Program Files (x86)\Windows NT\TableTextService\Readme.README Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ar_get.svg.pysa Pysa_08_04_2021_500KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fi-fi\Readme.README Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\sd\icecast.luac.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\editpdf-tool-view.js.pysa Pysa_08_04_2021_500KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-si\Readme.README Pysa_08_04_2021_500KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\Readme.README Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\example_icons2x.png.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\setEmbeddedCP.bat.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\config.ini.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_zh_CN.jar.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\fontconfig.bfc.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\ui-strings.js.pysa Pysa_08_04_2021_500KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ja-jp\Readme.README Pysa_08_04_2021_500KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\da-dk\Readme.README Pysa_08_04_2021_500KB.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\Readme.README Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jmx.jar.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\deploy.jar.pysa Pysa_08_04_2021_500KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ko-kr\Readme.README Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\MSFT_PackageManagementSource.schema.mfl.pysa Pysa_08_04_2021_500KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\new_icons_retina.png.pysa Pysa_08_04_2021_500KB.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Readme.README Pysa_08_04_2021_500KB.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1424 wrote to memory of 3868 1424 Pysa_08_04_2021_500KB.exe 90 PID 1424 wrote to memory of 3868 1424 Pysa_08_04_2021_500KB.exe 90 PID 1424 wrote to memory of 3868 1424 Pysa_08_04_2021_500KB.exe 90 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = 50005900530041000000 Pysa_08_04_2021_500KB.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = 48006900200043006f006d00700061006e0079002c000d000a000d000a00450076006500720079002000620079007400650020006f006e00200061006e00790020007400790070006500730020006f006600200079006f0075007200200064006500760069006300650073002000770061007300200065006e0063007200790070007400650064002e000d000a0044006f006e00270074002000740072007900200074006f00200075007300650020006200610063006b007500700073002000620065006300610075007300650020006900740020007700650072006500200065006e006300720079007000740065006400200074006f006f002e000d000a000d000a0054006f002000670065007400200061006c006c00200079006f00750072002000640061007400610020006200610063006b00200063006f006e0074006100630074002000750073003a000d000a0052006f006200650072007400470075006e00740068006500720040006f006e0069006f006e006d00610069006c002e006f00720067000d000a004a00650061006e00650074007400650043006f006f006b0040006f006e0069006f006e006d00610069006c002e006f00720067000d000a004a006500660066006500720079005f00480061006d006d006f006e00640073004000700072006f0074006f006e006d00610069006c002e0063006f006d000d000a000d000a0041006c0073006f002c0020006200650020006100770061007200650020007400680061007400200077006500200064006f0077006e006c006f0061006400650064002000660069006c00650073002000660072006f006d00200079006f007500720020007300650072007600650072007300200061006e006400200069006e002000630061007300650020006f00660020006e006f006e002d007000610079006d0065006e0074002000770065002000770069006c006c00200062006500200066006f007200630065006400200074006f002000750070006c006f006100640020007400680065006d0020006f006e0020006f0075007200200077006500620073006900740065002c00200061006e00640020006900660020006e00650063006500730073006100720079002c002000770065002000770069006c006c002000730065006c006c0020007400680065006d0020006f006e00200074006800650020006400610072006b006e00650074002e000d000a0043006800650063006b0020006f007500740020006f0075007200200077006500620073006900740065002c0020007700650020006a00750073007400200070006f00730074006500640020007400680065007200650020006e006500770020007500700064006100740065007300200066006f00720020006f0075007200200070006100720074006e006500720073003a00200068007400740070003a002f002f00770071006d0066007a006e00690032006e0076006200620070006b00320035002e006f006e0069006f006e002f000d000a002d002d002d002d002d002d002d002d002d002d002d002d002d002d000d000a000d000a004600410051003a000d000a000d000a0031002e000d000a0020002000200051003a00200048006f0077002000630061006e002000490020006d0061006b00650020007300750072006500200079006f007500200064006f006e0027007400200066006f006f006c0069006e00670020006d0065003f000d000a0020002000200041003a00200059006f0075002000630061006e002000730065006e006400200075007300200032002000660069006c006500730028006d0061007800200032006d00620029002e000d000a000d000a0032002e000d000a0020002000200051003a0020005700680061007400200074006f00200064006f00200074006f002000670065007400200061006c006c002000640061007400610020006200610063006b003f000d000a0020002000200041003a00200044006f006e0027007400200072006500730074006100720074002000740068006500200063006f006d00700075007400650072002c00200064006f006e002700740020006d006f00760065002000660069006c0065007300200061006e0064002000770072006900740065002000750073002e000d000a000d000a0033002e000d000a0020002000200051003a0020005700680061007400200074006f002000740065006c006c0020006d007900200062006f00730073003f000d000a0020002000200041003a002000500072006f007400650063007400200059006f00750072002000530079007300740065006d00200041006d00690067006f002e000d000a000d000a000000 Pysa_08_04_2021_500KB.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Pysa_08_04_2021_500KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Pysa_08_04_2021_500KB.exe"1⤵
- Modifies extensions of user files
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1424 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "2⤵PID:3868
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
307B
MD5500d20a1c66f984df577ead3578baa6e
SHA115e4f30890d806ea39c722b7ec3b4ff8c29c3da1
SHA25657274f42114888d8e6d8c48bd02b4cd2f5dd20bb407aa3472a62568f6fb15dfa
SHA512a077bd8671b6c03257739c5a2a5685bc57c57f37b9bbca40d021ea2e3c73fb798cbf3a607426ca18f72909f25b01ddd617946b2942578bfbc191d5a8402aa47e