Resubmissions

28-07-2024 16:38

240728-t5tryssgmm 10

07-07-2024 14:07

240707-rfgd8atekm 10

07-07-2024 14:07

240707-re689awdpe 10

13-09-2022 17:54

220913-wg1lpsgbg7 10

Analysis

  • max time kernel
    1689s
  • max time network
    1702s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-09-2022 17:54

General

  • Target

    RansomwareSamples/Pysa_08_04_2021_500KB.exe

  • Size

    500KB

  • MD5

    d751f54365181f544f908cc9ae3c91c5

  • SHA1

    51cbc9455b7781cf0529f299631e59016fe52e95

  • SHA256

    af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8

  • SHA512

    04497dcac535c18247b13634db35a3a53369719696e700ff2c45637c616f6932ba22ddad2e3925055c92e5922f38c34f09ce8d87106f894a7a586ad0d41e6d33

  • SSDEEP

    12288:oDMUibBYoo+OeO+OeNhBBhhBB7TRU+FR+q1mITXimIscFa:KMUiFTTRU+3+qAILfo

Malware Config

Signatures

  • Mespinoza Ransomware 2 TTPs

    Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.

  • Modifies extensions of user files 12 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Pysa_08_04_2021_500KB.exe
    "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Pysa_08_04_2021_500KB.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1424
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
      2⤵
        PID:3868

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\update.bat

      Filesize

      307B

      MD5

      500d20a1c66f984df577ead3578baa6e

      SHA1

      15e4f30890d806ea39c722b7ec3b4ff8c29c3da1

      SHA256

      57274f42114888d8e6d8c48bd02b4cd2f5dd20bb407aa3472a62568f6fb15dfa

      SHA512

      a077bd8671b6c03257739c5a2a5685bc57c57f37b9bbca40d021ea2e3c73fb798cbf3a607426ca18f72909f25b01ddd617946b2942578bfbc191d5a8402aa47e