mespinoza | ab0774b4ac9eb7e50c82abad03293ae39b668e81712b6ceb0d35ffe7e330881b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2025 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
Size

500KB
MD5

4dc8cae2cfff6ac862aea48b014937bb
SHA1

80486ca4caa5cb4ce42885dcd66d7a1b4a27d5ce
SHA256

ab0774b4ac9eb7e50c82abad03293ae39b668e81712b6ceb0d35ffe7e330881b
SHA512

79eb56d858b21743ca565d22bb56cd3d8e4ecfdf462f03124672dca090c95ca51f8908f8dea22c3631dddba0a1a2bf443f41fdf8bf70e826335bcc56d0def47d
SSDEEP

12288:YLrjOlAQS+OeO+OeNhBBhhBBYIeVZkD097u8HvaEs1Mm7Q:YLrjSGtVGD05u4yVMm

Score

10^/10

mespinoza discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Readme.README

Ransom Note

Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: [email protected] [email protected] [email protected] Also, be aware that we downloaded files from your servers and in case of non-payment we will be forced to upload them on our website, and if necessary, we will sell them on the darknet. Check out our website, we just posted there new updates for our partners: http://pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion/ -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What to tell my boss? A: Protect Your System Amigo.

Emails

[email protected]

URLs

http://pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion/

Signatures

Mespinoza Ransomware 2 TTPs
Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.
ransomware mespinoza

Query Registry
T1012

Data Encrypted for Impact
T1486
Mespinoza family
mespinoza
Renames multiple (3390) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\mesa3d.md.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunpkcs11.jar.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\it-it\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files\Common Files\microsoft shared\VGX\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\cacerts.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\keystore\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ru-ru\ui-strings.js.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\ui-strings.js.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\US_export_policy.jar.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\selector.js.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\share_icons.png.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Info.plist.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\ui-strings.js.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ro-ro\ui-strings.js.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\ui-strings.js.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pl-pl\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fi_get.svg.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\ui-strings.js.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\dom.md.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\selection-actions.png.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nb-no\ui-strings.js.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\iexplore.exe.mui.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_browser.gif.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons_2x.png.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ui-strings.js.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\cs-cz\ui-strings.js.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner-3x.png.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\s_checkbox_selected_18.svg.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ro-ro\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\ui-strings.js.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoCanary.png.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files\Windows NT\Accessories\uk-UA\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_fillandsign_18.svg.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\MSFT_PackageManagement.schema.mfl.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hi.pak.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe.sig.pysa	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
File created	C:\Program Files\VideoLAN\VLC\locale\vi\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Readme.README	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 3680	2520	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe	89
PID 2520 wrote to memory of 3680	2520	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe	89
PID 2520 wrote to memory of 3680	2520	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe	89

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = 48006900200043006f006d00700061006e0079002c000d000a000d000a00450076006500720079002000620079007400650020006f006e00200061006e00790020007400790070006500730020006f006600200079006f0075007200200064006500760069006300650073002000770061007300200065006e0063007200790070007400650064002e000d000a0044006f006e00270074002000740072007900200074006f00200075007300650020006200610063006b007500700073002000620065006300610075007300650020006900740020007700650072006500200065006e006300720079007000740065006400200074006f006f002e000d000a000d000a0054006f002000670065007400200061006c006c00200079006f00750072002000640061007400610020006200610063006b00200063006f006e0074006100630074002000750073003a000d000a00570061006c0074006500720043006f006c006c0069006e0073003700370040006f006e0069006f006e006d00610069006c002e006f00720067000d000a004d0061007200790055006c00720069006300680040006f006e0069006f006e006d00610069006c002e006f00720067000d000a004a0061006d006500730057006f006f006c006c0065007900320033004000700072006f0074006f006e006d00610069006c002e0063006f006d000d000a000d000a0041006c0073006f002c0020006200650020006100770061007200650020007400680061007400200077006500200064006f0077006e006c006f0061006400650064002000660069006c00650073002000660072006f006d00200079006f007500720020007300650072007600650072007300200061006e006400200069006e002000630061007300650020006f00660020006e006f006e002d007000610079006d0065006e0074002000770065002000770069006c006c00200062006500200066006f007200630065006400200074006f002000750070006c006f006100640020007400680065006d0020006f006e0020006f0075007200200077006500620073006900740065002c00200061006e00640020006900660020006e00650063006500730073006100720079002c002000770065002000770069006c006c002000730065006c006c0020007400680065006d0020006f006e00200074006800650020006400610072006b006e00650074002e000d000a0043006800650063006b0020006f007500740020006f0075007200200077006500620073006900740065002c0020007700650020006a00750073007400200070006f00730074006500640020007400680065007200650020006e006500770020007500700064006100740065007300200066006f00720020006f0075007200200070006100720074006e006500720073003a00200068007400740070003a002f002f0070007900730061003200620069007400630035006c00640065007900660061006b00340073006500650072007500710079006d0071007300340073006a00350077007400350071006b0063007100370061006f00790067003400680032006100630071006900650079007700610064002e006f006e0069006f006e002f000d000a002d002d002d002d002d002d002d002d002d002d002d002d002d002d000d000a000d000a004600410051003a000d000a000d000a0031002e000d000a0020002000200051003a00200048006f0077002000630061006e002000490020006d0061006b00650020007300750072006500200079006f007500200064006f006e0027007400200066006f006f006c0069006e00670020006d0065003f000d000a0020002000200041003a00200059006f0075002000630061006e002000730065006e006400200075007300200032002000660069006c006500730028006d0061007800200032006d00620029002e000d000a000d000a0032002e000d000a0020002000200051003a0020005700680061007400200074006f00200064006f00200074006f002000670065007400200061006c006c002000640061007400610020006200610063006b003f000d000a0020002000200041003a00200044006f006e0027007400200072006500730074006100720074002000740068006500200063006f006d00700075007400650072002c00200064006f006e002700740020006d006f00760065002000660069006c0065007300200061006e0064002000770072006900740065002000750073002e000d000a000d000a0033002e000d000a0020002000200051003a0020005700680061007400200074006f002000740065006c006c0020006d007900200062006f00730073003f000d000a0020002000200041003a002000500072006f007400650063007400200059006f00750072002000530079007300740065006d00200041006d00690067006f002e000d000a000d000a000000	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = 50005900530041000000	2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe

C:\Users\Admin\AppData\Local\Temp\2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-06_4dc8cae2cfff6ac862aea48b014937bb_luca-stealer_mespinoza.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1486

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\update.bat

Filesize
343B

MD5
6c8ead19c98b7ab419ccfc9957477247

SHA1
2f0d2325ab001ec2f982d36ca3d2d5b3cd416ca3

SHA256
48c2750aa53facccd5a60741df9ecd4fc6695b75e4015a9542493b543994ad49

SHA512
d4c37882c3f850405e138e6567a176c39efe8b7653812a57901acacf26c24c7924579787692a4860555db7e4226fc516aaa2157fcc46074eb79cfc6308f823ca

Download Submit
C:\Users\Readme.README

Filesize
895B

MD5
2b6d1c5b5de83cc5932ae40b86d60875

SHA1
c5d85f44181eebb98e6fa398a7239d8c2aef716a

SHA256
7c754b4dad557bbd282e3d956a24cf477e7c3782a9ef792b833be919d6a89445

SHA512
71e0dbb9342586560fcf63b3bdc5813d1c48cf59ddc4e4e21745c057e2ddb77460cf8407a717884b84aafca91fa5ce88fc696ea02ae343a4e21b28e8a1740c4e

Download Submit