Hunting Mespinoza/Pysa

Guide on how to successfully hunt down a Mespinoza/Pysa infected Windows machine.

PowerShell Mespinoza/Pysa Hunt

First, find out where the encrypted files are and what extension they carry. This helps pin down exactly which attack hit the Windows system. Below is the query that can be run on the system to check whether any files with a ".pysa" extension exist.

SELECT * FROM file WHERE path LIKE "C:\Users\%%" AND filename LIKE "%.pysa"

Another telling sign that this is a version of Mespinoza/Pysa would be if the antivirus system was turned off during the attack. Run the following query to see if Windows Defender was turned off during the attack.

SELECT channel, data, datetime FROM windows_eventlog WHERE channel="Application" AND eventid="15" AND data LIKE "%%SNOOZED%%"

With this information, it can be confirmed that the attack took place on March 28, 2022. Check other Windows Logs that took place using this query.

SELECT * FROM windows_eventlog WHERE channel="Security" AND datetime LIKE "2022-03-28%%";
SELECT * FROM windows_eventlog WHERE channel="Application" AND datetime LIKE "2022-03-28%%";
SELECT * FROM windows_eventlog WHERE channel="System" AND datetime LIKE "2022-03-28%%"

These queries pull all of the Windows system's logs from March 28, 2022. From there, start looking for other suspicious logs in that time frame. If nothing looks suspicious, use this Sophos source to take a peek at the suspicious Event IDs worth checking. For example, run the query below to see if the Event Log service was ever stopped during that day.

SELECT * FROM windows_eventlog WHERE channel="Security" AND eventid="1100" AND datetime LIKE "2022-03-28%%"

Next, check the system registry keys to see if the banner for the ransomware was put in there. Use the following query to pull the system registry keys to check for "legalnoticecaption" and "legalnoticetext".

SELECT data, path FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' AND path LIKE "%%legal%%"

This helps further confirm that it is a version of Pysa that was run on the Windows 10 system. Note that the message includes Proton email addresses, which is commonly found in Mespinoza/Pysa attacks. The message also contains broken English, another common trait of this attack.

Now, try to find out what version of Mespinoza/Pysa was run on the system. Remember, there are three different versions of this ransomware (Python Archive, Windows Executable, and PowerShell versions). Run the following query to check and see if there was any step1.ps1 or step2.ps1 scripts leftover in the Windows Users directory.

SELECT filename, path, mtime FROM file WHERE path LIKE "C:\Users\%%" AND filename LIKE "step%.ps1"

This confirms that the version of Mespinoza/Pysa that was run on the Windows system was the PowerShell variant of the attack. All of the clues picked up from the above queries confirm this. However, what would it look like if the box was hit with the executable version of Mespinoza/Pysa? Run a couple more queries to show what it would look like if it was the executable version.

Executable Mespinoza/Pysa Hunt

In other instances of Mespinoza/Pysa, suspicious executables may be found that are disguised as legitimate ones. For example, it is common to find a fake "svchost.exe" file in the "C:\Windows\Temp" directory. Run a query like the one below to check whether a fake "svchost.exe" exists in "C:\Windows\Temp".

SELECT filename, path, size, uid FROM file WHERE path LIKE "C:\Windows\Temp\%%" AND filename="svchost.exe"

In some instances, the executable will be deleted by a batch script after it is executed. Try searching for "update.bat" in the temp directory with the following query.

SELECT filename, path, size, uid FROM file WHERE path LIKE "C:\Windows\Temp\%%" AND filename="update.bat"
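The PowerShell and executable hunts above can be run as one pass and reduced to a verdict. The script below is an added example, not part of this guide: it runs each query through osqueryi --json (assumed to be on PATH on the Windows host) and applies the guide's reasoning (step*.ps1 scripts point to the PowerShell variant, a fake svchost.exe or update.bat in Temp to the executable variant). The sample rows are constructed, and the date extraction assumes windows_eventlog.datetime starts with YYYY-MM-DD.

```python
import json
import shutil
import subprocess

# Hunt queries from the guide, keyed by the indicator each one evidences.
HUNTS = {
    "encrypted_files": r'SELECT path FROM file WHERE path LIKE "C:\Users\%%" AND filename LIKE "%.pysa"',
    "defender_snoozed": 'SELECT datetime, data FROM windows_eventlog WHERE channel="Application" AND eventid="15" AND data LIKE "%%SNOOZED%%"',
    "eventlog_stopped": 'SELECT datetime FROM windows_eventlog WHERE channel="Security" AND eventid="1100"',
    "legal_notice": r"SELECT path, data FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' AND path LIKE '%%legal%%'",
    "ps1_stages": r'SELECT path, mtime FROM file WHERE path LIKE "C:\Users\%%" AND filename LIKE "step%.ps1"',
    "fake_svchost": r'SELECT path, size FROM file WHERE path LIKE "C:\Windows\Temp\%%" AND filename="svchost.exe"',
    "update_bat": r'SELECT path, size FROM file WHERE path LIKE "C:\Windows\Temp\%%" AND filename="update.bat"',
}

# Constructed sample rows (not real osquery output) so the verdict logic runs offline.
SAMPLE_RESULTS = {
    "encrypted_files": [{"path": r"C:\Users\alice\Documents\report.docx.pysa"}],
    "defender_snoozed": [{"datetime": "2022-03-28T14:03:11Z", "data": "... SNOOZED ..."}],
    "legal_notice": [{"path": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption", "data": "Hi Company"}],
    "ps1_stages": [{"path": r"C:\Users\alice\step1.ps1", "mtime": "1648476000"}],
}

def run_hunts():
    """Run every hunt with `osqueryi --json` on the live host; returns {name: [row, ...]}."""
    results = {}
    for name, sql in HUNTS.items():
        out = subprocess.run(["osqueryi", "--json", sql], capture_output=True, text=True, check=True).stdout
        results[name] = json.loads(out) if out.strip() else []
    return results

def classify(results):
    """Turn hunt rows into the guide's conclusions: which indicators fired, the day(s)
    Defender was snoozed (assumes datetime begins with YYYY-MM-DD), and the likely variant."""
    hits = [name for name, rows in results.items() if rows]
    dates = sorted({row["datetime"][:10] for row in results.get("defender_snoozed", [])})
    if results.get("ps1_stages"):
        variant = "powershell"
    elif results.get("fake_svchost") or results.get("update_bat"):
        variant = "executable"
    elif results.get("encrypted_files"):
        variant = "unknown (encrypted files but no stage scripts or dropped binaries)"
    else:
        variant = "no Pysa indicators"
    return {"indicators": hits, "defender_snoozed_on": dates, "likely_variant": variant}

if __name__ == "__main__":
    live = shutil.which("osqueryi") is not None
    print(json.dumps(classify(run_hunts() if live else SAMPLE_RESULTS), indent=2))
```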
