Overview

overview

10

Static

static

10

a864282fea...c6.exe

windows7-x64

10

a864282fea...c6.exe

windows10-2004-x64

10

Resubmissions

18/09/2024, 11:32

240918-nnb8pazajl 10

19/11/2023, 08:48

231119-kqevtahc94 10

19/11/2023, 08:33

231119-kf81xaab91 10

19/11/2023, 08:31

231119-kenzcaab9x 10

16/11/2023, 13:30

231116-qrvkjsdd8t 10

Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    19/11/2023, 08:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe

  • Size

    1.2MB

  • MD5

    0c8e88877383ccd23a755f429006b437

  • SHA1

    69b3d913a3967153d1e91ba1a31ebed839b297ed

  • SHA256

    a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6

  • SHA512

    ba5296a84b7107b293d1afd4752157edaa1a3f1059685ecad2ddea9b9221ee9c8092ce5cae6f2f6a4866e25ca0bf66dd3fbc0786b2a26cb708d2cd536dd85041

  • SSDEEP

    24576:utP7hdO1s6Skscec1SgnyN9HPFCCNhQI6GOfaFVIVrYwcMavDiZn3m75/J7:gLO1qkscec0gnyN9HPFCCNSI6GOfaFVp

Score
10/10
rhysidaransomwarespywarestealer

Malware Config

Signatures

  • Detect Rhysida ransomware 3 IoCs
  • Rhysida

    Rhysida is a ransomware that is written in C++ and discovered in 2023.

    ransomwarerhysida
  • Renames multiple (661) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe
    "C:\Users\Admin\AppData\Local\Temp\a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v Wallpaper /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Windows\system32\cmd.exe
        cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v Wallpaper /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:940
        • C:\Windows\system32\reg.exe
          reg delete "HKCU\Conttol Panel\Desktop" /v Wallpaper /f
          4⤵
            PID:560
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:696
        • C:\Windows\system32\cmd.exe
          cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3052
          • C:\Windows\system32\reg.exe
            reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
            4⤵
              PID:2124
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:884
          • C:\Windows\system32\cmd.exe
            cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1900
            • C:\Windows\system32\reg.exe
              reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
              4⤵
                PID:2088
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1672
            • C:\Windows\system32\cmd.exe
              cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1772
              • C:\Windows\system32\reg.exe
                reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
                4⤵
                  PID:1192
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:836
              • C:\Windows\system32\cmd.exe
                cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2012
                • C:\Windows\system32\reg.exe
                  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
                  4⤵
                  • Sets desktop wallpaper using registry
                  PID:1120
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2064
              • C:\Windows\system32\cmd.exe
                cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2400
                • C:\Windows\system32\reg.exe
                  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
                  4⤵
                    PID:1748
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2296
                • C:\Windows\system32\cmd.exe
                  cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2544
                  • C:\Windows\system32\reg.exe
                    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
                    4⤵
                      PID:876
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
                  2⤵
                    PID:2504
                    • C:\Windows\system32\cmd.exe
                      cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
                      3⤵
                        PID:3056
                        • C:\Windows\system32\reg.exe
                          reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
                          4⤵
                            PID:2532
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c rundll32.exe user32.dll,UpdatePerUserSystemParameters
                        2⤵
                          PID:3064
                          • C:\Windows\system32\rundll32.exe
                            rundll32.exe user32.dll,UpdatePerUserSystemParameters
                            3⤵
                              PID:2056
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp\a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe" -ErrorAction SilentlyContinue;
                            2⤵
                              PID:2040
                              • C:\Windows\system32\cmd.exe
                                cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp\a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe" -ErrorAction SilentlyContinue;
                                3⤵
                                  PID:1604
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp\a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe" -ErrorAction SilentlyContinue;
                                    4⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1580

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • memory/1580-698-0x000000001B480000-0x000000001B762000-memory.dmp

                              Filesize

                              2.9MB

                              Download

                            • memory/1580-699-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

                              Filesize

                              32KB

                              Download

                            • memory/1580-700-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

                              Filesize

                              9.6MB

                              Download

                            • memory/1580-701-0x0000000002A10000-0x0000000002A90000-memory.dmp

                              Filesize

                              512KB

                              Download

                            • memory/1580-702-0x0000000002A10000-0x0000000002A90000-memory.dmp

                              Filesize

                              512KB

                              Download

                            • memory/1580-703-0x0000000002A10000-0x0000000002A90000-memory.dmp

                              Filesize

                              512KB

                              Download

                            • memory/1580-704-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

                              Filesize

                              9.6MB

                              Download

                            • memory/1580-705-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

                              Filesize

                              9.6MB

                              Download

                            • memory/2180-691-0x0000000000400000-0x0000000000522000-memory.dmp

                              Filesize

                              1.1MB

                              Download

                            • memory/2180-692-0x0000000000400000-0x0000000000522000-memory.dmp

                              Filesize

                              1.1MB

                              Download

                            • memory/2180-693-0x0000000000400000-0x0000000000522000-memory.dmp

                              Filesize

                              1.1MB

                              Download