rhysida | 687459d587df273184469f7e707c0e5db8fe4e3d4b15756d666891127851680b

Resubmissions

18/09/2024, 11:32

240918-nnb8pazajl 10

19/11/2023, 08:48

19/11/2023, 08:33

19/11/2023, 08:31

16/11/2023, 13:30

Analysis

max time kernel
530s
max time network
364s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
19/11/2023, 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe
Size

1.2MB
MD5

0c8e88877383ccd23a755f429006b437
SHA1

69b3d913a3967153d1e91ba1a31ebed839b297ed
SHA256

a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6
SHA512

ba5296a84b7107b293d1afd4752157edaa1a3f1059685ecad2ddea9b9221ee9c8092ce5cae6f2f6a4866e25ca0bf66dd3fbc0786b2a26cb708d2cd536dd85041
SSDEEP

24576:utP7hdO1s6Skscec1SgnyN9HPFCCNhQI6GOfaFVIVrYwcMavDiZn3m75/J7:gLO1qkscec0gnyN9HPFCCNSI6GOfaFVp

Score

10^/10

rhysida ransomware spyware stealer

Malware Config

Signatures

Detect Rhysida ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/3048-696-0x0000000000400000-0x0000000000522000-memory.dmp	family_rhysida
behavioral1/memory/3048-1206-0x0000000000400000-0x0000000000522000-memory.dmp	family_rhysida

Rhysida
Rhysida is a ransomware that is written in C++ and discovered in 2023.
ransomware rhysida
Renames multiple (666) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3744	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3744	AcroRd32.exe
3744	AcroRd32.exe
3744	AcroRd32.exe
1720	AcroRd32.exe
1720	AcroRd32.exe
1720	AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe
"C:\Users\Admin\AppData\Local\Temp\a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe"
1⤵
PID:3048

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\CriticalBreachDetected.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3744

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:4088

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Public\Desktop\CriticalBreachDetected.pdf"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\CriticalBreachDetected.pdf

Filesize
34KB

MD5
1d46ad90f66560050686f1dda381a6af

SHA1
399e868c010a0453fd19c39ab7ddbd0294258ca9

SHA256
d16fffe21e66ae6b976c4ea7c8fcd37ca7b624961430144117eaa989e02fced1

SHA512
96af5adecd5aea2a38272c47fa4c256ad0e8986a7bab34e9b132610db8c90005d65984dcb7e93d24366c91c3f23442f623340dd14d4eba3de1fb0d7a737c9e6f

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst

Filesize
7KB

MD5
56a3b9a3768ba32cd712688d0ad21af7

SHA1
5aa194ffaa91c34c10776b46b77c5da9ee2f33a2

SHA256
42f2e8872c4c0ef8e467d7772ca023ac6c75579ea52d5fff9778393021b1d569

SHA512
f2d2183e7f73176bf71d895d02703042b97c82e55371842f8554dff3f86a3994fdc9eb270ae25ef03ab011abf2196291bc7746c7ffaa4d1731de119e2124ce58

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\AdobeCMapFnt09.lst

Filesize
520B

MD5
53bd58c6f9e020b598f78cbc1dd3000d

SHA1
cb250e18d3d1c8715fda47c33920f7ea19230be5

SHA256
8d115d2a0eaa709aab9914fa77b042601c5f0fbd6179840f4715ce85323cf47c

SHA512
de61dea0d4760483a24fa4d8ecd4dad9ed93d6a4d267b9fc5cd887aa63e3a8a2974f51e2b3a46068f5111d7a575e8a22ffa38f8b03bf08e26a63fbe97678a30b

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\AdobeSysFnt09.lst

Filesize
135KB

MD5
a3e82779d757fb4faf9cc73237c18b8a

SHA1
ea034b8be607b5244f71e3611aea533aba490177

SHA256
d4c9d7a37ef7b1dfa3411ff02127df69b6aab8f3e08abd8dacdaae5fb9fe0d9a

SHA512
b256f6f0e2566d86188ee56c9cf0e5ad28231a92cbea8368a178347ac75fa653f964340db541bddd7c7de7f66b918f2c51a4e8243b504b475c9ac09dd760c44f

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
afc156169808860651c973d7e79c7db4

SHA1
18ee15783fa018a19a545a83ab70a991f53fa4ae

SHA256
6c50e7ba625fa078a6899340c327032e0aa83b62ff152a6b111aa17ea82f41fe

SHA512
18e7463a6de93affa15ea3330e78b6354b999e17070028b374b8ae6548050f4979470ac6603ba5d0112a0658494e0aebd00c1944a34e183ebe3bcd36ac6580a3

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
8742fa021a7973d8535070856459a5c3

SHA1
30fa13c05600723306bb63031229f712d4677c6d

SHA256
24184b03605c080ffd2e08f5db641821dc95f8df04e146c4e261bc8cc02d26c0

SHA512
fc6511f5d4cf315597a8a8b85c40bdfb778b8b2d71267e178140ec068c1cf6b440bdbe953561e13d36d894cc0277f1c664dccd7632058da679d7f7aafeeb3f3b

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\UserCache.bin

Filesize
70KB

MD5
888b67a2da8bebdd2f7cac38df89583b

SHA1
834eb0a2df7cf2828867b8e5fa1391a9d8b43937

SHA256
a575a8dbef0aa06d55c3fa35d2391d7ba67c9b11ed98cfa737b90c8e99b0836e

SHA512
3e445fec4da57208640a8ba89ca55edeba01b1480456914a74ccc22edf3ce6cccd2eeec129c9df69e9f095f17c31394c97995272275fc66d6719c9af3810496f

Download Submit
C:\Users\Admin\Desktop\CriticalBreachDetected.pdf

Filesize
34KB

MD5
1d46ad90f66560050686f1dda381a6af

SHA1
399e868c010a0453fd19c39ab7ddbd0294258ca9

SHA256
d16fffe21e66ae6b976c4ea7c8fcd37ca7b624961430144117eaa989e02fced1

SHA512
96af5adecd5aea2a38272c47fa4c256ad0e8986a7bab34e9b132610db8c90005d65984dcb7e93d24366c91c3f23442f623340dd14d4eba3de1fb0d7a737c9e6f

Download Submit
C:\Users\Public\Desktop\CriticalBreachDetected.pdf

Filesize
34KB

MD5
1d46ad90f66560050686f1dda381a6af

SHA1
399e868c010a0453fd19c39ab7ddbd0294258ca9

SHA256
d16fffe21e66ae6b976c4ea7c8fcd37ca7b624961430144117eaa989e02fced1

SHA512
96af5adecd5aea2a38272c47fa4c256ad0e8986a7bab34e9b132610db8c90005d65984dcb7e93d24366c91c3f23442f623340dd14d4eba3de1fb0d7a737c9e6f

Download Submit
memory/3048-696-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/3048-1206-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4088-1230-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download