Overview

overview

10

Static

static

10

a864282fea...c6.exe

windows7-x64

10

a864282fea...c6.exe

windows10-2004-x64

10

Resubmissions

18/09/2024, 11:32

240918-nnb8pazajl 10

19/11/2023, 08:48

231119-kqevtahc94 10

19/11/2023, 08:33

231119-kf81xaab91 10

19/11/2023, 08:31

231119-kenzcaab9x 10

16/11/2023, 13:30

231116-qrvkjsdd8t 10

Analysis

  • max time kernel
    1350s
  • max time network
    1141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/11/2023, 08:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe

  • Size

    1.2MB

  • MD5

    0c8e88877383ccd23a755f429006b437

  • SHA1

    69b3d913a3967153d1e91ba1a31ebed839b297ed

  • SHA256

    a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6

  • SHA512

    ba5296a84b7107b293d1afd4752157edaa1a3f1059685ecad2ddea9b9221ee9c8092ce5cae6f2f6a4866e25ca0bf66dd3fbc0786b2a26cb708d2cd536dd85041

  • SSDEEP

    24576:utP7hdO1s6Skscec1SgnyN9HPFCCNhQI6GOfaFVIVrYwcMavDiZn3m75/J7:gLO1qkscec0gnyN9HPFCCNSI6GOfaFVp

Score
10/10
rhysidaransomwarespywarestealer

Malware Config

Signatures

  • Detect Rhysida ransomware 6 IoCs
  • Rhysida

    Rhysida is a ransomware that is written in C++ and discovered in 2023.

    ransomwarerhysida
  • Renames multiple (1493) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe
    "C:\Users\Admin\AppData\Local\Temp\a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v Wallpaper /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4008
      • C:\Windows\system32\cmd.exe
        cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v Wallpaper /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Windows\system32\reg.exe
          reg delete "HKCU\Conttol Panel\Desktop" /v Wallpaper /f
          4⤵
            PID:1480
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3888
        • C:\Windows\system32\cmd.exe
          cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:940
          • C:\Windows\system32\reg.exe
            reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
            4⤵
              PID:3276
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3012
          • C:\Windows\system32\cmd.exe
            cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1828
            • C:\Windows\system32\reg.exe
              reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
              4⤵
                PID:2164
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2864
            • C:\Windows\system32\cmd.exe
              cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:616
              • C:\Windows\system32\reg.exe
                reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
                4⤵
                  PID:2616
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:3972
              • C:\Windows\system32\cmd.exe
                cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:3272
                • C:\Windows\system32\reg.exe
                  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
                  4⤵
                  • Sets desktop wallpaper using registry
                  PID:4792
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:952
              • C:\Windows\system32\cmd.exe
                cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1356
                • C:\Windows\system32\reg.exe
                  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
                  4⤵
                    PID:1428
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:3876
                • C:\Windows\system32\cmd.exe
                  cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3776
                  • C:\Windows\system32\reg.exe
                    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
                    4⤵
                      PID:2332
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2488
                  • C:\Windows\system32\cmd.exe
                    cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4644
                    • C:\Windows\system32\reg.exe
                      reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
                      4⤵
                        PID:4440
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c rundll32.exe user32.dll,UpdatePerUserSystemParameters
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4424
                    • C:\Windows\system32\rundll32.exe
                      rundll32.exe user32.dll,UpdatePerUserSystemParameters
                      3⤵
                        PID:4668
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp\a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe" -ErrorAction SilentlyContinue;
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3016
                      • C:\Windows\system32\cmd.exe
                        cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp\a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe" -ErrorAction SilentlyContinue;
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3448
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp\a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe" -ErrorAction SilentlyContinue;
                          4⤵
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1848

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nuxsl5j1.mam.ps1
                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    Download Submit

                  • memory/1848-579-0x000001F2EB930000-0x000001F2EB952000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/1848-580-0x00007FFFA14B0000-0x00007FFFA1F71000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1848-581-0x000001F2EB920000-0x000001F2EB930000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1848-582-0x000001F2EB920000-0x000001F2EB930000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1848-585-0x00007FFFA14B0000-0x00007FFFA1F71000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/2888-281-0x0000000000400000-0x0000000000522000-memory.dmp

                    Filesize

                    1.1MB

                    Download

                  • memory/2888-565-0x0000000000400000-0x0000000000522000-memory.dmp

                    Filesize

                    1.1MB

                    Download

                  • memory/2888-566-0x0000000000400000-0x0000000000522000-memory.dmp

                    Filesize

                    1.1MB

                    Download

                  • memory/2888-567-0x0000000000400000-0x0000000000522000-memory.dmp

                    Filesize

                    1.1MB

                    Download

                  • memory/2888-568-0x0000000000400000-0x0000000000522000-memory.dmp

                    Filesize

                    1.1MB

                    Download

                  • memory/2888-569-0x0000000000400000-0x0000000000522000-memory.dmp

                    Filesize

                    1.1MB

                    Download