Resubmissions
Date               Analysis ID         Score
18/09/2024, 11:32  240918-nnb8pazajl   10
19/11/2023, 08:48  231119-kqevtahc94   10
19/11/2023, 08:33  231119-kf81xaab91   10
19/11/2023, 08:31  231119-kenzcaab9x   10
16/11/2023, 13:30  231116-qrvkjsdd8t   10

Analysis
- max time kernel: 473s
- max time network: 446s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/11/2023, 08:48
Behavioral task: behavioral1
- Sample: a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe
- Resource: win10v2004-20231023-en

General
- Target: a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe
- Size: 1.2MB
- MD5: 0c8e88877383ccd23a755f429006b437
- SHA1: 69b3d913a3967153d1e91ba1a31ebed839b297ed
- SHA256: a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6
- SHA512: ba5296a84b7107b293d1afd4752157edaa1a3f1059685ecad2ddea9b9221ee9c8092ce5cae6f2f6a4866e25ca0bf66dd3fbc0786b2a26cb708d2cd536dd85041
- SSDEEP: 24576:utP7hdO1s6Skscec1SgnyN9HPFCCNhQI6GOfaFVIVrYwcMavDiZn3m75/J7:gLO1qkscec0gnyN9HPFCCNSI6GOfaFVp
Malware Config
Signatures
- Detect Rhysida ransomware (4 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/2316-483-0x0000000000400000-0x0000000000522000-memory.dmp  family_rhysida
  behavioral2/memory/2316-484-0x0000000000400000-0x0000000000522000-memory.dmp  family_rhysida
  behavioral2/memory/2316-485-0x0000000000400000-0x0000000000522000-memory.dmp  family_rhysida
  behavioral2/memory/2316-486-0x0000000000400000-0x0000000000522000-memory.dmp  family_rhysida
  All four hits are the same 0x400000-0x522000 region of PID 2316 (the sample's own process), captured at four successive dump points, so this is one detection rather than four distinct artifacts.
- Rhysida
  Rhysida is a ransomware family written in C++ and first observed in 2023.
- Renames multiple (1695) files with added filename extension
  This is consistent with ransomware encrypting files across the system and appending an extension to each one.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description      ioc                                                                                                                        Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\bg.jpg"  reg.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  4912  powershell.exe
  4912  powershell.exe
  4912  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                     pid   Process
  Token: SeDebugPrivilege         4912  powershell.exe
  Token: SeManageVolumePrivilege  4576  svchost.exe
- Suspicious use of WriteProcessMemory (58 IoCs; every write below is recorded twice in the report, giving 58 entries for 29 distinct writes)
  "sample" in the Process column is a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe
  description                       pid   Process  procid_target
  PID 2316 wrote to memory of 3860  2316  sample   103
  PID 3860 wrote to memory of 548   3860  cmd.exe  104
  PID 548 wrote to memory of 3184   548   cmd.exe  105
  PID 2316 wrote to memory of 4352  2316  sample   106
  PID 4352 wrote to memory of 1592  4352  cmd.exe  107
  PID 1592 wrote to memory of 3564  1592  cmd.exe  108
  PID 2316 wrote to memory of 1876  2316  sample   109
  PID 1876 wrote to memory of 4816  1876  cmd.exe  110
  PID 4816 wrote to memory of 2980  4816  cmd.exe  111
  PID 2316 wrote to memory of 4220  2316  sample   112
  PID 4220 wrote to memory of 4044  4220  cmd.exe  113
  PID 4044 wrote to memory of 4836  4044  cmd.exe  114
  PID 2316 wrote to memory of 3268  2316  sample   115
  PID 3268 wrote to memory of 4168  3268  cmd.exe  116
  PID 4168 wrote to memory of 4500  4168  cmd.exe  117
  PID 2316 wrote to memory of 2224  2316  sample   118
  PID 2224 wrote to memory of 5112  2224  cmd.exe  119
  PID 5112 wrote to memory of 2784  5112  cmd.exe  120
  PID 2316 wrote to memory of 3380  2316  sample   121
  PID 3380 wrote to memory of 4364  3380  cmd.exe  122
  PID 4364 wrote to memory of 2180  4364  cmd.exe  123
  PID 2316 wrote to memory of 4832  2316  sample   124
  PID 4832 wrote to memory of 4416  4832  cmd.exe  125
  PID 4416 wrote to memory of 1068  4416  cmd.exe  126
  PID 2316 wrote to memory of 1724  2316  sample   127
  PID 1724 wrote to memory of 1964  1724  cmd.exe  128
  PID 2316 wrote to memory of 1492  2316  sample   129
  PID 1492 wrote to memory of 3004  1492  cmd.exe  130
  PID 3004 wrote to memory of 4912  3004  cmd.exe  131
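The "Renames multiple (1695) files with added filename extension" signature is a count the sandbox derives from file-system telemetry. The following is an added example of the same check written against rename events, not code from the report or from the sandbox vendor. The events are constructed for the example; the report does not name the appended extension, so ".locked", the PIDs 777 and 888, and the window and threshold values are assumptions.

```python
"""Rename-burst detection for the 'Renames multiple files with added filename
extension' signature. Added example, not from the report; events are constructed
and ".locked" is a placeholder for an extension the report does not name."""
from collections import defaultdict, deque


def added_suffix(old, new):
    """The suffix appended to the file name, or None if the rename was not a pure append."""
    return new[len(old):] if new.startswith(old) and len(new) > len(old) else None


def rename_bursts(events, window_s=10.0, threshold=20):
    """events: (timestamp_s, pid, old_path, new_path). Returns {pid: (burst_size, suffix)}
    for every process that appended one common suffix to >= threshold files inside a
    sliding window of window_s seconds."""
    by_pid = defaultdict(list)
    for ts, pid, old, new in sorted(events):
        suffix = added_suffix(old, new)
        if suffix is not None:          # non-append renames (editor temp files etc.) are ignored
            by_pid[pid].append((ts, suffix))
    hits = {}
    for pid, rows in by_pid.items():
        window, best = deque(), (0, None)
        for ts, suffix in rows:
            window.append((ts, suffix))
            while ts - window[0][0] > window_s:
                window.popleft()
            # Only a run that appends the *same* suffix everywhere counts as the ransomware pattern.
            if len({s for _, s in window}) == 1 and len(window) > best[0]:
                best = (len(window), suffix)
        if best[0] >= threshold:
            hits[pid] = best
    return hits


def constructed_events():
    """Constructed telemetry: one ransomware-like burst plus two benign rename patterns."""
    ev = []
    for i in range(60):   # PID 2316 (assumed): 60 documents get ".locked" appended within six seconds
        p = rf"C:\Users\Admin\Documents\file{i:03}.docx"
        ev.append((100.0 + i * 0.1, 2316, p, p + ".locked"))
    for i in range(3):    # PID 777 (assumed): an editor's save-via-rename; new name is not an append
        ev.append((100.5 + i, 777, rf"C:\Users\Admin\Documents\~draft{i}.tmp",
                   rf"C:\Users\Admin\Documents\draft{i}.docx"))
    for i in range(10):   # PID 888 (assumed): ".bak" appended to backups, but only one every five seconds
        p = rf"C:\Users\Admin\Pictures\img{i}.jpg"
        ev.append((200.0 + i * 5.0, 888, p, p + ".bak"))
    return ev


if __name__ == "__main__":
    print(rename_bursts(constructed_events()))   # {2316: (60, '.locked')}
```

The slow ".bak" process never accumulates more than three renames in any ten-second window, so it stays below the threshold; lowering the threshold to 3 would surface it, which is the usual tuning trade-off for this kind of rule.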
Processes (indented by depth in the process tree; signature hits in brackets; the command line follows each image path)
PID 2316  C:\Users\Admin\AppData\Local\Temp\a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe  [Suspicious use of WriteProcessMemory]
    "C:\Users\Admin\AppData\Local\Temp\a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe"
  PID 3860  C:\Windows\system32\cmd.exe  [Suspicious use of WriteProcessMemory]
      C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v Wallpaper /f
    PID 548  C:\Windows\system32\cmd.exe  [Suspicious use of WriteProcessMemory]
        cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v Wallpaper /f
      PID 3184  C:\Windows\system32\reg.exe
          reg delete "HKCU\Conttol Panel\Desktop" /v Wallpaper /f
  PID 4352  C:\Windows\system32\cmd.exe  [Suspicious use of WriteProcessMemory]
      C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
    PID 1592  C:\Windows\system32\cmd.exe  [Suspicious use of WriteProcessMemory]
        cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
      PID 3564  C:\Windows\system32\reg.exe
          reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
  PID 1876  C:\Windows\system32\cmd.exe  [Suspicious use of WriteProcessMemory]
      C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
    PID 4816  C:\Windows\system32\cmd.exe  [Suspicious use of WriteProcessMemory]
        cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
      PID 2980  C:\Windows\system32\reg.exe
          reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
  PID 4220  C:\Windows\system32\cmd.exe  [Suspicious use of WriteProcessMemory]
      C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
    PID 4044  C:\Windows\system32\cmd.exe  [Suspicious use of WriteProcessMemory]
        cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
      PID 4836  C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
  PID 3268  C:\Windows\system32\cmd.exe  [Suspicious use of WriteProcessMemory]
      C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
    PID 4168  C:\Windows\system32\cmd.exe  [Suspicious use of WriteProcessMemory]
        cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
      PID 4500  C:\Windows\system32\reg.exe  [Sets desktop wallpaper using registry]
          reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
  PID 2224  C:\Windows\system32\cmd.exe  [Suspicious use of WriteProcessMemory]
      C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
    PID 5112  C:\Windows\system32\cmd.exe  [Suspicious use of WriteProcessMemory]
        cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
      PID 2784  C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
  PID 3380  C:\Windows\system32\cmd.exe  [Suspicious use of WriteProcessMemory]
      C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
    PID 4364  C:\Windows\system32\cmd.exe  [Suspicious use of WriteProcessMemory]
        cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
      PID 2180  C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
  PID 4832  C:\Windows\system32\cmd.exe  [Suspicious use of WriteProcessMemory]
      C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
    PID 4416  C:\Windows\system32\cmd.exe  [Suspicious use of WriteProcessMemory]
        cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
      PID 1068  C:\Windows\system32\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  PID 1724  C:\Windows\system32\cmd.exe  [Suspicious use of WriteProcessMemory]
      C:\Windows\system32\cmd.exe /c rundll32.exe user32.dll,UpdatePerUserSystemParameters
    PID 1964  C:\Windows\system32\rundll32.exe
        rundll32.exe user32.dll,UpdatePerUserSystemParameters
  PID 1492  C:\Windows\system32\cmd.exe  [Suspicious use of WriteProcessMemory]
      C:\Windows\system32\cmd.exe /c cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp\a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe" -ErrorAction SilentlyContinue;
    PID 3004  C:\Windows\system32\cmd.exe  [Suspicious use of WriteProcessMemory]
        cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp\a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe" -ErrorAction SilentlyContinue;
      PID 4912  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [Suspicious behavior: EnumeratesProcesses] [Suspicious use of AdjustPrivilegeToken]
          powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp\a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe" -ErrorAction SilentlyContinue;
PID 220  C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
PID 4576  C:\Windows\System32\svchost.exe  [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\System32\svchost.exe -k UnistackSvcGroup
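Three details of the tree above matter for anyone writing detections from it. The two reg delete commands target "HKCU\Conttol Panel\Desktop", a misspelling in the sample's own command lines, so they act on a key that does not exist; the reg add commands that lock the wallpaper (NoChangingWallPaper under Policies\ActiveDesktop) and point it at C:\Users\Public\bg.jpg are the ones that take effect, followed by rundll32 user32.dll,UpdatePerUserSystemParameters to make the desktop re-read them. The final PowerShell self-delete sleeps 500 ms (presumably so the parent has exited) and then calls Remove-Item on a path with the Temp directory prefixed twice, with errors suppressed, so the sample most likely remains on disk. The block below is an added example of process-tree detection logic for this chain; it is not code from the report or from the sandbox vendor. EVENTS is constructed from the command lines and PIDs in the tree; the parent PID 1000, PID 9001 with its benign reg query, the rule names, weights, thresholds and the ATT&CK mapping in the comments are this example's own assumptions.

```python
"""Per-process-tree detection for the wallpaper-defacement and self-delete chain in the
process tree above. Added example, not part of the sandbox report. EVENTS is constructed
from the report's command lines and PIDs; parent PID 1000, PID 9001 and its benign reg
query, and the rule names/weights/thresholds are assumptions made for this example."""
import ntpath
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe")
CMD, REG = r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\reg.exe"
RUNDLL = r"C:\Windows\system32\rundll32.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DEL = r'reg delete "HKCU\Conttol Panel\Desktop" /v Wallpaper /f'   # "Conttol" is the sample's own typo
LOCK = (r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop"'
        r' /v NoChangingWallPaper /t REG_SZ /d 1 /f')
WALL = r'reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f'
REFRESH = "rundll32.exe user32.dll,UpdatePerUserSystemParameters"
# The report's Remove-Item path has the Temp directory prefixed twice; reproduced as-is.
WIPE = ("powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force "
        '-Path "C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '" -ErrorAction SilentlyContinue;')


def three_hop(pids, inner, exe, leaf=None):
    """Launch pattern from the report: cmd /c cmd /c X -> cmd /c X -> X, parented to the sample."""
    a, b, c = pids
    return [(a, 2316, CMD, f"{CMD} /c cmd.exe /c {inner}"),
            (b, a, CMD, f"cmd.exe /c {inner}"),
            (c, b, exe, leaf or inner)]


EVENTS = [  # (pid, ppid, image, command line)
    (2316, 1000, SAMPLE, f'"{SAMPLE}"'),
    *three_hop((3860, 548, 3184), DEL, REG),
    *three_hop((1876, 4816, 2980), LOCK, REG),
    *three_hop((3268, 4168, 4500), WALL, REG),
    (1724, 2316, CMD, f"{CMD} /c {REFRESH}"), (1964, 1724, RUNDLL, REFRESH),
    *three_hop((1492, 3004, 4912), f"start {WIPE}", PS, leaf=WIPE),
    (220, 1000, RUNDLL, r'"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe'),
    (9001, 1000, CMD, r'cmd.exe /c reg query "HKCU\Control Panel\Desktop" /v Wallpaper'),  # benign, assumed
]

RULES = [(name, re.compile(pattern, re.I), weight) for name, pattern, weight in [
    # Mapping assumed for this example: wallpaper lock/set = T1491.001 via T1112.
    ("wallpaper_lock_policy", r'reg\s+add\s+"HK(?:CU|LM)\\[^"]*\\Policies\\ActiveDesktop"\s+/v\s+NoChangingWallPaper', 3),
    ("wallpaper_set_public_path", r'reg\s+add\s+"[^"]*"\s+/v\s+Wallpaper\s.*?/d\s+"C:\\Users\\Public\\', 3),
    ("wallpaper_value_deleted", r'reg\s+delete\s+"[^"]*Desktop"\s+/v\s+Wallpaper(?:Style)?\s+/f', 1),
    ("desktop_settings_refresh", r'rundll32(?:\.exe)?\s+user32\.dll,\s*UpdatePerUserSystemParameters', 1),
    ("nested_cmd_launch", r'cmd\.exe\s+/c\s+cmd\.exe\s+/c\s', 1),
]]


def root_of(pid, by_pid):
    """Walk parent links until the parent is outside the event set; that process is the tree root."""
    seen = set()
    while by_pid[pid][1] in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid][1]
    return pid


def analyze(events):
    """Group rule hits by the root of each chain: {root pid: [(rule, pid, weight)]}."""
    by_pid = {e[0]: e for e in events}
    hits = defaultdict(list)
    for pid, ppid, image, cmdline in events:
        root = root_of(pid, by_pid)
        bucket = hits[root]                    # also creates an empty entry for clean roots
        bucket.extend((name, pid, w) for name, rx, w in RULES if rx.search(cmdline))
        # Self-delete (T1070.004, assumed mapping): a PowerShell descendant told to Remove-Item
        # the root's own image. Match on the file name only, since the path is malformed anyway.
        root_exe = ntpath.basename(by_pid[root][2]).lower()
        low = cmdline.lower()
        if pid != root and image.lower().endswith("powershell.exe") and "remove-item" in low and root_exe in low:
            bucket.append(("self_delete_of_root_image", pid, 4))
    return hits


def verdict(findings):
    """Wallpaper tampering alone is low severity; tampering plus a settings refresh or a
    self-delete from the same root is the defacement pattern the report shows."""
    rules = {name for name, _, _ in findings}
    score = sum({name: w for name, _, w in findings}.values())   # each rule counted once per tree
    if rules & {"wallpaper_lock_policy", "wallpaper_set_public_path"} and \
       rules & {"desktop_settings_refresh", "self_delete_of_root_image"}:
        return "ransomware_defacement_chain", score
    return ("suspicious" if score >= 3 else "clean"), score


def summarize(events):
    """{root pid: (label, score, sorted rule names)}"""
    return {root: (*verdict(f), sorted({n for n, _, _ in f})) for root, f in analyze(events).items()}


if __name__ == "__main__":
    for root, (label, score, rules) in sorted(summarize(EVENTS).items()):
        print(f"root {root}: {label} (score {score}) {rules}")
```

Scoring per root rather than per process is the point: each reg.exe in the tree looks like ordinary administration on its own, and only the combination under one ancestor (PID 2316 here) distinguishes the defacement chain from a user changing their wallpaper. The unrelated rundll32 and svchost processes from the same run, and the benign reg query, stay clean.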
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 34KB
  MD5: 1d46ad90f66560050686f1dda381a6af
  SHA1: 399e868c010a0453fd19c39ab7ddbd0294258ca9
  SHA256: d16fffe21e66ae6b976c4ea7c8fcd37ca7b624961430144117eaa989e02fced1
  SHA512: 96af5adecd5aea2a38272c47fa4c256ad0e8986a7bab34e9b132610db8c90005d65984dcb7e93d24366c91c3f23442f623340dd14d4eba3de1fb0d7a737c9e6f
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82