rhysida | 2b541f122ed0f9d8ba7112bb73472463c6ab449aa232b4a91ecd94e2af6099e5

General

Target

sus-exe/temp/start.exe
Size

905KB
MD5

f6e5f0ed974c89e2b4a47989fc987c79
SHA1

1906b34b2b7b30abeea67cf5bd1bd895624d2702
SHA256

d7ba9881345d71862a68080d210643e2c2d3e17fd13065385edcd3b3391898c3
SHA512

f16de7dba20b7443b4c19bed4ed9e8ae82bda2b4b352cbac0aeddc26b18a583ccf8d6d8177fc061f69ea8789a2f224cafef3e01f670aa734695d2a31fc496275
SSDEEP

6144:/I99bj5oxq4BhArStlw0vRK/NMMmJZ/76jOMFMJnUm5cOgdVzOTeE:7IStlw0vRK/6h/7tJnLhgXXE

Score

10^/10

rhysida ransomware spyware stealer

Malware Config

Signatures

Rhysida
Rhysida is a ransomware that is written in C++ and discovered in 2023.
ransomware rhysida
Renames multiple (8617) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Drops startup file 1 IoCs

Processes:

start.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CriticalBreachDetected.pdf start.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CriticalBreachDetected.pdf	start.exe

Drops file in Program Files directory 64 IoCs

Processes:

start.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN022.XML.rhysida	start.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-ms.rhysida	start.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\CriticalBreachDetected.pdf	start.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\he-il\CriticalBreachDetected.pdf	start.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-ma\CriticalBreachDetected.pdf	start.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-si\CriticalBreachDetected.pdf	start.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\CriticalBreachDetected.pdf	start.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\wordmui.msi.16.en-us.tree.dat.rhysida	start.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\CriticalBreachDetected.pdf	start.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\CriticalBreachDetected.pdf	start.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\dd_arrow_small.png.rhysida	start.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\fr.pak.rhysida	start.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\CriticalBreachDetected.pdf	start.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ca-es\CriticalBreachDetected.pdf	start.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\CriticalBreachDetected.pdf	start.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.rhysida	start.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\CriticalBreachDetected.pdf	start.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\jfxswt.jar.rhysida	start.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-white\CriticalBreachDetected.pdf	start.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_organize_18.svg.rhysida	start.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\AccessMessageDismissal.txt.rhysida	start.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fr-fr\CriticalBreachDetected.pdf	start.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ne.pak.rhysida	start.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\eu-es\ui-strings.js.rhysida	start.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\CriticalBreachDetected.pdf	start.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms.rhysida	start.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-pl.xrm-ms.rhysida	start.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\CriticalBreachDetected.pdf	start.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down-pressed.gif.rhysida	start.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\ui-strings.js.rhysida	start.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ro.pak.rhysida	start.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\dcfmui.msi.16.en-us.tree.dat.rhysida	start.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms.rhysida	start.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\CriticalBreachDetected.pdf	start.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md.rhysida	start.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\vlc.mo.rhysida	start.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\Videos\CriticalBreachDetected.pdf	start.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adobe_spinner.gif.rhysida	start.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\ui-strings.js.rhysida	start.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sk-sk\CriticalBreachDetected.pdf	start.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt.rhysida	start.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\NIRMALAB.TTF.rhysida	start.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL115.XML.rhysida	start.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.rhysida	start.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\CriticalBreachDetected.pdf	start.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\CriticalBreachDetected.pdf	start.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.rhysida	start.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\CriticalBreachDetected.pdf	start.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\ui-strings.js.rhysida	start.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\de-de\ui-strings.js.rhysida	start.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\CriticalBreachDetected.pdf	start.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\PREVIEW.GIF.rhysida	start.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms.rhysida	start.exe
File created	C:\Program Files\VideoLAN\VLC\skins\CriticalBreachDetected.pdf	start.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nb-NO\View3d\CriticalBreachDetected.pdf	start.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reportabuse-default_18.svg.rhysida	start.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml.rhysida	start.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	start.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms.rhysida	start.exe
File created	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\AppxMetadata\CriticalBreachDetected.pdf	start.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-cn\ui-strings.js.rhysida	start.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\CriticalBreachDetected.pdf	start.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.92\Locales\sl.pak.rhysida	start.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\lb.pak.rhysida	start.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2200 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

start.exe

pid process

2772 start.exe
2772 start.exe

pid	process
2200	PING.EXE

pid	process
2772	start.exe
2772	start.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

start.execmd.execmd.exe

description	pid	process	target process
PID 2772 wrote to memory of 5028	2772	start.exe	cmd.exe
PID 2772 wrote to memory of 5028	2772	start.exe	cmd.exe
PID 5028 wrote to memory of 828	5028	cmd.exe	cmd.exe
PID 5028 wrote to memory of 828	5028	cmd.exe	cmd.exe
PID 828 wrote to memory of 2200	828	cmd.exe	PING.EXE
PID 828 wrote to memory of 2200	828	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\sus-exe\temp\start.exe
"C:\Users\Admin\AppData\Local\Temp\sus-exe\temp\start.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd.exe /c start ping 127.0.0.1 -n 2 > nul && del /f /q "C:\Users\Admin\AppData\Local\Temp\sus-exe\temp\C:\Users\Admin\AppData\Local\Temp\sus-exe\temp\start.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\system32\cmd.exe
    cmd.exe /c start ping 127.0.0.1 -n 2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\CriticalBreachDetected.pdf

Filesize
111KB

MD5
1a89f87fe9f32b46bee6600ff2053647

SHA1
a215d017a30f0f41116dbebe6b13e4d144962408

SHA256
71c8257174b75afb74598a130a806d5272e551ed9f556dbc4dc8e31f83883293

SHA512
f53b63d0ca57ac8180468ee747da727fb478e1ca7761cfa7c54ef4046bc393baf7a1a268c4870b972cc2858970b33f401ad979375d274a7b3ed4c1ab271e784e

Download Submit
memory/2772-5599-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2772-13204-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2772-13205-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2772-13206-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2772-13207-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download

Analysis

Sharing