Overview

overview

10

Static

static

10

a864282fea...c6.exe

windows7-x64

10

a864282fea...c6.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    687459d587df273184469f7e707c0e5db8fe4e3d4b15756d666891127851680b

  • Size

    436KB

  • Sample

    240918-nvjlcazdjj

  • MD5

    b4df15b5126f301a65ebf0f775304503

  • SHA1

    316fc5db758fea291078a23c97cdf6a9f653a2a5

  • SHA256

    687459d587df273184469f7e707c0e5db8fe4e3d4b15756d666891127851680b

  • SHA512

    e4af16f5234dc037069adccad866e9c794ae0d2bfcc871bfcbaaeeaa83d1060b966c500c1800e2650a3508d994a07d703198bb9c85481ce04b687437a1c565b5

  • SSDEEP

    12288:12zncbhNipABJuK+OuGNkQ7UOklYaQdCSJKm4saHJdA:4ncbapGbZPdATYPyjJdA

Score
10/10
rhysidacredential_accessdefense_evasiondiscoveryexecutionransomwarespywarestealer

Malware Config

Targets

    • Target

      a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6.exe

    • Size

      1.2MB

    • MD5

      0c8e88877383ccd23a755f429006b437

    • SHA1

      69b3d913a3967153d1e91ba1a31ebed839b297ed

    • SHA256

      a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6

    • SHA512

      ba5296a84b7107b293d1afd4752157edaa1a3f1059685ecad2ddea9b9221ee9c8092ce5cae6f2f6a4866e25ca0bf66dd3fbc0786b2a26cb708d2cd536dd85041

    • SSDEEP

      24576:utP7hdO1s6Skscec1SgnyN9HPFCCNhQI6GOfaFVIVrYwcMavDiZn3m75/J7:gLO1qkscec0gnyN9HPFCCNSI6GOfaFVp

    Score
    10/10
    rhysidacredential_accessdefense_evasiondiscoveryexecutionransomwarespywarestealer

    • Detect Rhysida ransomware

    • Rhysida

      Rhysida is a ransomware that is written in C++ and discovered in 2023.

      ransomwarerhysida

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Renames multiple (732) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

      defense_evasion

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks