Overview

overview

10

Static

static

10

258ddd7865...95.exe

windows7-x64

10

258ddd7865...95.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02/10/2024, 09:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    258ddd78655ac0587f64d7146e52549115b67465302c0cbd15a0cba746f05595.exe

  • Size

    418KB

  • MD5

    44c7d18633b5741db270a6bd378b6f3c

  • SHA1

    c1d41db1662289870d9b0172c53612b8a346a0e3

  • SHA256

    258ddd78655ac0587f64d7146e52549115b67465302c0cbd15a0cba746f05595

  • SHA512

    008befc95068a9b50a785aa84b9d2c446344cadf097241de658c9a810b4659a82e1a8edfc8c641b9237f2253d4980fe6b0a2c861b6c7883a82349815d9a34a3d

  • SSDEEP

    6144:SOoLbiZZB2FpUJISUgJBJWR7UGRMFDLkSAGAR1LhT:cy9Z4R7iLBJAR1

Score
10/10
rhysidacredential_accessdiscoveryransomwarespywarestealer

Malware Config

Signatures

  • Detect Rhysida ransomware 3 IoCs
  • Rhysida

    Rhysida is a ransomware that is written in C++ and discovered in 2023.

    ransomwarerhysida
  • Renames multiple (731) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\258ddd78655ac0587f64d7146e52549115b67465302c0cbd15a0cba746f05595.exe
    "C:\Users\Admin\AppData\Local\Temp\258ddd78655ac0587f64d7146e52549115b67465302c0cbd15a0cba746f05595.exe"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\Windows\system32\cmd.exe
        cmd.exe /c reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1768
        • C:\Windows\system32\reg.exe
          reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f
          4⤵
            PID:1944
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1824
        • C:\Windows\system32\cmd.exe
          cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2560
          • C:\Windows\system32\reg.exe
            reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
            4⤵
              PID:2524
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2068
          • C:\Windows\system32\cmd.exe
            cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2692
            • C:\Windows\system32\reg.exe
              reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
              4⤵
                PID:2404
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1788
            • C:\Windows\system32\cmd.exe
              cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2384
              • C:\Windows\system32\reg.exe
                reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
                4⤵
                  PID:1680
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2064
              • C:\Windows\system32\cmd.exe
                cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1576
                • C:\Windows\system32\reg.exe
                  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
                  4⤵
                  • Sets desktop wallpaper using registry
                  PID:1588
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1684
              • C:\Windows\system32\cmd.exe
                cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2232
                • C:\Windows\system32\reg.exe
                  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
                  4⤵
                    PID:1580
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:588
                • C:\Windows\system32\cmd.exe
                  cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2740
                  • C:\Windows\system32\reg.exe
                    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
                    4⤵
                      PID:2760
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
                  2⤵
                    PID:2716
                    • C:\Windows\system32\cmd.exe
                      cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
                      3⤵
                        PID:2824
                        • C:\Windows\system32\reg.exe
                          reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
                          4⤵
                            PID:2764
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c rundll32.exe user32.dll,UpdatePerUserSystemParameters
                        2⤵
                          PID:2872
                          • C:\Windows\system32\rundll32.exe
                            rundll32.exe user32.dll,UpdatePerUserSystemParameters
                            3⤵
                              PID:2644

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\CriticalBreachDetected.pdf
                          Filesize

                          36KB

                          MD5

                          b0255953ca967ad08d514f93bcfaebd8

                          SHA1

                          1b19f60f698a9731f08e07f2f74fdb952adde675

                          SHA256

                          7a00a9f4ffd1b2149deacecf85f2e8da93468f8448383352ef6713ba062e6cc5

                          SHA512

                          def4f6824f46a973aa7f109a96e69517fdaab6abb2883f50fa6045a6e51b111b75be224185183127553dac2dbd1a39b6edaf67518b0bb6699880351705d86e87

                          Download Submit

                        • C:\Users\Public\bg.jpg
                          Filesize

                          384KB

                          MD5

                          59a2a703a7cbfd58e19ec195bd92927e

                          SHA1

                          df95e24d94c13c6798aa743432d0c3f11033d4fa

                          SHA256

                          31f038578a298dfc641ba0c33f52c994de6a207ca48292b42ed0a4cac4fbe66e

                          SHA512

                          3185767b8997e8af7215cd6c6d25739bd0c4f3b853e0c86f4235adf5ef7e02e13a92210d5fa3918a8e70b750388c2af25331f05f5c05e66334ce62532e031c3e

                          Download Submit

                        • memory/2536-1425-0x0000000000400000-0x0000000000478000-memory.dmp

                          Filesize

                          480KB

                          Download

                        • memory/2536-1426-0x0000000000400000-0x0000000000478000-memory.dmp

                          Filesize

                          480KB

                          Download

                        • memory/2536-1429-0x0000000000400000-0x0000000000478000-memory.dmp

                          Filesize

                          480KB

                          Download