Overview

overview

10

Static

static

10

258ddd7865...95.exe

windows7-x64

10

258ddd7865...95.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2024, 01:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    258ddd78655ac0587f64d7146e52549115b67465302c0cbd15a0cba746f05595.exe

  • Size

    418KB

  • MD5

    44c7d18633b5741db270a6bd378b6f3c

  • SHA1

    c1d41db1662289870d9b0172c53612b8a346a0e3

  • SHA256

    258ddd78655ac0587f64d7146e52549115b67465302c0cbd15a0cba746f05595

  • SHA512

    008befc95068a9b50a785aa84b9d2c446344cadf097241de658c9a810b4659a82e1a8edfc8c641b9237f2253d4980fe6b0a2c861b6c7883a82349815d9a34a3d

  • SSDEEP

    6144:SOoLbiZZB2FpUJISUgJBJWR7UGRMFDLkSAGAR1LhT:cy9Z4R7iLBJAR1

Score
10/10
rhysidacredential_accessdiscoveryransomwarespywarestealer

Malware Config

Signatures

  • Detect Rhysida ransomware 3 IoCs
  • Rhysida

    Rhysida is a ransomware that is written in C++ and discovered in 2023.

    ransomwarerhysida
  • Renames multiple (692) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\258ddd78655ac0587f64d7146e52549115b67465302c0cbd15a0cba746f05595.exe
    "C:\Users\Admin\AppData\Local\Temp\258ddd78655ac0587f64d7146e52549115b67465302c0cbd15a0cba746f05595.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1608
      • C:\Windows\system32\cmd.exe
        cmd.exe /c reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:844
        • C:\Windows\system32\reg.exe
          reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f
          4⤵
            PID:696
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2336
        • C:\Windows\system32\cmd.exe
          cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1468
          • C:\Windows\system32\reg.exe
            reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
            4⤵
              PID:1136
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1248
          • C:\Windows\system32\cmd.exe
            cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2220
            • C:\Windows\system32\reg.exe
              reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
              4⤵
                PID:2880
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:444
            • C:\Windows\system32\cmd.exe
              cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2160
              • C:\Windows\system32\reg.exe
                reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
                4⤵
                  PID:2164
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2300
              • C:\Windows\system32\cmd.exe
                cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1344
                • C:\Windows\system32\reg.exe
                  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
                  4⤵
                  • Sets desktop wallpaper using registry
                  PID:2308
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:704
              • C:\Windows\system32\cmd.exe
                cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1288
                • C:\Windows\system32\reg.exe
                  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
                  4⤵
                    PID:1544
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:976
                • C:\Windows\system32\cmd.exe
                  cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:932
                  • C:\Windows\system32\reg.exe
                    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
                    4⤵
                      PID:1360
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
                  2⤵
                    PID:1700
                    • C:\Windows\system32\cmd.exe
                      cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
                      3⤵
                        PID:2152
                        • C:\Windows\system32\reg.exe
                          reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
                          4⤵
                            PID:964
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c rundll32.exe user32.dll,UpdatePerUserSystemParameters
                        2⤵
                          PID:1936
                          • C:\Windows\system32\rundll32.exe
                            rundll32.exe user32.dll,UpdatePerUserSystemParameters
                            3⤵
                              PID:788

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\CriticalBreachDetected.pdf
                          Filesize

                          36KB

                          MD5

                          b0255953ca967ad08d514f93bcfaebd8

                          SHA1

                          1b19f60f698a9731f08e07f2f74fdb952adde675

                          SHA256

                          7a00a9f4ffd1b2149deacecf85f2e8da93468f8448383352ef6713ba062e6cc5

                          SHA512

                          def4f6824f46a973aa7f109a96e69517fdaab6abb2883f50fa6045a6e51b111b75be224185183127553dac2dbd1a39b6edaf67518b0bb6699880351705d86e87

                          Download Submit

                        • memory/2080-1379-0x0000000000400000-0x0000000000478000-memory.dmp

                          Filesize

                          480KB

                          Download

                        • memory/2080-1380-0x0000000000400000-0x0000000000478000-memory.dmp

                          Filesize

                          480KB

                          Download

                        • memory/2080-1382-0x0000000000400000-0x0000000000478000-memory.dmp

                          Filesize

                          480KB

                          Download