General
-
Target
f06b905626d742ec5a1eab8027d9097b74fd0413a901d0599eac8555d1f89e50.exe
-
Size
497KB
-
Sample
241003-cs1laszcmq
-
MD5
ddaa09b5c3bf5aa24e300c24905469f2
-
SHA1
ebedfbe0a696bd87c4e2d27e3448a61f02bab021
-
SHA256
f06b905626d742ec5a1eab8027d9097b74fd0413a901d0599eac8555d1f89e50
-
SHA512
a1826d23ef54d75bdee465727f1609a12407923fdf951124f968ab204e92da079a73e71292f2eddb7f2187c169b422bb720df6cb185b8ca26111b324fd555db0
-
SSDEEP
6144:yFoCbN9uRhQW8HnuYqWrJhN7L6aMFNYkS+D5gtuMf9opagj7T:/qnTp7N78Y5e5gUG9o/
Behavioral task
behavioral1
Sample
f06b905626d742ec5a1eab8027d9097b74fd0413a901d0599eac8555d1f89e50.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f06b905626d742ec5a1eab8027d9097b74fd0413a901d0599eac8555d1f89e50.exe
Resource
win10v2004-20240802-en
Malware Config
Targets
-
-
Target
f06b905626d742ec5a1eab8027d9097b74fd0413a901d0599eac8555d1f89e50.exe
-
Size
497KB
-
MD5
ddaa09b5c3bf5aa24e300c24905469f2
-
SHA1
ebedfbe0a696bd87c4e2d27e3448a61f02bab021
-
SHA256
f06b905626d742ec5a1eab8027d9097b74fd0413a901d0599eac8555d1f89e50
-
SHA512
a1826d23ef54d75bdee465727f1609a12407923fdf951124f968ab204e92da079a73e71292f2eddb7f2187c169b422bb720df6cb185b8ca26111b324fd555db0
-
SSDEEP
6144:yFoCbN9uRhQW8HnuYqWrJhN7L6aMFNYkS+D5gtuMf9opagj7T:/qnTp7N78Y5e5gUG9o/
-
Detect Rhysida ransomware
-
Clears Windows event logs
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (8127) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Hide Artifacts: Hidden Window
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
Indicator Removal: Clear Persistence
Clear artifacts associated with previously established persistence like scheduletasks on a host.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Windows Management Instrumentation
1Defense Evasion
Direct Volume Access
1Hide Artifacts
1Hidden Window
1Indicator Removal
4Clear Persistence
1Clear Windows Event Logs
1File Deletion
2Modify Registry
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1