General

  • Target

    f06b905626d742ec5a1eab8027d9097b74fd0413a901d0599eac8555d1f89e50.exe

  • Size

    497KB

  • Sample

    241003-cs1laszcmq

  • MD5

    ddaa09b5c3bf5aa24e300c24905469f2

  • SHA1

    ebedfbe0a696bd87c4e2d27e3448a61f02bab021

  • SHA256

    f06b905626d742ec5a1eab8027d9097b74fd0413a901d0599eac8555d1f89e50

  • SHA512

    a1826d23ef54d75bdee465727f1609a12407923fdf951124f968ab204e92da079a73e71292f2eddb7f2187c169b422bb720df6cb185b8ca26111b324fd555db0

  • SSDEEP

    6144:yFoCbN9uRhQW8HnuYqWrJhN7L6aMFNYkS+D5gtuMf9opagj7T:/qnTp7N78Y5e5gUG9o/

Malware Config

Targets

    • Target

      f06b905626d742ec5a1eab8027d9097b74fd0413a901d0599eac8555d1f89e50.exe

    • Size

      497KB

    • MD5

      ddaa09b5c3bf5aa24e300c24905469f2

    • SHA1

      ebedfbe0a696bd87c4e2d27e3448a61f02bab021

    • SHA256

      f06b905626d742ec5a1eab8027d9097b74fd0413a901d0599eac8555d1f89e50

    • SHA512

      a1826d23ef54d75bdee465727f1609a12407923fdf951124f968ab204e92da079a73e71292f2eddb7f2187c169b422bb720df6cb185b8ca26111b324fd555db0

    • SSDEEP

      6144:yFoCbN9uRhQW8HnuYqWrJhN7L6aMFNYkS+D5gtuMf9opagj7T:/qnTp7N78Y5e5gUG9o/

    • Detect Rhysida ransomware

    • Rhysida

      Rhysida is a ransomware that is written in C++ and discovered in 2023.

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (8127) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

    • Indicator Removal: Clear Persistence

      Clear artifacts associated with previously established persistence like scheduletasks on a host.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks