Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13-10-2024 17:17

General

  • Target

    a40b815afce131df6d4bc3f389cb64b742f545481119d3ecb78dda22e546a41a.exe

  • Size

    906KB

  • MD5

    6dd8c26f64df37d0c7645b63c9bba51f

  • SHA1

    9e2d705afad61509a90fd07915d3925aa4a3d997

  • SHA256

    a40b815afce131df6d4bc3f389cb64b742f545481119d3ecb78dda22e546a41a

  • SHA512

    0eb26db5752c6806f8b6f51eb7f311154c6a0a3907563b4f144fc09159996ebb014432c0ed98090356ff9fcd88d3f360d3d4ddb97d0c77cc631c8d86de3006e7

  • SSDEEP

    6144:EYdNbzC+2VEOxgtCoW0RlmQzr7cCJPBv7ameMF8DXUQa1xCSjOT:1iuCoW0RlmQzrQCBv76DXfoxCa

Malware Config

Signatures

  • Detects Rhysida ransom note 1 IoCs
  • Rhysida

    Rhysida is a ransomware that is written in C++ and discovered in 2023.

  • Renames multiple (8129) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a40b815afce131df6d4bc3f389cb64b742f545481119d3ecb78dda22e546a41a.exe
    "C:\Users\Admin\AppData\Local\Temp\a40b815afce131df6d4bc3f389cb64b742f545481119d3ecb78dda22e546a41a.exe"
    1⤵
    • Drops startup file
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd.exe /c start ping 127.0.0.1 -n 2 > nul && del /f /q "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp\a40b815afce131df6d4bc3f389cb64b742f545481119d3ecb78dda22e546a41a.exe"
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start ping 127.0.0.1 -n 2
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1 -n 2
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2632

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\CriticalBreachDetected.pdf

    Filesize

    111KB

    MD5

    93dc030fb16eb16f5f15afb6ce42b1fc

    SHA1

    0ace6ca808c97236dd24470b9b3925416cb55777

    SHA256

    0ba11fb0caa6a8c7b24c5d8dcfb88b2edee9310265f8e4e2c795ec3389c4b225

    SHA512

    1266b09415136ca4ef201527e110f938f50802fa2074796728d7ab0e5868cb1a670f2c2846a46c88d138e83080b7ed1f178e479dd0216bf4c84a31c80d5d078b

  • memory/1904-5730-0x0000000000400000-0x00000000004F2000-memory.dmp

    Filesize

    968KB

  • memory/1904-10368-0x0000000000400000-0x00000000004F2000-memory.dmp

    Filesize

    968KB

  • memory/1904-10369-0x0000000000400000-0x00000000004F2000-memory.dmp

    Filesize

    968KB

  • memory/1904-10370-0x0000000000400000-0x00000000004F2000-memory.dmp

    Filesize

    968KB