General
-
Target
3c3db3c02a4d04dcafdc71adb8779b787d31142ffeb9ae0e638f979594897cbf.exe
-
Size
497KB
-
Sample
241014-qym42sxhmf
-
MD5
93be893ff74816c49f2706f222789027
-
SHA1
80de2a5d57c25794a4a379f592621336465edb32
-
SHA256
3c3db3c02a4d04dcafdc71adb8779b787d31142ffeb9ae0e638f979594897cbf
-
SHA512
ce3abd5176e6d36daab4144c434e0ab51ecc7d8b7e772cfc4b0f8843684a80a167c1399e37b2524dbff3d2099e7a20d291f643fb65ff378e9e5ac9dc527499c7
-
SSDEEP
6144:6gVoyb9e9BhzGcIo6gCJv47raqMFdiksMi9agtuMf9opaiYOmDdnT:Vom47ciTt9agUG9oCOmD
Behavioral task
behavioral1
Sample
3c3db3c02a4d04dcafdc71adb8779b787d31142ffeb9ae0e638f979594897cbf.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
3c3db3c02a4d04dcafdc71adb8779b787d31142ffeb9ae0e638f979594897cbf.exe
Resource
win10v2004-20241007-en
Malware Config
Targets
-
-
Target
3c3db3c02a4d04dcafdc71adb8779b787d31142ffeb9ae0e638f979594897cbf.exe
-
Size
497KB
-
MD5
93be893ff74816c49f2706f222789027
-
SHA1
80de2a5d57c25794a4a379f592621336465edb32
-
SHA256
3c3db3c02a4d04dcafdc71adb8779b787d31142ffeb9ae0e638f979594897cbf
-
SHA512
ce3abd5176e6d36daab4144c434e0ab51ecc7d8b7e772cfc4b0f8843684a80a167c1399e37b2524dbff3d2099e7a20d291f643fb65ff378e9e5ac9dc527499c7
-
SSDEEP
6144:6gVoyb9e9BhzGcIo6gCJv47raqMFdiksMi9agtuMf9opaiYOmDdnT:Vom47ciTt9agUG9oCOmD
-
Detect Rhysida ransomware
-
Clears Windows event logs
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (8183) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Hide Artifacts: Hidden Window
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
Indicator Removal: Clear Persistence
Clear artifacts associated with previously established persistence like scheduletasks on a host.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Windows Management Instrumentation
1Defense Evasion
Direct Volume Access
1Hide Artifacts
1Hidden Window
1Indicator Removal
4Clear Persistence
1Clear Windows Event Logs
1File Deletion
2Modify Registry
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1