Overview

overview

10

Static

static

10

2024-11-21...da.exe

windows7-x64

10

2024-11-21...da.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida

  • Size

    497KB

  • Sample

    241121-b6c7gsslfj

  • MD5

    ddaa09b5c3bf5aa24e300c24905469f2

  • SHA1

    ebedfbe0a696bd87c4e2d27e3448a61f02bab021

  • SHA256

    f06b905626d742ec5a1eab8027d9097b74fd0413a901d0599eac8555d1f89e50

  • SHA512

    a1826d23ef54d75bdee465727f1609a12407923fdf951124f968ab204e92da079a73e71292f2eddb7f2187c169b422bb720df6cb185b8ca26111b324fd555db0

  • SSDEEP

    6144:yFoCbN9uRhQW8HnuYqWrJhN7L6aMFNYkS+D5gtuMf9opagj7T:/qnTp7N78Y5e5gUG9o/

Score
10/10
rhysidacredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Targets

    • Target

      2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida

    • Size

      497KB

    • MD5

      ddaa09b5c3bf5aa24e300c24905469f2

    • SHA1

      ebedfbe0a696bd87c4e2d27e3448a61f02bab021

    • SHA256

      f06b905626d742ec5a1eab8027d9097b74fd0413a901d0599eac8555d1f89e50

    • SHA512

      a1826d23ef54d75bdee465727f1609a12407923fdf951124f968ab204e92da079a73e71292f2eddb7f2187c169b422bb720df6cb185b8ca26111b324fd555db0

    • SSDEEP

      6144:yFoCbN9uRhQW8HnuYqWrJhN7L6aMFNYkS+D5gtuMf9opagj7T:/qnTp7N78Y5e5gUG9o/

    Score
    10/10
    rhysidacredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwarespywarestealer

    • Detect Rhysida ransomware

    • Rhysida

      Rhysida is a ransomware that is written in C++ and discovered in 2023.

      ransomwarerhysida

    • Rhysida family

      rhysida

    • Clears Windows event logs

      evasionransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (8113) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

      defense_evasion

    • Indicator Removal: Clear Persistence

      Clear artifacts associated with previously established persistence like scheduletasks on a host.

      defense_evasion

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Windows Management Instrumentation

1
T1047

Persistence

Power Settings

1
T1653

Privilege Escalation

Defense Evasion

Direct Volume Access

1
T1006

Hide Artifacts

1
T1564

Hidden Window

1
T1564.003

Indicator Removal

4
T1070

Clear Persistence

1
T1070.009

Clear Windows Event Logs

1
T1070.001

File Deletion

2
T1070.004

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

System Time Discovery

1
T1124

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

2
T1490

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.