Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
02/12/2024, 10:27
241202-mg4hxswqbl 1002/12/2024, 10:25
241202-mgevka1jfx 1002/12/2024, 10:24
241202-mfqkns1jdy 1023/06/2023, 02:54
230623-dd7xhabd82 3Analysis
-
max time kernel
46s -
max time network
38s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
02/12/2024, 10:27
Behavioral task
behavioral1
Sample
bad_rhy_mayb.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
bad_rhy_mayb.exe
Resource
win10v2004-20241007-en
General
-
Target
bad_rhy_mayb.exe
-
Size
1.2MB
-
MD5
59a9ca795b59161f767b94fc2dece71a
-
SHA1
b07f6a5f61834a57304ad4d885bd37d8e1badba8
-
SHA256
250e81eeb4df4649ccb13e271ae3f80d44995b2f8ffca7a2c5e1c738546c2ab1
-
SHA512
ec59175002bd9c11c62e83aef2d1b99f883a0f71a151bee5ab1107d3f795b3e5cdd78f13348fd64eed563f6a5df5a0fef3977a8841f4ea4712ff1c2f7e18c222
-
SSDEEP
24576:ztP7hdO1s6Skscec1SgnyN9HPFCCNhQI6GOfaFVIVrYwcMavbiZn3m75/J2:BLO1qkscec0gnyN9HPFCCNSI6GOfaFVc
Malware Config
Signatures
-
Detect Rhysida ransomware 2 IoCs
resource yara_rule behavioral2/memory/4744-0-0x0000000000400000-0x0000000000523000-memory.dmp family_rhysida behavioral2/memory/3936-20-0x0000000000400000-0x0000000000523000-memory.dmp family_rhysida -
Rhysida
Rhysida is a ransomware that is written in C++ and discovered in 2023.
-
Rhysida family
-
pid Process 3532 PowerShell.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk PowerShell.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3532 PowerShell.exe 3532 PowerShell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3532 PowerShell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3532 wrote to memory of 3936 3532 PowerShell.exe 101 PID 3532 wrote to memory of 3936 3532 PowerShell.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\bad_rhy_mayb.exe"C:\Users\Admin\AppData\Local\Temp\bad_rhy_mayb.exe"1⤵PID:4744
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4324
-
C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\AppData\Local\Temp'1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Users\Admin\AppData\Local\Temp\bad_rhy_mayb.exe"C:\Users\Admin\AppData\Local\Temp\bad_rhy_mayb.exe"2⤵PID:3936
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82