rhysida | 250e81eeb4df4649ccb13e271ae3f80d44995b2f8ffca7a2c5e1c738546c2ab1

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/12/2024, 10:25

Target

bad_rhy_mayb.exe
Size

1.2MB
MD5

59a9ca795b59161f767b94fc2dece71a
SHA1

b07f6a5f61834a57304ad4d885bd37d8e1badba8
SHA256

250e81eeb4df4649ccb13e271ae3f80d44995b2f8ffca7a2c5e1c738546c2ab1
SHA512

ec59175002bd9c11c62e83aef2d1b99f883a0f71a151bee5ab1107d3f795b3e5cdd78f13348fd64eed563f6a5df5a0fef3977a8841f4ea4712ff1c2f7e18c222
SSDEEP

24576:ztP7hdO1s6Skscec1SgnyN9HPFCCNhQI6GOfaFVIVrYwcMavbiZn3m75/J2:BLO1qkscec0gnyN9HPFCCNSI6GOfaFVc

Score

10^/10

Detect Rhysida ransomware 1 IoCs

resource	yara_rule
behavioral1/memory/2092-0-0x0000000000400000-0x0000000000523000-memory.dmp	family_rhysida

Rhysida
Rhysida is a ransomware that is written in C++ and discovered in 2023.
ransomware rhysida
Rhysida family
rhysida

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 316	2092	bad_rhy_mayb.exe	31
PID 2092 wrote to memory of 316	2092	bad_rhy_mayb.exe	31
PID 2092 wrote to memory of 316	2092	bad_rhy_mayb.exe	31

C:\Users\Admin\AppData\Local\Temp\bad_rhy_mayb.exe
"C:\Users\Admin\AppData\Local\Temp\bad_rhy_mayb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2092 -s 72
  2⤵
  PID:316

memory/2092-0-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download