Analysis
-
max time kernel
934s -
max time network
654s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
25/03/2025, 21:10
General
-
Target
3518195c256aa940c607f8534c91b5a9cd453c7417810de3cd4d262e2906d24f.exe
-
Size
421KB
-
MD5
2b825ea77e240d2ab6b6695a602cb07c
-
SHA1
ae6eb3cce06f666934e03dd46269526e56aff3b1
-
SHA256
3518195c256aa940c607f8534c91b5a9cd453c7417810de3cd4d262e2906d24f
-
SHA512
f2029aec439f4727e96436390027e100df521cd6557797a17d50f82335487b2a91ddc04dbd18fb8df96b3deea776ecf429321a55401b7739b1b4979b58db7e39
-
SSDEEP
6144:/u+2b7RNhPmrpQRF/2lfhOJoe7NzgMFgTkoQj6RgLaDMT:nGyRe7STng6KaD
Malware Config
Signatures
-
Detect Rhysida ransomware 3 IoCs
-
Rhysida
Rhysida is a ransomware that is written in C++ and discovered in 2023.
-
Rhysida family
-
Renames multiple (2619) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Hide Artifacts: Hidden Window 1 TTPs 2 IoCs
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
Indicator Removal: Clear Persistence 1 TTPs 2 IoCs
Clear artifacts associated with previously established persistence like scheduletasks on a host.
-
Drops file in System32 directory 11 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 21 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of SetWindowsHookEx 31 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3518195c256aa940c607f8534c91b5a9cd453c7417810de3cd4d262e2906d24f.exe"C:\Users\Admin\AppData\Local\Temp\3518195c256aa940c607f8534c91b5a9cd453c7417810de3cd4d262e2906d24f.exe"1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f4⤵
- Sets desktop wallpaper using registry
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f2⤵
-
C:\Windows\system32\cmd.execmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rundll32.exe user32.dll,UpdatePerUserSystemParameters2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe user32.dll,UpdatePerUserSystemParameters3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c start powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"2⤵
- Hide Artifacts: Hidden Window
- Indicator Removal: Clear Persistence
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c start powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"3⤵
- Hide Artifacts: Hidden Window
- Indicator Removal: Clear Persistence
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn Rhsd /f5⤵
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c start ping 127.0.0.1 -n 2 > nul && del /f /q "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp\3518195c256aa940c607f8534c91b5a9cd453c7417810de3cd4d262e2906d24f.exe"2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c start ping 127.0.0.1 -n 23⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 24⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Public\bg.jpg" /ForceBootstrapPaint3D1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc1⤵
- Drops file in System32 directory
-
C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dashost.exedashost.exe {81a0eebd-4962-4167-bd617a72906e4ba5}2⤵
-
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Public\bg.jpg"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Public\bg.jpg" /ForceBootstrapPaint3D1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe"1⤵
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe"1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks.exe -v2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks.exe2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks.exe2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /?2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /Query USO_UxBroker2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /Query2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /Query /tn USO_UxBroker2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /Query /tn:USO_UxBroker2⤵
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
1Hidden Window
1Indicator Removal
1Clear Persistence
1Modify Registry
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
477B
MD52dec61ac28917a14a7be42d9dae2e3cf
SHA1dc77df0be664ae82de2ba67d0c6d039958a9bbb0
SHA25618a2a0afea6475d9b833cb0abda2a0ccc32bffff98bee5d16023dfc87b3b7a0a
SHA51261bd09e183f351cf1456c39d164c2f2060587b59d90067affa4370b650a2ca495fb960e8356cf416972b289fb34c84424060f8b14d0c2b8591f19a5b28035f1b
-
Filesize
237B
MD531bac31cc716047e56e4e6f505ae75b4
SHA1a4d96eaf3863b752bfd30254818acc0f11d11c48
SHA2565cad81f62481defe14b7af068fc59b83157c2417efc1eb33e5b4b60fc461c6cf
SHA512e01e01c1453a4c049ab192ba68f6be0b12da6f1b868559b3cba2f8c178dc40db1b911a077c2f6fa25584053e16f009ca26a0901084598467e53504004701249e
-
Filesize
242B
MD5770fe3a45b643c068f120b0a2b7b1254
SHA1f68244768f39e5727d972abaf34dadd524b10116
SHA2566048c6a46ed66699b0c667efac5c7db7f7b6fd564c0690c0e5049b379c7e64b5
SHA5126d7f0aa584912f3a35d4e61e3198b3f56d2256a4b4ac7e7adced8f1e860deff95ae754243aeab452798c6a297c18be138651a93c0a0fa8464b4981cc1e00337e
-
Filesize
236B
MD50cb5fb354a2165c3d5fb19b7cd46b3b5
SHA1ba4a249dbe131f71ff28cfd2d701c186fe6c585a
SHA256630f98a1c1bb985aae5b7acac5afad9c699670d8567cf2a208cddaef480a4581
SHA512320b10e61ae44c47cbea135c28ce528f75af2396f71410be4400ba0a72135784512b9589efc4ed4ff5f3626e877ea7e6fee7103a97948adae099f79544644b5d
-
Filesize
236B
MD563254b896498552b33143561333d44b8
SHA1672124df322836ef37eeca12344ed2a46202ad25
SHA25635f3dcb98c24f82cd95ed0f35a79e4370d896bb00203008be7efa7862230de47
SHA5120283a1f2251c64ed0c1e182e43ac734518ecc9d4b6432fd0b022901a3c8e0a8f97e2e5ec84c6f7f6f0a635ecfe6f5fe7dc7723a4f2308c93bb87c05daada81ef
-
Filesize
909B
MD5a7cb3b83789dd3f8376215f2b023b037
SHA12a3ca5e8655258931bef48c3cc21d319231d8954
SHA25648f278bbed6221e2634b7685f5dab22aa2c6e6898fe5e2515006a0ff811935b0
SHA5120f67aacdf16af179325dc30e7d9a4c45c14deb7db7f7b1a1bec65b314f15d40a5e2d15e8f428a9809a54981bf40379214a0b80375235edb2978242220e8923d9
-
Filesize
309B
MD5f00d3706bde8b94af1bfdc227e8906df
SHA138533839a055a614b2fd5d4f38c1d1e01126e06a
SHA2560404504fc8e3c8af4eeb793a318457a26fbce47013cf1a0b7221f9ec24f78ad7
SHA5126907c4a737e4d9e0fe248710bf6f7e7fbbd70dc66a4b777a6f906e09f10bb1e45bbfb50a0475a8a00ce3c1ee4b6b233e5b4432dabe0272650a429203af5556dc
-
Filesize
749B
MD52006f6b557549bc080e9f1362788b030
SHA190165c0d5c9ed4eccd3400040f4a50770fecb745
SHA25656e966444fe175cf8ebf75069bd5a45a355dcbc50d96317b97e17c33cf072f8d
SHA51202a906ae0f1eedb158f1099bb6809eed57e8943d1e4043b99c25fef68e5696ff0aea150202b22f7d02a76847bce437bb15852992362514892b1964dc1984fb8f
-
Filesize
2KB
MD5f4e4a03ebd0ab3a953c56a300d61d223
SHA197a9acf22c3bdd6989d7c120c21077c4d5a9a80e
SHA25652bfb22aa2d7b0ce083d312fb8fa8dcda3063207186f99fc259aebd9064cbedc
SHA51212aa71eea45720a4d7d057da0b662635671e4cd165ad2e0d30a3d2a43950b47dd60c26c1bbbe049418f815850e571b8d93e4c8b8cbbd686abc3cf7926ba719c2
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
35KB
MD538c9c6953f1fcb83b1e6e04825f3b4db
SHA15af8caf42b0ab98349c5806f5b22d4402a343de7
SHA256dfd0bd7b4e4f84287ab4b19bb77d5308eb29e12e8724f04cb8c2fc6d4fb66d62
SHA5126ba08b5ff206a5bb53c60e62dac872e6473aa419ffed5c09c1cdbb18f1dde7b2ec268df8abc3080fe484a4f0a32d8fec922f65e959f0dbd91fb8a4272e492ed1
-
Filesize
385KB
MD5f7532cd65e297463c9321eff8d3118cd
SHA1f191a4bad27882731287ced00d8f80734c6b765e
SHA256b39b52c14265b5ecd00df61341bbb3b1248d716a230d2f9d5bfcf0529b675074
SHA512f888124e7e900e6fcf3bace46e835d4d9c9d7ead742019661b38e59e27479e2cd45f8f1acf42178913387aef20e15e07d31209cf1da6775b3e8693bb73ccb3fa
-
Filesize
8KB
MD56bdaa6313d98c6692ba2c37976a3ccf9
SHA1475389123a2656eb5a7ebbb79ae5f1316f9f16e3
SHA25640728add632707ff8363750150cd9e79aacd492c20d3487a23e27d8c970d768a
SHA512554cac16cd58944aa8c0e9fed3e420d5f9c012cd0f14dfd1f96617cdd4246f45cef78e4e7a36772915a3d454ae0c703fa0fc608b2e5be56cdb05998932de1f94
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
