General
-
Target
0bb0e1fcff8ccf54c6f9ecfd4bbb6757f6a25cb0e7a173d12cf0f402a3ae706f.exe
-
Size
421KB
-
Sample
250412-qya5gsvrz8
-
MD5
c9a5e675dbb1f0ce61623f24757a1c72
-
SHA1
560a64721d5a647ffae76febdb6f99bf356dae79
-
SHA256
0bb0e1fcff8ccf54c6f9ecfd4bbb6757f6a25cb0e7a173d12cf0f402a3ae706f
-
SHA512
7471ece9435f9b053c3c109a1692448604bb46428583a0276dd44ec2c0f722b78e08829d15a92a6d5d67d757af302c653778290f3a375ac01dda98093cb1a7a2
-
SSDEEP
6144:pzOu5u9brOPsosD5w/8+EeIJ/P7xJrMFKIkNEcT3gVv3PmT:3DMTPpP7/IkEw8X
Malware Config
Targets
-
-
Target
0bb0e1fcff8ccf54c6f9ecfd4bbb6757f6a25cb0e7a173d12cf0f402a3ae706f.exe
-
Size
421KB
-
MD5
c9a5e675dbb1f0ce61623f24757a1c72
-
SHA1
560a64721d5a647ffae76febdb6f99bf356dae79
-
SHA256
0bb0e1fcff8ccf54c6f9ecfd4bbb6757f6a25cb0e7a173d12cf0f402a3ae706f
-
SHA512
7471ece9435f9b053c3c109a1692448604bb46428583a0276dd44ec2c0f722b78e08829d15a92a6d5d67d757af302c653778290f3a375ac01dda98093cb1a7a2
-
SSDEEP
6144:pzOu5u9brOPsosD5w/8+EeIJ/P7xJrMFKIkNEcT3gVv3PmT:3DMTPpP7/IkEw8X
Score10/10-
Detect Rhysida ransomware
-
Rhysida
Rhysida is a ransomware that is written in C++ and discovered in 2023.
-
Rhysida family
-
Clears Windows event logs
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (9597) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Hide Artifacts: Hidden Window
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
Indicator Removal: Clear Persistence
Clear artifacts associated with previously established persistence like scheduletasks on a host.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v16
Execution
Command and Scripting Interpreter
1PowerShell
1Windows Management Instrumentation
1Defense Evasion
Direct Volume Access
1Hide Artifacts
1Hidden Window
1Indicator Removal
4Clear Persistence
1Clear Windows Event Logs
1File Deletion
2Modify Registry
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1