Edit tour
Windows
Analysis Report
Iir6rxs8r6.exe
Overview
General Information
| Sample name: | Iir6rxs8r6.exerenamed because original name is a hash value |
| Original sample name: | 3518195c256aa940c607f8534c91b5a9cd453c7417810de3cd4d262e2906d24f.exe |
| Analysis ID: | 1524355 |
| MD5: | 2b825ea77e240d2ab6b6695a602cb07c |
| SHA1: | ae6eb3cce06f666934e03dd46269526e56aff3b1 |
| SHA256: | 3518195c256aa940c607f8534c91b5a9cd453c7417810de3cd4d262e2906d24f |
| Tags: | exeRhysidauser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
Rhysida
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected Rhysida Ransomware
AI detected suspicious sample
Changes the wallpaper picture
Found API chain indicative of debugger detection
Self deletion via cmd or bat file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Ping/Del Command Combination
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Adds / modifies Windows certificates
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a Chrome extension
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potentially Suspicious Desktop Background Change Via Registry
Stores files to the Windows start menu directory
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses reg.exe to modify the Windows registry
Yara detected Keylogger Generic
Classification
- System is w10x64
Iir6rxs8r6.exe (PID: 4852 cmdline: "C:\Users\ user\Deskt op\Iir6rxs 8r6.exe" MD5: 2B825EA77E240D2AB6B6695A602CB07C) 
cmd.exe (PID: 2364 cmdline: C:\Windows \system32\ cmd.exe /c cmd.exe / c reg dele te "HKCU\C ontol Pane l\Desktop" /v Wallpa per /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 3868 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 2348 cmdline:
C:\Windows \system32\ cmd.exe /c cmd.exe / c reg dele te "HKCU\C onttol Pan el\Desktop " /v Wallp aperStyle /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6828 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 5972 cmdline:
C:\Windows \system32\ cmd.exe /c cmd.exe / c reg add "HKCU\Soft ware\Micro soft\Windo ws\Current Version\Po licies\Act iveDesktop " /v NoCha ngingWallP aper /t RE G_SZ /d 1 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 3740 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 2980 cmdline:
cmd.exe /c reg add " HKCU\Softw are\Micros oft\Window s\CurrentV ersion\Pol icies\Acti veDesktop" /v NoChan gingWallPa per /t REG _SZ /d 1 / f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - reg.exe (PID: 3028 cmdline:
reg add "H KCU\Softwa re\Microso ft\Windows \CurrentVe rsion\Poli cies\Activ eDesktop" /v NoChang ingWallPap er /t REG_ SZ /d 1 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4) - cmd.exe (PID: 6832 cmdline:
C:\Windows \system32\ cmd.exe /c cmd.exe / c reg add "HKLM\Soft ware\Micro soft\Windo ws\Current Version\Po licies\Act iveDesktop " /v NoCha ngingWallP aper /t RE G_SZ /d 1 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 1152 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 1620 cmdline:
cmd.exe /c reg add " HKLM\Softw are\Micros oft\Window s\CurrentV ersion\Pol icies\Acti veDesktop" /v NoChan gingWallPa per /t REG _SZ /d 1 / f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - reg.exe (PID: 4216 cmdline:
reg add "H KLM\Softwa re\Microso ft\Windows \CurrentVe rsion\Poli cies\Activ eDesktop" /v NoChang ingWallPap er /t REG_ SZ /d 1 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4) - cmd.exe (PID: 3168 cmdline:
C:\Windows \system32\ cmd.exe /c cmd.exe / c reg add "HKCU\Cont rol Panel\ Desktop" / v Wallpape r /t REG_S Z /d "C:\U sers\Publi c\bg.jpg" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 1276 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7096 cmdline:
cmd.exe /c reg add " HKCU\Contr ol Panel\D esktop" /v Wallpaper /t REG_SZ /d "C:\Us ers\Public \bg.jpg" / f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - reg.exe (PID: 6592 cmdline:
reg add "H KCU\Contro l Panel\De sktop" /v Wallpaper /t REG_SZ /d "C:\Use rs\Public\ bg.jpg" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4) - cmd.exe (PID: 2876 cmdline:
C:\Windows \system32\ cmd.exe /c cmd.exe / c reg add "HKLM\Soft ware\Micro soft\Windo ws\Current Version\Po licies\Sys tem" /v Wa llpaper /t REG_SZ /d "C:\Users \Public\bg .jpg" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 1100 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 3732 cmdline:
cmd.exe /c reg add " HKLM\Softw are\Micros oft\Window s\CurrentV ersion\Pol icies\Syst em" /v Wal lpaper /t REG_SZ /d "C:\Users\ Public\bg. jpg" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - reg.exe (PID: 5192 cmdline:
reg add "H KLM\Softwa re\Microso ft\Windows \CurrentVe rsion\Poli cies\Syste m" /v Wall paper /t R EG_SZ /d " C:\Users\P ublic\bg.j pg" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4) - cmd.exe (PID: 1164 cmdline:
C:\Windows \system32\ cmd.exe /c cmd.exe / c reg add "HKLM\Soft ware\Micro soft\Windo ws\Current Version\Po licies\Sys tem" /v Wa llpaperSty le /t REG_ SZ /d 2 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 1140 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 2232 cmdline:
cmd.exe /c reg add " HKLM\Softw are\Micros oft\Window s\CurrentV ersion\Pol icies\Syst em" /v Wal lpaperStyl e /t REG_S Z /d 2 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - reg.exe (PID: 6860 cmdline:
reg add "H KLM\Softwa re\Microso ft\Windows \CurrentVe rsion\Poli cies\Syste m" /v Wall paperStyle /t REG_SZ /d 2 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4) - cmd.exe (PID: 3512 cmdline:
C:\Windows \system32\ cmd.exe /c cmd.exe / c reg add "HKCU\Cont rol Panel\ Desktop" / v Wallpape rStyle /t REG_SZ /d 2 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 5332 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 1156 cmdline:
C:\Windows \system32\ cmd.exe /c rundll32. exe user32 .dll,Updat ePerUserSy stemParame ters MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 396 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
rundll32.exe (PID: 524 cmdline: rundll32.e xe user32. dll,Update PerUserSys temParamet ers MD5: EF3179D498793BF4234F708D3BE28633) - cmd.exe (PID: 3416 cmdline:
C:\Windows \system32\ cmd.exe /c cmd.exe / c start po wershell.e xe -Window Style Hidd en -Comman d "Sleep - Millisecon ds 1000; s chtasks /d elete /tn Rhsd /f;" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 4464 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 6052 cmdline:
cmd.exe /c start pow ershell.ex e -WindowS tyle Hidde n -Command "Sleep -M illisecond s 1000; sc htasks /de lete /tn R hsd /f;" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) 
powershell.exe (PID: 4064 cmdline: powershell .exe -Wind owStyle Hi dden -Comm and "Sleep -Millisec onds 1000; schtasks /delete /t n Rhsd /f; " MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 2768 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 4104 cmdline:
"C:\Window s\system32 \schtasks. exe" /dele te /tn Rhs d /f MD5: 76CD6626DD8834BD4A42E6A565104DC2) - cmd.exe (PID: 2496 cmdline:
C:\Windows \system32\ cmd.exe /c cmd.exe / c start pi ng 127.0.0 .1 -n 2 > nul && del /f /q "C: \Users\use r\Desktop\ C:\Users\u ser\Deskto p\Iir6rxs8 r6.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6484 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 4792 cmdline:
cmd.exe /c start pin g 127.0.0. 1 -n 2 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - PING.EXE (PID: 4832 cmdline:
ping 127.0 .0.1 -n 2 MD5: 2F46799D79D22AC72C241EC0322B011D) - conhost.exe (PID: 5444 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
Acrobat.exe (PID: 4332 cmdline: "C:\Progra m Files\Ad obe\Acroba t DC\Acrob at\Acrobat .exe" "C:\ Users\user \AppData\R oaming\Mic rosoft\Win dows\Start Menu\Prog rams\Start up\Critica lBreachDet ected.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C) 
AcroCEF.exe (PID: 1448 cmdline: "C:\Progra m Files\Ad obe\Acroba t DC\Acrob at\acrocef _1\AcroCEF .exe" --ba ckgroundco lor=167772 15 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE) - AcroCEF.exe (PID: 180 cmdline:
"C:\Progra m Files\Ad obe\Acroba t DC\Acrob at\acrocef _1\AcroCEF .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --log-seve rity=disab le --user- agent-prod uct="Reade rServices/ 23.6.20320 Chrome/10 5.0.0.0" - -lang=en-U S --log-fi le="C:\Pro gram Files \Adobe\Acr obat DC\Ac robat\acro cef_1\debu g.log" --m ojo-platfo rm-channel -handle=21 04 --field -trial-han dle=1616,i ,341358024 9765337229 ,128007270 5313980885 ,131072 -- disable-fe atures=Bac kForwardCa che,Calcul ateNativeW inOcclusio n,WinUseBr owserSpell Checker /p refetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Rhysida | No Attribution |
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_rhysida | Yara detected Rhysida Ransomware | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_rhysida | Yara detected Rhysida Ransomware | Joe Security |
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems), Tim Shelton: | ||
| Source: | Author: Ilya Krestinichev: | ||
| Source: | Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ): | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Code function: | 0_2_0043E021 | |
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||