Edit tour
Windows
Analysis Report
JIar3KCVf6.exe
Overview
General Information
| Sample name: | JIar3KCVf6.exerenamed because original name is a hash value |
| Original sample name: | 9097ab2b2b71f3ea0cf8c9271224b6227e9aa2545ae23d4621f122bdb99c77b8.exe |
| Analysis ID: | 1524364 |
| MD5: | 54416fc42afa9b09ea7e8d8e318f4891 |
| SHA1: | 8c924431049191e763a14503517a9583f070fdeb |
| SHA256: | 9097ab2b2b71f3ea0cf8c9271224b6227e9aa2545ae23d4621f122bdb99c77b8 |
| Tags: | exeRhysidauser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
Rhysida
| Score: | 84 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Rhysida Ransomware
AI detected suspicious sample
Changes the wallpaper picture
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Writes many files with high entropy
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potentially Suspicious Desktop Background Change Via Registry
Stores files to the Windows start menu directory
Uses reg.exe to modify the Windows registry
Classification
- System is w10x64
JIar3KCVf6.exe (PID: 3536 cmdline: "C:\Users\ user\Deskt op\JIar3KC Vf6.exe" MD5: 54416FC42AFA9B09EA7E8D8E318F4891) 
conhost.exe (PID: 1136 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 6784 cmdline:
C:\Windows \system32\ cmd.exe /c cmd.exe / c reg dele te "HKCU\C onttol Pan el\Desktop " /v Wallp aper /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 4608 cmdline:
C:\Windows \system32\ cmd.exe /c cmd.exe / c reg dele te "HKCU\C onttol Pan el\Desktop " /v Wallp aperStyle /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 2840 cmdline:
C:\Windows \system32\ cmd.exe /c cmd.exe / c reg add "HKCU\Soft ware\Micro soft\Windo ws\Current Version\Po licies\Act iveDesktop " /v NoCha ngingWallP aper /t RE G_SZ /d 1 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 6852 cmdline:
cmd.exe /c reg add " HKCU\Softw are\Micros oft\Window s\CurrentV ersion\Pol icies\Acti veDesktop" /v NoChan gingWallPa per /t REG _SZ /d 1 / f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - reg.exe (PID: 940 cmdline:
reg add "H KCU\Softwa re\Microso ft\Windows \CurrentVe rsion\Poli cies\Activ eDesktop" /v NoChang ingWallPap er /t REG_ SZ /d 1 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4) - cmd.exe (PID: 6212 cmdline:
C:\Windows \system32\ cmd.exe /c cmd.exe / c reg add "HKLM\Soft ware\Micro soft\Windo ws\Current Version\Po licies\Act iveDesktop " /v NoCha ngingWallP aper /t RE G_SZ /d 1 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 6044 cmdline:
cmd.exe /c reg add " HKLM\Softw are\Micros oft\Window s\CurrentV ersion\Pol icies\Acti veDesktop" /v NoChan gingWallPa per /t REG _SZ /d 1 / f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - reg.exe (PID: 6048 cmdline:
reg add "H KLM\Softwa re\Microso ft\Windows \CurrentVe rsion\Poli cies\Activ eDesktop" /v NoChang ingWallPap er /t REG_ SZ /d 1 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4) - cmd.exe (PID: 5636 cmdline:
C:\Windows \system32\ cmd.exe /c cmd.exe / c reg add "HKCU\Cont rol Panel\ Desktop" / v Wallpape r /t REG_S Z /d "C:\U sers\Publi c\bg.jpg" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 5408 cmdline:
cmd.exe /c reg add " HKCU\Contr ol Panel\D esktop" /v Wallpaper /t REG_SZ /d "C:\Us ers\Public \bg.jpg" / f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - reg.exe (PID: 616 cmdline:
reg add "H KCU\Contro l Panel\De sktop" /v Wallpaper /t REG_SZ /d "C:\Use rs\Public\ bg.jpg" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4) - cmd.exe (PID: 2688 cmdline:
C:\Windows \system32\ cmd.exe /c cmd.exe / c reg add "HKLM\Soft ware\Micro soft\Windo ws\Current Version\Po licies\Sys tem" /v Wa llpaper /t REG_SZ /d "C:\Users \Public\bg .jpg" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 1880 cmdline:
cmd.exe /c reg add " HKLM\Softw are\Micros oft\Window s\CurrentV ersion\Pol icies\Syst em" /v Wal lpaper /t REG_SZ /d "C:\Users\ Public\bg. jpg" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - reg.exe (PID: 964 cmdline:
reg add "H KLM\Softwa re\Microso ft\Windows \CurrentVe rsion\Poli cies\Syste m" /v Wall paper /t R EG_SZ /d " C:\Users\P ublic\bg.j pg" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4) - cmd.exe (PID: 1908 cmdline:
C:\Windows \system32\ cmd.exe /c cmd.exe / c reg add "HKLM\Soft ware\Micro soft\Windo ws\Current Version\Po licies\Sys tem" /v Wa llpaperSty le /t REG_ SZ /d 2 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 3492 cmdline:
cmd.exe /c reg add " HKLM\Softw are\Micros oft\Window s\CurrentV ersion\Pol icies\Syst em" /v Wal lpaperStyl e /t REG_S Z /d 2 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - reg.exe (PID: 1864 cmdline:
reg add "H KLM\Softwa re\Microso ft\Windows \CurrentVe rsion\Poli cies\Syste m" /v Wall paperStyle /t REG_SZ /d 2 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4) - cmd.exe (PID: 6232 cmdline:
C:\Windows \system32\ cmd.exe /c cmd.exe / c reg add "HKCU\Cont rol Panel\ Desktop" / v Wallpape rStyle /t REG_SZ /d 2 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 1416 cmdline:
C:\Windows \system32\ cmd.exe /c rundll32. exe user32 .dll,Updat ePerUserSy stemParame ters MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) 
rundll32.exe (PID: 1224 cmdline: rundll32.e xe user32. dll,Update PerUserSys temParamet ers MD5: EF3179D498793BF4234F708D3BE28633) - cmd.exe (PID: 5260 cmdline:
C:\Windows \system32\ cmd.exe /c cmd.exe / c start po wershell.e xe -Window Style Hidd en -Comman d Sleep -M illisecond s 500; Rem ove-Item - Force -Pat h "C:\User s\user\Des ktop\C:\Us ers\user\D esktop\JIa r3KCVf6.ex e" -ErrorA ction Sile ntlyContin ue; MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 6712 cmdline:
cmd.exe /c start pow ershell.ex e -WindowS tyle Hidde n -Command Sleep -Mi lliseconds 500; Remo ve-Item -F orce -Path "C:\Users \user\Desk top\C:\Use rs\user\De sktop\JIar 3KCVf6.exe " -ErrorAc tion Silen tlyContinu e; MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) 
powershell.exe (PID: 1492 cmdline: powershell .exe -Wind owStyle Hi dden -Comm and Sleep -Milliseco nds 500; R emove-Item -Force -P ath "C:\Us ers\user\D esktop\C:\ Users\user \Desktop\J Iar3KCVf6. exe" -Erro rAction Si lentlyCont inue; MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 2096 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Rhysida | No Attribution |
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_rhysida | Yara detected Rhysida Ransomware | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_rhysida | Yara detected Rhysida Ransomware | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_rhysida | Yara detected Rhysida Ransomware | Joe Security |
| Source: | Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ): | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||