Date: 08/20/2024
Severity: Medium
Summary
"Rorschach Ransomware Execution Activity" refers to the actions and behaviors the Rorschach ransomware exhibits while running on an infected host. This ransomware, known for its encryption capabilities and ransom demands, typically encrypts files, spreads across the network, and establishes persistence. Key execution activities may include modifying system settings, creating ransom notes, encrypting user files, and communicating with command-and-control servers. Understanding these activities helps defenders detect, mitigate, and respond to Rorschach ransomware attacks effectively.
Indicators of Compromise (IOC) List

| Field | Values |
| --- | --- |
| Image | '\bcdedit.exe', '\net.exe', '\net1.exe', '\netsh.exe', '\wevtutil.exe', '\vssadmin.exe' |
| CommandLine | '11111111' |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

| Query | Logic |
| --- | --- |
| Detection Query 1 | (((Resourcename in ("Sysmon") AND eventtype = "1") AND image in ("\bcdedit.exe","\net.exe","\net1.exe","\netsh.exe","\wevtutil.exe","\vssadmin.exe")) AND commandline in ("11111111")) |
| Detection Query 2 | (((Technologygroup = "EDR" ) AND image in ("\bcdedit.exe","\net.exe","\net1.exe","\netsh.exe","\wevtutil.exe","\vssadmin.exe")) AND commandline in ("11111111")) |
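The following is an added example, not Gurucul's query engine or the SigmaHQ rule itself, that applies the same two conditions from the IOC list and the detection queries above (process image is one of the listed binaries, command line carries the marker "11111111") to Sysmon Event ID 1 style records so the logic can be validated offline before deployment. It assumes suffix and substring matching with case-insensitive comparison, which is how the referenced Sigma rule is written; the field names, record IDs and sample events are constructed for the example.

```python
"""Offline check of the Rorschach process-creation detection logic.

Added example (not Gurucul's or SigmaHQ's code). It evaluates Sysmon
Event ID 1 style records against the two conditions listed on the page:
the process image ends with one of the listed binary names and the
command line contains the string "11111111". Suffix/substring matching
and case-insensitivity are assumptions taken from the referenced Sigma
rule; the Gurucul queries use "in" lists, so confirm your platform's
semantics before relying on this.
"""
from typing import Iterable, List

# Image names from the page's IOC list (lower-case for comparison).
SUSPICIOUS_IMAGES = (
    r"\bcdedit.exe", r"\net.exe", r"\net1.exe",
    r"\netsh.exe", r"\wevtutil.exe", r"\vssadmin.exe",
)
COMMANDLINE_MARKER = "11111111"


def is_rorschach_activity(event: dict) -> bool:
    """Return True when a process-creation event matches both conditions."""
    # Only Sysmon process-creation events (EventID 1) are in scope.
    if str(event.get("EventID", "")) != "1":
        return False
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    # Both the image-name condition and the command-line marker must hold.
    return image.endswith(SUSPICIOUS_IMAGES) and COMMANDLINE_MARKER in cmdline


def find_matches(events: Iterable[dict]) -> List[str]:
    """Return the RecordIds of the events that trigger the detection."""
    return [str(e.get("RecordId")) for e in events if is_rorschach_activity(e)]


# Constructed sample events (not real telemetry) exercising the rule.
SAMPLE_EVENTS = [
    {"RecordId": "1", "EventID": 1,
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe 11111111"},        # listed image + marker
    {"RecordId": "2", "EventID": 1,
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},     # benign admin use
    {"RecordId": "3", "EventID": 1,
     "Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": "net1 11111111"},                 # listed image + marker
    {"RecordId": "4", "EventID": 3,                   # network event, out of scope
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh 11111111"},
    {"RecordId": "5", "EventID": 1,
     "Image": r"C:\Tools\notepad.exe",
     "CommandLine": "notepad.exe 11111111"},          # marker but unlisted image
]

if __name__ == "__main__":
    for rid in find_matches(SAMPLE_EVENTS):
        print(f"record {rid}: Rorschach ransomware execution activity")
```

When porting this to the TDIR queries, note that `image in (...)` is an exact-value comparison; if your Sysmon or EDR source stores the full path in the image field, the rule needs suffix matching (or a normalized basename field) to fire, which is what the example above assumes.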
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml