General
Target: 2025-04-21_73917ce4037829175bb0330433e79c2b_elex_neshta_rhysida
Size: 462KB
Sample: 250421-mtxk5s1vhx
MD5: 73917ce4037829175bb0330433e79c2b
SHA1: 200214a9cfc1072bc8e7e96b2adc066d15ff26bc
SHA256: 86e75af22f702ba1aaa545708e04cb54468a388e899e259510af9c95b34d80cc
SHA512: c6f774e042706424ae328f0419ab63e7710c31796d167bc44467bc57ffcd0f27116bda245f9c6bf7fe82b50d2d18ab3375eda027861b8091978849c3a9e83b99
SSDEEP: 6144:k9EsosD5w/8+EeIJ/P7xJrMFKIkNEcT3gVv3PmTAzOu5u9brOg:5MTPpP7/IkEw8XnI
Behavioral task: behavioral1
Sample: 2025-04-21_73917ce4037829175bb0330433e79c2b_elex_neshta_rhysida.exe
Resource: win10v2004-20250410-en

Behavioral task: behavioral2
Sample: 2025-04-21_73917ce4037829175bb0330433e79c2b_elex_neshta_rhysida.exe
Resource: win11-20250411-en
Malware Config
Targets
Target: 2025-04-21_73917ce4037829175bb0330433e79c2b_elex_neshta_rhysida (462KB; same hashes as listed under General)
- Detect Neshta payload
- Detect Rhysida ransomware
- Neshta: Malware from the Neshta family infects other executable files in order to spread and cause damage.
- Neshta family
- Rhysida family
- Clears Windows event logs
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (9594) files with added filename extension: This suggests ransomware activity encrypting all the files on the system.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Credentials from Password Stores: Windows Credential Manager: Suspicious access to Credentials History.
- Drops startup file
- Executes dropped EXE
- Modifies system executable filetype association
- Hide Artifacts: Hidden Window: Windows that would typically be displayed when an application carries out an operation can be hidden.
- Indicator Removal: Clear Persistence: Clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.
- Power Settings: powercfg controls all configurable power settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
- Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v16 (technique, number of matching signatures)
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Windows Management Instrumentation (1)
Persistence
  Event Triggered Execution (1)
    Change Default File Association (1)
  Power Settings (1)
Defense Evasion
  Direct Volume Access (1)
  Hide Artifacts (1)
    Hidden Window (1)
  Indicator Removal (4)
    Clear Persistence (1)
    Clear Windows Event Logs (1)
    File Deletion (2)
  Modify Registry (2)
Credential Access
  Credentials from Password Stores (2)
    Credentials from Web Browsers (1)
    Windows Credential Manager (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Discovery
  Browser Information Discovery (1)
  Query Registry (2)
  Remote System Discovery (1)
  System Information Discovery (2)
  System Location Discovery (1)
    System Language Discovery (1)
  System Network Configuration Discovery (1)
    Internet Connection Discovery (1)
  System Time Discovery (1)