Analysis

  • max time kernel
    143s
  • max time network
    56s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    27-07-2020 06:55

General

  • Target

    08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641.bin.exe

  • Size

    65KB

  • MD5

    5ff20e2b723edb2d0fb27df4fc2c4468

  • SHA1

    e53d4b589f5c5ef6afd23299550f70c69bc2fe1c

  • SHA256

    08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641

  • SHA512

    cbcb5bda77351902d149608b4df5637347bcd06f26fba83147c4de42b52ae675e3a0761691c19cb0cadc5b03f32cd0810951ba23cf21ebe266f1ec724ffee996

Score
10/10

Malware Config

Extracted

Path

C:\NEFILIM-DECRYPT.txt

Ransom Note
All of your files have been encrypted with military grade algorithms. We ensure that the only way to retrieve your data is with our software. We will make sure you retrieve your data swiftly and securely when our demands are met. Restoration of your data requires a private key which only we possess. A large amount of your private files has been extracted and is kept in a secure location. If you do not contact us within seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted. To confirm that our decryption software works, email us 2 files from random computers. You will receive further instructions after you send us the test files. [email protected] [email protected] [email protected]

Signatures

  • Suspicious use of WriteProcessMemory 6 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • Nefilim

    Ransomware family first seen in early 2020 that shares code with the Nemty family; rewritten in Golang in July 2020.

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

Processes

  • C:\Users\Admin\AppData\Local\Temp\08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641.bin.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Modifies extensions of user files
    PID:3228
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 3 /nobreak && del "C:\Users\Admin\AppData\Local\Temp\08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641.bin.exe" /s /f /q
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 3 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:4084
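The process tree above shows the classic self-deletion pattern: the sample spawns cmd.exe with `timeout /t 3 /nobreak && del "<its own image>"`, so the binary disappears from disk a few seconds after it finishes. Two details matter for detection: the deletion target has to be compared against the parent's image path (not just "cmd.exe calling del"), and because the sample is 32-bit the child cmd.exe actually runs from SysWOW64 even though its command line names System32, so matching on the directory is fragile. The following is an added example, not part of the sandbox report or of Nefilim itself: it runs that logic over a constructed set of process-creation events (Sysmon Event ID 1-style fields; the field names and the benign installer event are assumptions made for the example).

```python
"""Flag a process whose child cmd.exe deletes the parent's own executable
after a timeout, as seen in the Nefilim process tree (added example)."""
import re
from typing import Dict, List, Optional

# Constructed process-creation events shaped like Sysmon Event ID 1 records.
# The first three mirror the sandbox tree; the last is a benign installer
# cleaning up a log file and must not be flagged.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641.bin.exe"
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 3228, "ppid": 900, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2696, "ppid": 3228, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c timeout /t 3 /nobreak && del "{SAMPLE}" /s /f /q'},
    {"pid": 4084, "ppid": 2696, "image": r"C:\Windows\SysWOW64\timeout.exe",
     "cmdline": "timeout /t 3 /nobreak"},
    {"pid": 5100, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c del "C:\Temp\setup.log" /q'},
    {"pid": 4000, "ppid": 1, "image": r"C:\Temp\setup.exe", "cmdline": r'"C:\Temp\setup.exe" /silent'},
]

# `del` followed by either a quoted path or a bare token; trailing switches
# such as /s /f /q may follow the path, as in the sample's command line.
DEL_RE = re.compile(r'\bdel\b\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# `timeout ... /t N` somewhere before the `&&` that chains the delete.
TIMEOUT_RE = re.compile(r'\btimeout\b[^&|]*?/t\s+(\d+)', re.IGNORECASE)


def _norm(path: str) -> str:
    """Case-insensitive, unquoted form of a Windows path for comparison."""
    return path.strip('"').lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def self_delete_findings(events: List[Dict]) -> List[Dict]:
    """Return one finding per cmd.exe that deletes its parent's image.

    Matches on the image basename (cmd.exe) rather than the directory so that
    WOW64 redirection (System32 on the command line, SysWOW64 on disk) does
    not cause a miss.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if _basename(ev["image"]) != "cmd.exe":
            continue
        m = DEL_RE.search(ev["cmdline"])
        if not m:
            continue
        target = _norm(m.group(1) or m.group(2))
        parent = by_pid.get(ev["ppid"])
        if parent is None or target != _norm(parent["image"]):
            continue  # deleting something else; not self-deletion
        t = TIMEOUT_RE.search(ev["cmdline"])
        delay: Optional[int] = int(t.group(1)) if t else None
        findings.append({
            "parent_pid": parent["pid"],
            "parent_image": parent["image"],
            "cmd_pid": ev["pid"],
            "delay_s": delay,
            "rule": "self-deletion via cmd.exe timeout && del",
        })
    return findings


if __name__ == "__main__":
    for f in self_delete_findings(SAMPLE_EVENTS):
        print(f"[{f['rule']}] parent pid {f['parent_pid']} ({f['parent_image']}) "
              f"deleted by cmd pid {f['cmd_pid']} after {f['delay_s']}s")
```

Only the Nefilim chain is reported; the installer event is ignored because its `del` target is a log file, not its parent's executable. In a real pipeline the same comparison should also tolerate short (8.3) and `%TEMP%`-style paths, which this example does not expand.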

Network

MITRE ATT&CK Matrix


Downloads

  • memory/2696-1-0x0000000000000000-mapping.dmp

  • memory/3228-0-0x0000000001410000-0x0000000001494000-memory.dmp

    Filesize

    528KB

  • memory/4084-2-0x0000000000000000-mapping.dmp