Overview

overview

10

Static

static

10

5ab834f599...c6.exe

windows7_x64

10

5ab834f599...c6.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4699462964641792.zip

  • Size

    31KB

  • Sample

    201112-ws7p3ht3an

  • MD5

    f86bc4d1c11a104ec3c305ce5ea8278f

  • SHA1

    d9b1a57189493920d4735b4d03dbac475b8c1915

  • SHA256

    dea93a0cf6e55dcfd1a4b9c10324b0b4edea974cc60878296601e6dc9f16c166

  • SHA512

    97b5234052e06b134eaa86ea5e534b1cd16edb69b03bd0909236c87edc044050274102c4165d9c7c6fc591c252bccbb32c251a670b68cb4c03ee0e3d71768c11

Score
10/10
nefilimransomwareupx

Malware Config

Extracted

Path

C:\NEFILIM-DECRYPT.txt

Ransom Note
All of your files have been encrypted with military grade algorithms. We ensure that the only way to retrieve your data is with our software. We will make sure you retrieve your data swiftly and securely when our demands are met. Restoration of your data requires a private key which only we possess. A large amount of your private files have been extracted and is kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted. To confirm that our decryption software works email to us 2 files from random computers. You will receive further instructions after you send us the test files. [email protected] [email protected] [email protected]

Targets

    • Target

      5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6

    • Size

      35KB

    • MD5

      70e4b9b7a83473687e5784489d556c87

    • SHA1

      1f594456d88591d3a88e1cdd4e93c6c4e59b746c

    • SHA256

      5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6

    • SHA512

      89878d4a72521a9742fe671979065ea210f7c78975040c28c0c5ec4733d90680d71b45bfe5582baf6e4bc62850777b1b2a68ad8e2dcaf95edc19544622855d2c

    Score
    10/10
    nefilimransomware

    • Nefilim

      Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.

      ransomwarenefilim

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Deletes itself

    behavioral1behavioral2

MITRE ATT&CK Matrix

Tasks