Overview

overview

10

Static

static

fb3f622cf5...in.exe

windows7_x64

10

fb3f622cf5...in.exe

windows10_x64

10

Analysis

  • max time kernel
    16s
  • max time network
    25s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    12-06-2021 22:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.bin.exe

  • Size

    3.3MB

  • MD5

    68bb371accb1bc914675c0ab626a9019

  • SHA1

    802a5fc4f1fdfae4a8cf99a4544c191641f9bceb

  • SHA256

    fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7

  • SHA512

    d72af358decda2f2caf1a7f1f6d83d457e0c6156753362a9ae1d3118dbb7706acff019be160028045ca2d22281fae4abf0ffdb6f27680cade0ade634e42bf84f

Score
10/10
nefilimransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\NEFILIM-HELP.txt

Ransom Note
Two things have happened to your company. ========================================================================================================================== Gigabytes of archived files that we deemed valuable or sensitive were downloaded from your network to a secure location. When you contact us we will tell you how much data was downloaded and can provide extensive proof of the data extraction. You can analyze the type of the data we download on our websites. If you do not contact us we will start leaking the data periodically in parts. ========================================================================================================================== We have also encrypted files on your computers with military grade algorithms. If you don't have extensive backups the only way to retrieve your data is with our software. Restoration of your data with our software requires a private key which only we possess. ========================================================================================================================== To confirm that our decryption software works send 2 encrypted files from random computers to us via email. You will receive further instructions after you send us the test files. We will make sure you retrieve your data swiftly and securely and your data that we downloaded will be securely deleted when our demands are met. If we do not come to an agreement your data will be leaked on this website. Website: http://corpleaks.net TOR link: http://hxt254aygrsziejn.onion Mail list: [email protected] [email protected] [email protected]
URLs

http://corpleaks.net

http://hxt254aygrsziejn.onion

Signatures

  • Nefilim

    Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.

    ransomwarenefilim
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops desktop.ini file(s) 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    PID:1632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini
    MD5

    53c5929e3e50b4d25cfa3cf25e673a87

    SHA1

    dbb4319effa8f03925ee4c1c36a3c5e6fac7b5ec

    SHA256

    00c37fdab8b65a92c65bafb3bb73bed08a89d4314bc2af1bedaf70dc4290ddba

    SHA512

    0f5963fe48d85ed825a73c032748327c52ba5e7fde5d29a64ba7ac350fe7f5799278eab2e6cbadc748a84e92ca3805911c075d415835d0f42197feebd125a2c3

    Download Submit