Overview

overview

10

Static

static

fb3f622cf5...in.exe

windows7_x64

10

fb3f622cf5...in.exe

windows10_x64

10

Analysis

  • max time kernel
    12s
  • max time network
    139s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    12-06-2021 22:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.bin.exe

  • Size

    3.3MB

  • MD5

    68bb371accb1bc914675c0ab626a9019

  • SHA1

    802a5fc4f1fdfae4a8cf99a4544c191641f9bceb

  • SHA256

    fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7

  • SHA512

    d72af358decda2f2caf1a7f1f6d83d457e0c6156753362a9ae1d3118dbb7706acff019be160028045ca2d22281fae4abf0ffdb6f27680cade0ade634e42bf84f

Score
10/10
nefilimransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\NEFILIM-HELP.txt

Ransom Note
Two things have happened to your company. ========================================================================================================================== Gigabytes of archived files that we deemed valuable or sensitive were downloaded from your network to a secure location. When you contact us we will tell you how much data was downloaded and can provide extensive proof of the data extraction. You can analyze the type of the data we download on our websites. If you do not contact us we will start leaking the data periodically in parts. ========================================================================================================================== We have also encrypted files on your computers with military grade algorithms. If you don't have extensive backups the only way to retrieve your data is with our software. Restoration of your data with our software requires a private key which only we possess. ========================================================================================================================== To confirm that our decryption software works send 2 encrypted files from random computers to us via email. You will receive further instructions after you send us the test files. We will make sure you retrieve your data swiftly and securely and your data that we downloaded will be securely deleted when our demands are met. If we do not come to an agreement your data will be leaked on this website. Website: http://corpleaks.net TOR link: http://hxt254aygrsziejn.onion Mail list: [email protected] [email protected] [email protected]
URLs

http://corpleaks.net

http://hxt254aygrsziejn.onion

Signatures

  • Nefilim

    Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.

    ransomwarenefilim
  • Modifies extensions of user files 13 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops desktop.ini file(s) 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    PID:3872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini
    MD5

    b9806c4d5930c5485508962232f3da4a

    SHA1

    247a211a5cb92405116d95ceae0cb4af3b421a6b

    SHA256

    499d361b8c4562bff3596e7a85548557112bc6f1ba740745bf92cc4b1dc41f52

    SHA512

    41c20c9c32a74b38589145052c681ee490d8250b498ef32aeeb8db888aa589688cd59eb76cbc668c638d8f3d8921ca67a10085e6c9e228f81cb1133496718108

    Download Submit