nefilim | 2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c

General

Target

2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
Size

3.3MB
MD5

1341f07df1c2c4841f1b0dc6641676f7
SHA1

9aedf3b45bb430358aefb81fb15ea93387d47436
SHA256

2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c
SHA512

eab98a1a6632ce3cd940e219c218ec9704469aafe9bf5817a5397351cdf18a25dc69544d7051b416f46e4a1da74c3ef39f6a9750181084f522f9c876a54a0626

Score

10^/10

nefilim ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\NEFILIM-HELP.txt

Ransom Note

Two things have happened to your company. ========================================================================================================================== Gigabytes of archived files that we deemed valuable or sensitive were downloaded from your network to a secure location. When you contact us we will tell you how much data was downloaded and can provide extensive proof of the data extraction. You can analyze the type of the data we download on our websites. If you do not contact us we will start leaking the data periodically in parts. ========================================================================================================================== We have also encrypted files on your computers with military grade algorithms. If you don't have extensive backups the only way to retrieve your data is with our software. Restoration of your data with our software requires a private key which only we possess. ========================================================================================================================== To confirm that our decryption software works send 2 encrypted files from random computers to us via email. You will receive further instructions after you send us the test files. We will make sure you retrieve your data swiftly and securely and your data that we downloaded will be securely deleted when our demands are met. If we do not come to an agreement your data will be leaked on this website. Website: http://corpleaks.net TOR link: http://hxt254aygrsziejn.onion Mail list: [email protected] [email protected] [email protected]

Emails

[email protected]

URLs

http://corpleaks.net

http://hxt254aygrsziejn.onion

Signatures

Nefilim
Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.
ransomware nefilim

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\LimitUnregister.png => C:\Users\Admin\Pictures\LimitUnregister.png.NEFILIM	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File renamed	C:\Users\Admin\Pictures\PingGet.tif => C:\Users\Admin\Pictures\PingGet.tif.NEFILIM	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File renamed	C:\Users\Admin\Pictures\StartSend.png => C:\Users\Admin\Pictures\StartSend.png.NEFILIM	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Admin\Pictures\TraceMove.tiff	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File renamed	C:\Users\Admin\Pictures\TraceMove.tiff => C:\Users\Admin\Pictures\TraceMove.tiff.NEFILIM	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe

Drops desktop.ini file(s) 27 IoCs

Processes:

2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Public\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe

C:\Users\Admin\AppData\Local\Temp\2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe
"C:\Users\Admin\AppData\Local\Temp\2d4b2b807ace9dfc3f13962c65f1b6b9b6ba80394c517729ada50d6302792d9c.bin.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
PID:1840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini

MD5
f6d3bb9555ff6a624c38052c63fcdd7f

SHA1
1a023c2a1aab52abb1c46d48769b040296ae68e6

SHA256
f9faa6fe99d7937b455b2db321c12f6a6bb663512b5bb516b62dac696c740982

SHA512
b0045f6de8e79e7c793d1e6e12f16a12501144452ed97b444bcb27025f8401f338dd00999941a2a68da33a78090f899bc0f8a3b594aa77a4f19f9c0c6e28b6ee

Download Submit

Analysis

Sharing