General

Target: 06c1428e1a41c30b80a60b5b136d7cb4a8ffb2f4361919ef7f72a6babb223dd3.sample
Size: 199KB
Sample: 210726-3jlzdh6tmj
MD5: 9f39c185c3cb3ea935d829d5280633eb
SHA1: 70b067106ac7a336f68c3d4317fec402c718ce7d
SHA256: 06c1428e1a41c30b80a60b5b136d7cb4a8ffb2f4361919ef7f72a6babb223dd3
SHA512: f70768c093b9fd8a6bb58f882b2a57e3c15f7c54b5eccc424730579cc700be8479ac47fa5cb773a25b5476ba5ce1f4b9ad2e7e6b8356e8e2e04270ca5aad1557
Static task: static1

Behavioral task: behavioral1
Sample: 06c1428e1a41c30b80a60b5b136d7cb4a8ffb2f4361919ef7f72a6babb223dd3.sample.exe
Resource: win7v20210408

Behavioral task: behavioral2
Sample: 06c1428e1a41c30b80a60b5b136d7cb4a8ffb2f4361919ef7f72a6babb223dd3.sample.exe
Resource: win10v20210410
Malware Config

Extracted from: C:\NEMTY_5BGFY7F-DECRYPT.txt
Family: nemty
Payment URLs:
http://nemty.top/public/pay.php
http://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion/public/pay.php

Extracted from: C:\NEMTY_LZHHLEO-DECRYPT.txt
Family: nemty
Payment URLs:
http://nemty.top/public/pay.php
http://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion/public/pay.php

The two behavioral runs dropped the ransom note under different names (NEMTY_5BGFY7F-DECRYPT.txt on win7, NEMTY_LZHHLEO-DECRYPT.txt on win10): the seven-character ID in the filename changes per run, while the clearnet and .onion payment URLs are identical in both notes. Detection and hunting should therefore match the filename pattern NEMTY_<ID>-DECRYPT.txt and the payment hosts rather than a fixed note name.
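The following is an added example of how the "Extracted" block above can be reproduced from a dropped note; it is not code from the report or from the sandbox vendor. Only the note file names and the two payment URLs come from the report. The note body is constructed for illustration, because the page does not show the real wording, and the field names in the returned record are this example's own choice.

```python
"""Extract Nemty-style ransom-note indicators from dropped files.

Added example, not part of the sandbox report. The note body below is
CONSTRUCTED; only the file names and payment URLs come from the report.
"""
import re
from urllib.parse import urlparse

# Note file name pattern seen in both runs: NEMTY_<7 chars>-DECRYPT.txt
NOTE_NAME_RE = re.compile(r"^NEMTY_([A-Z0-9]{7})-DECRYPT\.txt$", re.IGNORECASE)

# Generic URL matcher; covers both clearnet and .onion payment portals.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed note text (the report lists the file names and URLs, not the wording).
CONSTRUCTED_NOTE = """\
Your files are encrypted.
To decrypt them visit:
http://nemty.top/public/pay.php
or via Tor:
http://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion/public/pay.php
"""


def note_id(filename):
    """Return the per-run ID embedded in the note name, or None if it does not match."""
    m = NOTE_NAME_RE.match(filename)
    return m.group(1) if m else None


def extract_config(path, note_text):
    """Build a record like the sandbox 'Extracted' block, or None for non-Nemty names."""
    rid = note_id(path.rsplit("\\", 1)[-1])
    if rid is None:
        return None
    urls = URL_RE.findall(note_text)
    hosts = [urlparse(u).hostname or "" for u in urls]
    return {
        "family": "nemty",
        "note_path": path,
        "note_id": rid,
        "urls": urls,
        "onion_urls": [u for u, h in zip(urls, hosts) if h.endswith(".onion")],
        "clearnet_hosts": sorted({h for h in hosts if not h.endswith(".onion")}),
    }


if __name__ == "__main__":
    for p in (r"C:\NEMTY_5BGFY7F-DECRYPT.txt",
              r"C:\NEMTY_LZHHLEO-DECRYPT.txt",
              r"C:\readme.txt"):
        print(p, "->", extract_config(p, CONSTRUCTED_NOTE))
```

Splitting the hosts into clearnet and .onion matters in practice: the clearnet host (nemty.top) can be blocked or sinkholed at DNS, while the .onion address is only reachable over Tor and is mainly useful for clustering samples.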
Targets

Target: 06c1428e1a41c30b80a60b5b136d7cb4a8ffb2f4361919ef7f72a6babb223dd3.sample
Size: 199KB
MD5: 9f39c185c3cb3ea935d829d5280633eb
SHA1: 70b067106ac7a336f68c3d4317fec402c718ce7d
SHA256: 06c1428e1a41c30b80a60b5b136d7cb4a8ffb2f4361919ef7f72a6babb223dd3
SHA512: f70768c093b9fd8a6bb58f882b2a57e3c15f7c54b5eccc424730579cc700be8479ac47fa5cb773a25b5476ba5ce1f4b9ad2e7e6b8356e8e2e04270ca5aad1557
Score: 10/10
Signatures

Nemty
Ransomware family first observed in 2019 and actively developed and updated since.

suricata: ET MALWARE Win32/Nemty Ransomware Style Geo IP Check M1

Modifies extensions of user files
Ransomware generally appends or changes the extension on the files it encrypts.

Adds Run key to start application
Persistence: the sample registers itself under a CurrentVersion\Run registry key so that it is launched again at logon.

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP; the Suricata alert above fires on the same geolocation check.
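As an added example, not from the report or the sandbox vendor, the three behavioral signatures listed above can be reproduced from a stream of sandbox events. The event records are constructed: the report does not state which extension the sample appends, what Run-key value name it writes, or which IP lookup service it contacts, so those values (the .ABCDEF extension, the "Updater" value, api.ipify.org) and the list of IP-echo hosts are this example's assumptions.

```python
"""Flag the report's behavioral signatures from sandbox events.

Added example, not part of the report. All events below are CONSTRUCTED;
the extension, Run-key value name and IP lookup host are placeholders.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed event stream: (event_type, detail). Real sandbox feeds carry more fields.
CONSTRUCTED_EVENTS = [
    ("file_rename", r"C:\Users\user\Documents\report.docx -> C:\Users\user\Documents\report.docx.ABCDEF"),
    ("file_rename", r"C:\Users\user\Pictures\photo.jpg -> C:\Users\user\Pictures\photo.jpg.ABCDEF"),
    ("file_rename", r"C:\Users\user\Desktop\notes.txt -> C:\Users\user\Desktop\notes.txt.ABCDEF"),
    ("file_write",  r"C:\NEMTY_5BGFY7F-DECRYPT.txt"),
    ("reg_set",     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater = C:\Users\user\AppData\Roaming\sample.exe"),
    ("http_get",    "http://api.ipify.org/"),
    ("http_get",    "http://nemty.top/public/pay.php"),
]

RENAME_RE = re.compile(r"^(.*) -> (.*)$")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Legitimate IP-echo services a detector typically watches (assumed list; the report
# does not say which service this sample used).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com",
                   "ifconfig.me", "checkip.amazonaws.com"}


def extension_changes(events):
    """Count extensions appended to files under \\Users\\ by rename events."""
    counts = Counter()
    for kind, detail in events:
        if kind != "file_rename":
            continue
        m = RENAME_RE.match(detail)
        if not m:
            continue
        src, dst = m.groups()
        if "\\Users\\" in src and dst.startswith(src + "."):
            counts[dst[len(src):]] += 1  # e.g. ".ABCDEF"
    return counts


def run_key_persistence(events):
    """Return registry writes under a Run or RunOnce key."""
    return [d for k, d in events if k == "reg_set" and RUN_KEY_RE.search(d)]


def external_ip_lookups(events):
    """Return URLs fetched from known IP-echo services."""
    hits = []
    for kind, detail in events:
        if kind == "http_get" and (urlparse(detail).hostname or "") in IP_LOOKUP_HOSTS:
            hits.append(detail)
    return hits


def signatures(events, min_files=3):
    """Map the report's signature names to verdicts; min_files limits false positives
    from a single legitimate rename."""
    ext = extension_changes(events)
    return {
        "Modifies extensions of user files": any(n >= min_files for n in ext.values()),
        "Adds Run key to start application": bool(run_key_persistence(events)),
        "Looks up external IP address via web service": bool(external_ip_lookups(events)),
    }


if __name__ == "__main__":
    for name, hit in signatures(CONSTRUCTED_EVENTS).items():
        print(("HIT " if hit else "    ") + name)
```

The extension check counts how many user files received the same new suffix instead of matching a known extension, which is what lets it catch a per-run suffix like the per-run note ID; the threshold keeps a single renamed file from tripping the rule.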