Analysis

  • max time kernel: 61s
  • max time network: 136s
  • platform: windows10_x64
  • resource: win10v20210408
  • submitted: 26-07-2021 12:59

General

  • Target: d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe
  • Size: 70KB
  • MD5: 8f90539c405672016c0dec7ac3574eea
  • SHA1: bd59d7c734ca2f9cbaf7f12bc851f7dce94955d4
  • SHA256: d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3
  • SHA512: 887131d01da7d7afcff628eb1c81de7b6e6a2bb38167377dd104e175a2fec27d0d1ef0d966b376408d305488e0319b781ff996da3e5be60628088cb369869a94

Score
10/10

Malware Config

Extracted

Path

C:\NEFILIM-DECRYPT.txt

Ransom Note
All of your files have been encrypted with military grade algorithms. We ensure that the only way to retrieve your data is with our software. We will make sure you retrieve your data swiftly and securely when our demands are met. Restoration of your data requires a private key which only we possess. A large amount of your private files have been extracted and is kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted. To confirm that our decryption software works email to us 2 files from random computers. You will receive further instructions after you send us the test files. [email protected] [email protected] [email protected]

Signatures

  • Nefilim

    Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.

  • Modifies extensions of user files 11 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Suspicious use of WriteProcessMemory
    PID:4648
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 3 /nobreak && del "C:\Users\Admin\AppData\Local\Temp\d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe" /s /f /q
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3796
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 3 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:4084

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/3796-114-0x0000000000000000-mapping.dmp

  • memory/4084-115-0x0000000000000000-mapping.dmp