Overview

overview

10

Static

static

10

fdaefa45c8...f7.exe

windows7_x64

10

fdaefa45c8...f7.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fdaefa45c8679a161c6590b8f5bb735c12c9768172f81c930bb68c93a53002f7

  • Size

    58KB

  • Sample

    220131-3tn7rseca4

  • MD5

    6196c083282e7fe87d8039336e707e73

  • SHA1

    eea8b6f959c6dd33609ff1552521cbe9dc169872

  • SHA256

    fdaefa45c8679a161c6590b8f5bb735c12c9768172f81c930bb68c93a53002f7

  • SHA512

    2c7c653597d89e6c4f7041cfc6a9805f5aa9737ec2978b2231880480fd6f875e1726c3cefa0f3149d5b409a56caf8dd8bd1bc5daee62dab00da1fbcfeabddbbc

Score
10/10
nefilimpersistenceransomware

Malware Config

Extracted

Path

C:\NEFILIM-DECRYPT.txt

Ransom Note
All of your files have been encrypted with military grade algorithms. We ensure that the only way to retrieve your data is with our software. We will make sure you retrieve your data swiftly and securely when our demands are met. Restoration of your data requires a private key which only we possess. A large amount of your private files have been extracted and is kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted. To confirm that our decryption software works email to us 2 files from random computers. You will receive further instructions after you send us the test files. [email protected] [email protected] [email protected]

Targets

    • Target

      fdaefa45c8679a161c6590b8f5bb735c12c9768172f81c930bb68c93a53002f7

    • Size

      58KB

    • MD5

      6196c083282e7fe87d8039336e707e73

    • SHA1

      eea8b6f959c6dd33609ff1552521cbe9dc169872

    • SHA256

      fdaefa45c8679a161c6590b8f5bb735c12c9768172f81c930bb68c93a53002f7

    • SHA512

      2c7c653597d89e6c4f7041cfc6a9805f5aa9737ec2978b2231880480fd6f875e1726c3cefa0f3149d5b409a56caf8dd8bd1bc5daee62dab00da1fbcfeabddbbc

    Score
    10/10
    nefilimransomwarepersistence

    • Nefilim

      Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.

      ransomwarenefilim

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Sets service image path in registry

      persistence

    • Deletes itself

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks