Analysis

  • max time kernel
    130s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    31-01-2022 23:48

General

  • Target

    df17933406a8f189b5a3ac728e0437ac178a6139ce18d9c25c3ba53b7e8fb712.exe

  • Size

    66KB

  • MD5

    c38cf7a56a285bbd15156032494f2432

  • SHA1

    1b2ca5c1454cd0cf0032e2ae09f8604fb896c580

  • SHA256

    df17933406a8f189b5a3ac728e0437ac178a6139ce18d9c25c3ba53b7e8fb712

  • SHA512

    bd375a8b77eacac3ba2015d11e56f8ece41fe4f45cda1bcdc0b64eda9b6e7988084a5a4870b911ddd51fd4b25415b2d9996fa8ef9a63620c8012f4a8cacabcf0

Malware Config

Extracted

Path

C:\NEFILIM-DECRYPT.txt

Ransom Note
All of your files have been encrypted with military grade algorithms. We ensure that the only way to retrieve your data is with our software. We will make sure you retrieve your data swiftly and securely when our demands are met. Restoration of your data requires a private key which only we possess. A large amount of your private files have been extracted and is kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted. To confirm that our decryption software works email to us 2 files from random computers. You will receive further instructions after you send us the test files. [email protected] [email protected] [email protected]

Signatures

  • Nefilim

    Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.

  • Modifies extensions of user files (12 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Sets service image path in registry (2 TTPs)
  • Drops file in Windows directory (6 IoCs)
  • Modifies data under HKEY_USERS (41 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\df17933406a8f189b5a3ac728e0437ac178a6139ce18d9c25c3ba53b7e8fb712.exe
    "C:\Users\Admin\AppData\Local\Temp\df17933406a8f189b5a3ac728e0437ac178a6139ce18d9c25c3ba53b7e8fb712.exe"
    1⤵
    • Modifies extensions of user files
    PID:4608
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe de26a79fa0f6969090475828d7f7380c z1ytZviW3UWXXe7FFO3Dkg.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:1524
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4944

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/4944-130-0x00000211E5D40000-0x00000211E5D50000-memory.dmp

    Filesize

    64KB

  • memory/4944-131-0x00000211E5DA0000-0x00000211E5DB0000-memory.dmp

    Filesize

    64KB

  • memory/4944-132-0x00000211E8AC0000-0x00000211E8AC4000-memory.dmp

    Filesize

    16KB