Analysis

  • max time kernel
    127s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    31-01-2022 23:48

General

  • Target

    bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe

  • Size

    36KB

  • MD5

    644b931e6a016a6146ebe8068f68e4cb

  • SHA1

    87e2ad3e9f1ae9e1340fb3c70013fd6b508e2364

  • SHA256

    bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb

  • SHA512

    683152462a60d24dd9151754ebc5184a4753afbfeb4a86f74d5d815ae1d3738631bd8f89c51fe56b31ddc14a590579233a0a1a5562ba49e5486387be3bb989ba

Malware Config

Extracted

Path

C:\NEFILIM-DECRYPT.txt

Ransom Note

All of your files have been encrypted with military grade algorithms. We ensure that the only way to retrieve your data is with our software. We will make sure you retrieve your data swiftly and securely when our demands are met. Restoration of your data requires a private key which only we possess. A large amount of your private files have been extracted and is kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted. To confirm that our decryption software works email to us 2 files from random computers. You will receive further instructions after you send us the test files. [email protected] [email protected] [email protected]

Signatures

  • Nefilim

    Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.

  • Modifies extensions of user files (5 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Sets service image path in registry (2 TTPs)

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe (1 IoCs)

  • Modifies data under HKEY_USERS (41 IoCs)

  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe
    "C:\Users\Admin\AppData\Local\Temp\bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3728
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 3 /nobreak && del "C:\Users\Admin\AppData\Local\Temp\bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe" /s /f /q
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 3 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:944
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe fb8c4272e30e5d6048a61f5efad77f8f /MdMpPJ1D06TDUBVvcW6ng.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:3140

Network

MITRE ATT&CK Enterprise v6
