General

  • Target

    52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea

  • Size

    4.2MB

  • Sample

    220131-3vls2adfgr

  • MD5

    80cfda61942eb4e71f286297a1158f48

  • SHA1

    6c9ae388fa5d723a458de0d2bea3eb63bc921af7

  • SHA256

    52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea

  • SHA512

    5e02f22c9c367d2111d4b1a6000691286da04c52aae9fd7b716b0911e31256aa679ac227d24443bfd75450b1dd7f9c20eae0593d1fc42324b9281852e20fcbe7

Malware Config

Extracted

Path

C:\NEFILIM-DECRYPT.txt

Ransom Note
All of your files have been encrypted with military grade algorithms. We ensure that the only way to retrieve your data is with our software. We will make sure you retrieve your data swiftly and securely when our demands are met. Restoration of your data requires a private key which only we possess. A large amount of your private files have been extracted and is kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted. To confirm that our decryption software works email to us 2 files from random computers. You will receive further instructions after you send us the test files. [email protected] [email protected] [email protected]

Targets

    • Target

      52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea

    • Size

      4.2MB

    • MD5

      80cfda61942eb4e71f286297a1158f48

    • SHA1

      6c9ae388fa5d723a458de0d2bea3eb63bc921af7

    • SHA256

      52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea

    • SHA512

      5e02f22c9c367d2111d4b1a6000691286da04c52aae9fd7b716b0911e31256aa679ac227d24443bfd75450b1dd7f9c20eae0593d1fc42324b9281852e20fcbe7

    • Nefilim

      Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.

    • Nefilim Ransomware Executable

      File contains patterns typical of Nefilim samples.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Sets service image path in registry

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks