Analysis

  • max time kernel
    129s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    31-01-2022 23:50

General

  • Target

    52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe

  • Size

    4.2MB

  • MD5

    80cfda61942eb4e71f286297a1158f48

  • SHA1

    6c9ae388fa5d723a458de0d2bea3eb63bc921af7

  • SHA256

    52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea

  • SHA512

    5e02f22c9c367d2111d4b1a6000691286da04c52aae9fd7b716b0911e31256aa679ac227d24443bfd75450b1dd7f9c20eae0593d1fc42324b9281852e20fcbe7

Malware Config

Extracted

Path

C:\NEFILIM-DECRYPT.txt

Ransom Note
All of your files have been encrypted with military grade algorithms. We ensure that the only way to retrieve your data is with our software. We will make sure you retrieve your data swiftly and securely when our demands are met. Restoration of your data requires a private key which only we possess. A large amount of your private files have been extracted and are kept in a secure location. If you do not contact us within seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted. To confirm that our decryption software works, email us 2 files from random computers. You will receive further instructions after you send us the test files. [email protected] [email protected] [email protected]

Signatures

  • Nefilim

    Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.

  • Nefilim Ransomware Executable 5 IoCs

    File contains patterns typical of Nefilim samples.

  • Executes dropped EXE 3 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 10 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Detects Pyinstaller 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe
    "C:\Users\Admin\AppData\Local\Temp\52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inj.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inj.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inj.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inj.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:848
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://199.204.251.210/
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1272
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1272 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1160
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COVID-~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COVID-~1.EXE
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:968
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 3 /nobreak && del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COVID-~1.EXE" /s /f /q
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1084
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 3 /nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:1592

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COVID-~1.EXE

    MD5

    95a2dd9a94b803df1579d58bbba31b0e

    SHA1

    5275c4ab060ce190938b37f6d6ef3c12a70615b4

    SHA256

    5104b8abb22cca1b078dd5b86e61f515a73404b0269fe7e6765ec818fbdf830b

    SHA512

    2355ce69b7026c67b312e870d9ee4c3290ca54295af6ec6ee4ebec04ec4ec25306cefde3c23bc7b6dbf0d8c9dc1b5eaa3fa81efdcccbe9b4e755929138fe9bf5

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inj.exe

    MD5

    705d469e78736d4d6a17feb14f03c38d

    SHA1

    1a86ab9c377eb3bd99107a567defb100482aab90

    SHA256

    0fe4a809110e2633e9b74d624b7bf4333a0e954ef899d17610badbbde0c4f656

    SHA512

    64d6ffbc961cf45cbe82d62b820633033e2a5e447f8b874afdea84020f42c14f344d3979e934ee8c05b9aecca18692f231b9b7ea3fe5e09d50ae8508925bc41f

  • C:\Users\Admin\AppData\Local\Temp\_MEI5202\_ctypes.pyd

    MD5

    6ae4a18b7591824366b0b41f24d52d45

    SHA1

    e22e8abf69c8676b68fe42d9f26c2bd5f731af39

    SHA256

    f943df92c70b640b6462312a048d92df8d2e4447129a6d2b75f8f99d6b5d641a

    SHA512

    f882514fb21191c16dd0e778a26400e3614622df3da9e75da8360def79aeb23d96c820e10351a103ce910272192d39760f271d20cbb3763ef1d8b427b676559c

  • C:\Users\Admin\AppData\Local\Temp\_MEI5202\inj.exe.manifest

    MD5

    891c51c1e0e4f0fb2ea96f4b8920c90a

    SHA1

    4951908c955eea848fb8227eda9b50713fa6e6de

    SHA256

    80db6cf6b0d75694c9f584090f3e616df7c0a71aa45418b6078ddfb65682cc18

    SHA512

    e7495718898ada51fbbdbbc9c2eb352e07842e330984f0cc6c099244c69ff15c3be331096ff4ff9d2c3a7f235daabdd5611e98fa6bfdd1258494985fae61189c

  • C:\Users\Admin\AppData\Local\Temp\_MEI5202\python27.dll

    MD5

    9bd072fdd178efc44276b53fbcdc17d6

    SHA1

    24b7f989b19308ec91bbdd099f7fd6bd3add97eb

    SHA256

    b5ed923a52fa1bf7f524008f3b393077807cd32ea45aca392065cd8cae0171d6

    SHA512

    69f91f83bbd0cef7785029a881278977740ffe26fdc03e19fe8b67a284ff77363d9ae451cf45675447fb01484b4790f0b369867558e10265c5d3c22d42e4efeb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\O39JQ1YL.txt

    MD5

    83f263cb08a7ac3889de693b8308e0dc

    SHA1

    77408c3f339cca2a64c449db3f4bba000c4df4ca

    SHA256

    77fef24a2682d67b7a9aca1096b296ce87816ab7c5ecfd9ce21741ee926682c6

    SHA512

    279ad6ba558c9c6bc74e00b706a50e33f5afbe90da9149c9a2d7d5060542d071942f73569f274e1f7fd467b9bbce904003873a26f94447529bbbca2e0bb39b39

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\COVID-~1.EXE

    MD5

    95a2dd9a94b803df1579d58bbba31b0e

    SHA1

    5275c4ab060ce190938b37f6d6ef3c12a70615b4

    SHA256

    5104b8abb22cca1b078dd5b86e61f515a73404b0269fe7e6765ec818fbdf830b

    SHA512

    2355ce69b7026c67b312e870d9ee4c3290ca54295af6ec6ee4ebec04ec4ec25306cefde3c23bc7b6dbf0d8c9dc1b5eaa3fa81efdcccbe9b4e755929138fe9bf5

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\inj.exe

    MD5

    705d469e78736d4d6a17feb14f03c38d

    SHA1

    1a86ab9c377eb3bd99107a567defb100482aab90

    SHA256

    0fe4a809110e2633e9b74d624b7bf4333a0e954ef899d17610badbbde0c4f656

    SHA512

    64d6ffbc961cf45cbe82d62b820633033e2a5e447f8b874afdea84020f42c14f344d3979e934ee8c05b9aecca18692f231b9b7ea3fe5e09d50ae8508925bc41f

  • \Users\Admin\AppData\Local\Temp\_MEI5202\_ctypes.pyd

    MD5

    6ae4a18b7591824366b0b41f24d52d45

    SHA1

    e22e8abf69c8676b68fe42d9f26c2bd5f731af39

    SHA256

    f943df92c70b640b6462312a048d92df8d2e4447129a6d2b75f8f99d6b5d641a

    SHA512

    f882514fb21191c16dd0e778a26400e3614622df3da9e75da8360def79aeb23d96c820e10351a103ce910272192d39760f271d20cbb3763ef1d8b427b676559c

  • \Users\Admin\AppData\Local\Temp\_MEI5202\python27.dll

    MD5

    9bd072fdd178efc44276b53fbcdc17d6

    SHA1

    24b7f989b19308ec91bbdd099f7fd6bd3add97eb

    SHA256

    b5ed923a52fa1bf7f524008f3b393077807cd32ea45aca392065cd8cae0171d6

    SHA512

    69f91f83bbd0cef7785029a881278977740ffe26fdc03e19fe8b67a284ff77363d9ae451cf45675447fb01484b4790f0b369867558e10265c5d3c22d42e4efeb

  • memory/1876-54-0x0000000076121000-0x0000000076123000-memory.dmp

    Filesize

    8KB