Analysis

  • max time kernel
    177s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    31-01-2022 23:50

General

  • Target

    52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe

  • Size

    4.2MB

  • MD5

    80cfda61942eb4e71f286297a1158f48

  • SHA1

    6c9ae388fa5d723a458de0d2bea3eb63bc921af7

  • SHA256

    52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea

  • SHA512

    5e02f22c9c367d2111d4b1a6000691286da04c52aae9fd7b716b0911e31256aa679ac227d24443bfd75450b1dd7f9c20eae0593d1fc42324b9281852e20fcbe7

Malware Config

Extracted

Path

C:\NEFILIM-DECRYPT.txt

Ransom Note
All of your files have been encrypted with military grade algorithms. We ensure that the only way to retrieve your data is with our software. We will make sure you retrieve your data swiftly and securely when our demands are met. Restoration of your data requires a private key which only we possess. A large amount of your private files have been extracted and is kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted. To confirm that our decryption software works email to us 2 files from random computers. You will receive further instructions after you send us the test files. [email protected] [email protected] [email protected]

Signatures

  • Nefilim

    Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.

  • Nefilim Ransomware Executable 2 IoCs

    File contains patterns typical of Nefilim samples.

  • Executes dropped EXE 3 IoCs
  • Sets service image path in registry 2 TTPs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Detects Pyinstaller 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
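
The "Detects Pyinstaller" hit above, together with the dropped python27.dll, _ctypes.pyd and the _MEI10082 scratch directory, says that inj.exe is a PyInstaller one-file build: the bootloader unpacks its payload to %TEMP%\_MEI<pid>… (consistent with the first inj.exe, PID 1008, spawning the second instance, PID 3304, that loads the dropped DLL) and then runs the embedded Python 2.7 program. The following is an added example, not code from the report or from PyInstaller, showing the file-level check behind such a signature: a PyInstaller archive is appended to the PE and ends in a fixed-size cookie that records where the table of contents is and which Python runtime the payload needs. The bytes built by `build_constructed_sample()` are constructed for the demonstration and are not taken from inj.exe.

```python
"""Locate and decode a PyInstaller CArchive cookie at the end of a binary."""
import struct

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"   # PyInstaller CArchive magic (8 bytes)
COOKIE_FMT = "!8siiii64s"            # PyInstaller >= 2.1 cookie: magic, package length,
                                     # TOC offset, TOC length, python version, pylib name
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88 bytes


def find_pyinstaller_cookie(data: bytes):
    """Return the decoded cookie fields, or None when no consistent cookie exists.

    The cookie is the last structure of the appended archive, so searching
    backwards from the end of the file finds it without parsing the PE headers.
    rfind() also tolerates a few trailing bytes after the cookie.
    """
    pos = data.rfind(MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_LEN])
    # pkg_len covers everything from the archive start through the cookie,
    # so the archive begins pkg_len bytes before the cookie's end.
    archive_start = pos + COOKIE_LEN - pkg_len
    # Reject a stray magic string whose fields do not describe a real layout.
    if archive_start < 0 or toc_off < 0 or toc_off + toc_len > pkg_len - COOKIE_LEN:
        return None
    # Older bootloaders store 27 for Python 2.7, newer ones 311 for 3.11.
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    return {
        "archive_start": archive_start,
        "toc_start": archive_start + toc_off,
        "toc_len": toc_len,
        "python_version": (major, minor),
        "pylib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_constructed_sample() -> bytes:
    """Constructed stand-in for a PyInstaller 2.x one-file binary (not a real PE)."""
    stub = b"MZ" + b"\x00" * 126                 # fake executable head, filler only
    entries = b"<compressed CArchive entries would sit here>"
    toc = b"<table of contents would sit here>"
    pkg_len = len(entries) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(entries), len(toc),
                         27, b"python27.dll")   # struct pads the name to 64 bytes
    return stub + entries + toc + cookie


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_sample()
    print(find_pyinstaller_cookie(blob))
```

Run it against a suspect file with `python pyi_cookie.py inj.exe`; a populated result with `pylib` of `python27.dll` is the static counterpart of the `_MEI10082\python27.dll` drop seen in the sandbox. Absence of a cookie does not clear a file, since packers other than PyInstaller, or a stripped archive, give the same negative.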

Processes

  • C:\Users\Admin\AppData\Local\Temp\52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe
    "C:\Users\Admin\AppData\Local\Temp\52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inj.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inj.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1008
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inj.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inj.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3304
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://199.204.251.210/
          4⤵
          • Enumerates system info in registry
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1664
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x15c,0x16c,0x7ffc092946f8,0x7ffc09294708,0x7ffc09294718
            5⤵
            PID:484
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,2214803876266273437,17949018507073604185,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
            5⤵
            PID:2984
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,2214803876266273437,17949018507073604185,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3124
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,2214803876266273437,17949018507073604185,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3296 /prefetch:8
            5⤵
            PID:1632
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2214803876266273437,17949018507073604185,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
            5⤵
            PID:2348
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2214803876266273437,17949018507073604185,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
            5⤵
            PID:3640
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2214803876266273437,17949018507073604185,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
            5⤵
            PID:2920
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2214803876266273437,17949018507073604185,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
            5⤵
            PID:1344
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2214803876266273437,17949018507073604185,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
            5⤵
            PID:2020
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2214803876266273437,17949018507073604185,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
            5⤵
            PID:2240
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2214803876266273437,17949018507073604185,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1140 /prefetch:1
            5⤵
            PID:4360
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COVID-~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COVID-~1.EXE
      2⤵
      • Executes dropped EXE
      PID:1660
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3716
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 4e5bb866f8ab62f39f54434a9760186f v4TlscNIC0O0khsjZD893A.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:3604
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3212
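
The tree above has three traits worth turning into detection logic: the submitted sample unpacks into %TEMP%\IXP000.TMP (the scratch directory an IExpress/wextract self-extracting package uses before running its install command) and executes two binaries from it; one of those binaries launches msedge.exe with a raw-IP URL (http://199.204.251.210/) rather than a hostname; and the browser's parent is a dropped executable rather than explorer.exe. The following is an added example, not part of the sandbox report, that runs those rules over process-creation events reconstructed from the tree in a Sysmon Event ID 1-like shape. The parent PIDs follow the tree's nesting because the report does not list them explicitly; the rule names and the choice to key on the IXP<nnn>.TMP directory are this example's own.

```python
"""Rule-based triage of process-creation events, modelled on the tree above."""
import ipaddress
import re
from urllib.parse import urlparse

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
DROP = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP"
ROOT = r"C:\Users\Admin\AppData\Local\Temp\52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe"

# Constructed from the report's process tree; ppid values follow the nesting.
EVENTS = [
    {"pid": 2360, "ppid": 0,    "image": ROOT,                    "cmdline": f'"{ROOT}"'},
    {"pid": 1008, "ppid": 2360, "image": DROP + r"\inj.exe",      "cmdline": DROP + r"\inj.exe"},
    {"pid": 3304, "ppid": 1008, "image": DROP + r"\inj.exe",      "cmdline": DROP + r"\inj.exe"},
    {"pid": 1664, "ppid": 3304, "image": EDGE,
     "cmdline": f'"{EDGE}" --single-argument http://199.204.251.210/'},
    {"pid": 484,  "ppid": 1664, "image": EDGE,                    "cmdline": f'"{EDGE}" --type=crashpad-handler'},
    {"pid": 1660, "ppid": 2360, "image": DROP + r"\COVID-~1.EXE", "cmdline": DROP + r"\COVID-~1.EXE"},
    {"pid": 3212, "ppid": 0,    "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"},
]

BROWSERS = {"msedge.exe", "chrome.exe", "iexplore.exe", "firefox.exe"}
# IXP000.TMP, IXP001.TMP, ... are created by wextract.exe for IExpress packages.
IEXPRESS_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)
URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_raw_ip_url(url):
    """True when the URL's host is an IP literal (http://199.204.251.210/) rather than a name."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def lineage(by_pid, pid):
    """Image names from pid up to the root, e.g. ['msedge.exe', 'inj.exe', 'inj.exe', '52e2...exe']."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def triage(events):
    """Return [(pid, rule)] for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = image_name(parent["image"]) if parent else ""
        if IEXPRESS_DIR.search(e["image"]):
            findings.append((e["pid"], "exec_from_iexpress_tempdir"))
        # Only the top browser process matters; its own children (crashpad,
        # gpu, renderer) are browser-internal and would only add noise.
        if name in BROWSERS and parent_name not in BROWSERS:
            if parent_name != "explorer.exe" and any(is_raw_ip_url(u) for u in URL.findall(e["cmdline"])):
                findings.append((e["pid"], "browser_opened_raw_ip_url"))
            if parent is not None and IEXPRESS_DIR.search(parent["image"]):
                findings.append((e["pid"], "browser_spawned_by_iexpress_payload"))
    return findings


if __name__ == "__main__":
    by_pid = {e["pid"]: e for e in EVENTS}
    for pid, rule in triage(EVENTS):
        print(f"{pid:>5}  {rule:<36} {' <- '.join(lineage(by_pid, pid))}")
```

On the constructed events this flags the two inj.exe instances and COVID-~1.EXE for running out of the IExpress scratch directory, and msedge.exe (PID 1664) twice: once for the raw-IP URL and once for being spawned by a dropped binary. The svchost.exe, CompPkgSrv.exe and WaaSMedicAgent.exe processes in the tree are Windows Update activity that happened to coincide with the run and are not flagged.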

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COVID-~1.EXE
    MD5     95a2dd9a94b803df1579d58bbba31b0e
    SHA1    5275c4ab060ce190938b37f6d6ef3c12a70615b4
    SHA256  5104b8abb22cca1b078dd5b86e61f515a73404b0269fe7e6765ec818fbdf830b
    SHA512  2355ce69b7026c67b312e870d9ee4c3290ca54295af6ec6ee4ebec04ec4ec25306cefde3c23bc7b6dbf0d8c9dc1b5eaa3fa81efdcccbe9b4e755929138fe9bf5

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inj.exe
    MD5     705d469e78736d4d6a17feb14f03c38d
    SHA1    1a86ab9c377eb3bd99107a567defb100482aab90
    SHA256  0fe4a809110e2633e9b74d624b7bf4333a0e954ef899d17610badbbde0c4f656
    SHA512  64d6ffbc961cf45cbe82d62b820633033e2a5e447f8b874afdea84020f42c14f344d3979e934ee8c05b9aecca18692f231b9b7ea3fe5e09d50ae8508925bc41f

  • C:\Users\Admin\AppData\Local\Temp\_MEI10082\_ctypes.pyd
    MD5     6ae4a18b7591824366b0b41f24d52d45
    SHA1    e22e8abf69c8676b68fe42d9f26c2bd5f731af39
    SHA256  f943df92c70b640b6462312a048d92df8d2e4447129a6d2b75f8f99d6b5d641a
    SHA512  f882514fb21191c16dd0e778a26400e3614622df3da9e75da8360def79aeb23d96c820e10351a103ce910272192d39760f271d20cbb3763ef1d8b427b676559c

  • C:\Users\Admin\AppData\Local\Temp\_MEI10082\inj.exe.manifest
    MD5     891c51c1e0e4f0fb2ea96f4b8920c90a
    SHA1    4951908c955eea848fb8227eda9b50713fa6e6de
    SHA256  80db6cf6b0d75694c9f584090f3e616df7c0a71aa45418b6078ddfb65682cc18
    SHA512  e7495718898ada51fbbdbbc9c2eb352e07842e330984f0cc6c099244c69ff15c3be331096ff4ff9d2c3a7f235daabdd5611e98fa6bfdd1258494985fae61189c

  • C:\Users\Admin\AppData\Local\Temp\_MEI10082\python27.dll
    MD5     9bd072fdd178efc44276b53fbcdc17d6
    SHA1    24b7f989b19308ec91bbdd099f7fd6bd3add97eb
    SHA256  b5ed923a52fa1bf7f524008f3b393077807cd32ea45aca392065cd8cae0171d6
    SHA512  69f91f83bbd0cef7785029a881278977740ffe26fdc03e19fe8b67a284ff77363d9ae451cf45675447fb01484b4790f0b369867558e10265c5d3c22d42e4efeb

  • C:\Users\Admin\AppData\Local\Temp\_MEI10~1\_ctypes.pyd
    MD5     6ae4a18b7591824366b0b41f24d52d45
    SHA1    e22e8abf69c8676b68fe42d9f26c2bd5f731af39
    SHA256  f943df92c70b640b6462312a048d92df8d2e4447129a6d2b75f8f99d6b5d641a
    SHA512  f882514fb21191c16dd0e778a26400e3614622df3da9e75da8360def79aeb23d96c820e10351a103ce910272192d39760f271d20cbb3763ef1d8b427b676559c

  • \??\pipe\LOCAL\crashpad_1664_MZVYTEHOVFAPBPVT
    MD5     d41d8cd98f00b204e9800998ecf8427e
    SHA1    da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/2348-149-0x00007FFC27C60000-0x00007FFC27C61000-memory.dmp
    Filesize  4KB

  • memory/2984-141-0x00007FFC276E0000-0x00007FFC276E1000-memory.dmp
    Filesize  4KB

  • memory/3212-169-0x000001EDBC390000-0x000001EDBC3A0000-memory.dmp
    Filesize  64KB

  • memory/3212-170-0x000001EDBCE30000-0x000001EDBCE40000-memory.dmp
    Filesize  64KB

  • memory/3212-171-0x000001EDBF360000-0x000001EDBF364000-memory.dmp
    Filesize  16KB

  • memory/3640-151-0x00007FFC261B0000-0x00007FFC261B1000-memory.dmp
    Filesize  4KB
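
Three things about the list above matter before its hashes go into a sweep. First, the paths mix long and 8.3 short names (COVID-~1.EXE, _MEI10~1), so matching on file names is fragile and hashing is the reliable key. Second, python27.dll, _ctypes.pyd and inj.exe.manifest are the stock CPython/PyInstaller runtime that any Python 2.7 one-file build drops; a hit on them alone is context, not an infection. Third, the crashpad pipe entry carries the MD5/SHA-1/SHA-256/SHA-512 of zero bytes (d41d8cd9…, da39a3ee…, e3b0c442…, cf83e135…), so taking it as an indicator would flag every empty file on every host. The following is an added example, not part of the report, that encodes that tiering, hashes each file once for all four digests the report lists, and shows the behaviour on a constructed directory (`demo_sweep()`, with a planted stand-in payload and an empty file; the "constructed payload" hash is this example's own, not from the report).

```python
"""Hash-based sweep for the dropped files listed above, with IOC tiering."""
import hashlib
import os

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()   # e3b0c442...: digest of zero bytes

# SHA-256 -> (label, tier), taken from the report's Downloads section.
# "high" identifies the campaign's own binaries; "context" is shared runtime;
# "ignore" is the empty-content digest recorded for the crashpad pipe.
REPORT_IOCS = {
    "52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea": ("submitted sample", "high"),
    "0fe4a809110e2633e9b74d624b7bf4333a0e954ef899d17610badbbde0c4f656": ("IXP000.TMP\\inj.exe", "high"),
    "5104b8abb22cca1b078dd5b86e61f515a73404b0269fe7e6765ec818fbdf830b": ("IXP000.TMP\\COVID-~1.EXE", "high"),
    "b5ed923a52fa1bf7f524008f3b393077807cd32ea45aca392065cd8cae0171d6": ("_MEI*\\python27.dll", "context"),
    "f943df92c70b640b6462312a048d92df8d2e4447129a6d2b75f8f99d6b5d641a": ("_MEI*\\_ctypes.pyd", "context"),
    "80db6cf6b0d75694c9f584090f3e616df7c0a71aa45418b6078ddfb65682cc18": ("_MEI*\\inj.exe.manifest", "context"),
    EMPTY_SHA256: ("crashpad pipe (empty content)", "ignore"),
}


def hash_file(path, chunk=1 << 20):
    """Read the file once and return the four digests the report lists, keyed by name."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256", "sha512")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def sweep(root, iocs=REPORT_IOCS):
    """Walk root and return [(path, label, tier)] for SHA-256 matches, dropping tier 'ignore'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sha256 = hash_file(path)["sha256"]
            except OSError:
                continue          # locked or vanished file; a production sweep would log it
            if sha256 in iocs:
                label, tier = iocs[sha256]
                if tier != "ignore":
                    hits.append((path, label, tier))
    return hits


def verdict(hits):
    """'infected' needs a high-tier hit; runtime files alone only say a PyInstaller app is present."""
    tiers = {tier for _, _, tier in hits}
    if "high" in tiers:
        return "infected"
    if "context" in tiers:
        return "pyinstaller runtime present"
    return "clean"


def demo_sweep():
    """Constructed demonstration: a planted stand-in payload, an empty file, an unrelated file."""
    import tempfile
    payload = b"constructed stand-in for a dropped executable"   # not real malware content
    iocs = dict(REPORT_IOCS)
    iocs[hashlib.sha256(payload).hexdigest()] = ("constructed payload", "high")
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "COVID-~1.EXE"), "wb") as fh:
            fh.write(payload)
        open(os.path.join(root, "empty.txt"), "wb").close()     # hashes to EMPTY_SHA256, must not fire
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"unrelated content")
        return [(os.path.basename(p), label, tier) for p, label, tier in sweep(root, iocs)]


if __name__ == "__main__":
    import sys
    hits = sweep(sys.argv[1]) if len(sys.argv) > 1 else demo_sweep()
    for hit in hits:
        print(*hit, sep="  ")
    print("verdict:", verdict(hits))
```

Point it at a mounted image or a user profile with `python sweep.py C:\Users`; because `REPORT_IOCS` keys on SHA-256, the MD5 and SHA-1 values are computed in the same pass and can be written to the case log without rereading the file.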