Analysis
-
max time kernel
1738s -
max time network
1753s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
13-09-2022 17:54
General
-
Target
RansomwareSamples/Nefilim_31_08_2020_3061KB.exe
-
Size
3.0MB
-
MD5
cd7b5d2391af7cc10f5ab11f2baef503
-
SHA1
c735ff582ab489f13cfc76ee744e52b868012e2e
-
SHA256
0bafde9b22d7147de8fdb852bcd529b1730acddc9eb71316b66c180106f777f5
-
SHA512
b01c843c9a7c154ab592b667fe66b49123bfc2218904391600c1d17623b91c4e83eb6049aba01813586251596d999cce953ca689957390e658ee306a9859adca
-
SSDEEP
24576:YOXKA8qDbjm8N3CNWYqdQCVzCYXjG9xLAW0bUXo2xdQS3aVOqL1UrSlcbHLWcR4+:tXKOm8mkdHJC0jG9xE9gdQS3aLibLw
Score
10/10
Malware Config
Extracted
Path
C:\\NEF1LIM-DECRYPT.txt
Ransom Note
Two things have happened to your company.
==========================================================================================================================
Gigabytes of archived files that we deemed valuable or sensitive were downloaded from your network to a secure location.
When you contact us we will tell you how much data was downloaded and can provide extensive proof of the data extraction.
You can analyze the type of the data we download on our websites.
If you do not contact us we will start leaking the data periodically in parts.
==========================================================================================================================
We have also encrypted files on your computers with military grade algorithms.
If you don't have extensive backups the only way to retrieve your data is with our software.
Restoration of your data with our software requires a private key which only we possess.
==========================================================================================================================
To confirm that our decryption software works send 2 encrypted files from random computers to us via email.
You will receive further instructions after you send us the test files.
We will make sure you retrieve your data swiftly and securely and your data that we downloaded will be securely deleted when our demands are met.
If we do not come to an agreement your data will be leaked on this website.
Website: http://corpleaks.net
TOR link: http://hxt254aygrsziejn.onion
Contact us via email:
Lianaytman@protonmail.com
Murdochjoumo@protonmail.com
Ricardogurtress@tutanota.com
Emails
Lianaytman@protonmail.com
Murdochjoumo@protonmail.com
Ricardogurtress@tutanota.com
URLs
http://corpleaks.net
http://hxt254aygrsziejn.onion
Signatures
-
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Nefilim_31_08_2020_3061KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Nefilim_31_08_2020_3061KB.exe"1⤵
- Modifies extensions of user files