Analysis

  • max time kernel
    1756s
  • max time network
    1769s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20220812-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    13-09-2022 17:54

General

  • Target

    RansomwareSamples/Nemty_03_02_2021_124KB.exe

  • Size

    123KB

  • MD5

    78c3c27df6232caa15679c6b72406799

  • SHA1

    e439d28b6bb6fd449bddad9cf36c97433a363aed

  • SHA256

    a2fe2942436546be34c1f83639f1624cae786ab2a57a29a75f27520792cbf3da

  • SHA512

    36dcdaffaef3ea2136cca3386f18ee3f6462aa66c82ef64660e3c300f3d58720a9c742930e2ee8e94c2379fbc7b3e6932dda20b5caa30b1c1f1ef38095aac6f6

  • SSDEEP

    3072:xlwfdbiGnmYcAbwc7HNXG8/IEjkeOBeFtEv9VTYnH5upMocGMn7qxR1tMkTJNzn:DwfY2sA0kHFkktN5upMocGMns/lNzn

Score
10/10

Malware Config

Extracted

Path

C:\MILIHPEN-INSTRUCT.txt

Ransom Note
Two things have happened to your company.
==========================================================================================================================
Gigabytes of archived files that we deemed valuable or sensitive were downloaded from your network to a secure location. When you contact us we will tell you how much data was downloaded and can provide extensive proof of the data extraction. You can analyze the type of the data we download on our websites. If you do not contact us we will start leaking the data periodically in parts.
==========================================================================================================================
We have also encrypted files on your computers with military grade algorithms. If you don't have extensive backups the only way to retrieve your data is with our software. Restoration of your data with our software requires a private key which only we possess.
==========================================================================================================================
To confirm that our decryption software works send 2 encrypted files from random computers to us via email. You will receive further instructions after you send us the test files. We will make sure you retrieve your data swiftly and securely and your data that we downloaded will be securely deleted when our demands are met. If we do not come to an agreement your data will be leaked on this website.
Website: http://corpleaks.net
TOR link: http://hxt254aygrsziejn.onion
Contact us via email:
LynnJohnson1990@tutanota.com
ChristopherThomas2021@tutanota.com
Djimkarter@protonmail.com
Emails

LynnJohnson1990@tutanota.com

ChristopherThomas2021@tutanota.com

Djimkarter@protonmail.com

URLs

http://corpleaks.net

http://hxt254aygrsziejn.onion
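The Emails and URLs lists above are what a sandbox config extractor pulls out of the recovered note. The script below is an added example by the editor, not the sandbox's own extractor: it reads the ransom note text exactly as reported (copied from the report, with line breaks added), pulls the contact channels out with regular expressions, singles out Tor hidden-service hostnames, and defangs each indicator so it can be pasted into a ticket or shared without being clickable. The regexes and the defanging convention (hxxp, [.], [at]) are the editor's choices.

```python
import re

# Ransom note as recovered from C:\MILIHPEN-INSTRUCT.txt in the report above.
# Text is copied verbatim; only the line breaks are ours.
RANSOM_NOTE = """Two things have happened to your company.
Gigabytes of archived files that we deemed valuable or sensitive were downloaded from your network to a secure location.
When you contact us we will tell you how much data was downloaded and can provide extensive proof of the data extraction.
You can analyze the type of the data we download on our websites.
If you do not contact us we will start leaking the data periodically in parts.
We have also encrypted files on your computers with military grade algorithms.
If you don't have extensive backups the only way to retrieve your data is with our software.
Restoration of your data with our software requires a private key which only we possess.
To confirm that our decryption software works send 2 encrypted files from random computers to us via email.
You will receive further instructions after you send us the test files.
If we do not come to an agreement your data will be leaked on this website.
Website: http://corpleaks.net
TOR link: http://hxt254aygrsziejn.onion
Contact us via email: LynnJohnson1990@tutanota.com ChristopherThomas2021@tutanota.com Djimkarter@protonmail.com
"""

# Editor's patterns (not the sandbox's): a permissive e-mail matcher, any
# http/https URL, and a Tor hostname (16-char v2 or 56-char v3 base32 label).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://\S+")
ONION_RE = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b")


def extract_iocs(note: str) -> dict:
    """Return de-duplicated, sorted contact channels found in a ransom note."""
    emails = sorted(set(EMAIL_RE.findall(note)))
    # Strip sentence punctuation that a note author may glue onto a URL.
    urls = sorted({u.rstrip(".,;)") for u in URL_RE.findall(note)})
    onions = sorted(set(ONION_RE.findall(note)))
    return {"emails": emails, "urls": urls, "onion": onions}


def defang(indicator: str) -> str:
    """Make an indicator non-clickable for sharing: hxxp://, [.] and [at]."""
    return (indicator.replace("https://", "hxxps://")
                     .replace("http://", "hxxp://")
                     .replace(".", "[.]")
                     .replace("@", "[at]"))


def defanged_report(note: str) -> list:
    """Flat, defanged list of every indicator extracted from the note."""
    iocs = extract_iocs(note)
    return [defang(i) for i in iocs["emails"] + iocs["urls"]]


if __name__ == "__main__":
    for line in defanged_report(RANSOM_NOTE):
        print(line)
```

Running the block prints the three mailboxes and both sites in defanged form; the `onion` list lets a triage playbook treat the Tor leak site separately from the clearnet domain, which is the one a blocklist can act on.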

Signatures

  • Modifies extensions of user files (11 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.
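The two signatures above are behavioural: one counts renames that change the extension of files under a user profile, the other notices a process touching the root of drives other than C:. The following is an added example by the editor showing how such rules can be evaluated over a stream of file-system events; it is not the sandbox's rule engine, and the events are constructed to illustrate the logic. The `.LOCKED` extension and the benign PID 1234 are placeholders, not facts about this sample (the report does not state which extension Nemty appends).

```python
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Signature names as they appear in the sandbox report.
SIG_EXT = "Modifies extensions of user files"
SIG_DRIVES = "Enumerates connected drives"

# Constructed events in the shape (pid, operation, path, new_path).
# Not the sandbox's recorded events; ".LOCKED" is a placeholder extension.
EVENTS = [
    (4996, "read_dir", "C:\\", None),
    (4996, "read_dir", "D:\\", None),
    (4996, "read_dir", "E:\\", None),
    (4996, "rename", "C:\\Users\\Admin\\Documents\\budget.xlsx", "C:\\Users\\Admin\\Documents\\budget.xlsx.LOCKED"),
    (4996, "rename", "C:\\Users\\Admin\\Documents\\plan.docx", "C:\\Users\\Admin\\Documents\\plan.docx.LOCKED"),
    (4996, "rename", "C:\\Users\\Admin\\Pictures\\holiday.jpg", "C:\\Users\\Admin\\Pictures\\holiday.jpg.LOCKED"),
    (4996, "rename", "C:\\Users\\Admin\\Desktop\\notes.txt", "C:\\Users\\Admin\\Desktop\\notes.txt.LOCKED"),
    (4996, "rename", "C:\\Users\\Admin\\Downloads\\setup.msi", "C:\\Users\\Admin\\Downloads\\setup.msi.LOCKED"),
    (4996, "rename", "C:\\Users\\Admin\\Music\\song.mp3", "C:\\Users\\Admin\\Music\\song.mp3.LOCKED"),
    (4996, "rename", "C:\\Windows\\Temp\\a.tmp", "C:\\Windows\\Temp\\a.tmp.LOCKED"),  # not a user file
    (1234, "read_dir", "C:\\", None),  # hypothetical benign process
    (1234, "rename", "C:\\Users\\Admin\\Documents\\draft.docx", "C:\\Users\\Admin\\Documents\\final.docx"),  # ext kept
    (1234, "rename", "C:\\Users\\Admin\\Documents\\readme.txt", "C:\\Users\\Admin\\Documents\\readme.md"),
]


def is_user_file(path: str) -> bool:
    """True for paths under <drive>:\\Users\\<name>\\..."""
    parts = PureWindowsPath(path).parts
    return len(parts) > 2 and parts[1].lower() == "users"


def is_drive_root(path: str) -> bool:
    """True for a bare drive root such as D:\\ (its parent is itself)."""
    p = PureWindowsPath(path)
    return p.drive != "" and p.parent == p


def extension_changes(events, pid) -> Counter:
    """Count renames by `pid` of user files whose extension changed, keyed (old, new)."""
    changes = Counter()
    for epid, op, src, dst in events:
        if epid != pid or op != "rename" or dst is None or not is_user_file(src):
            continue
        old = PureWindowsPath(src).suffix.lower()
        new = PureWindowsPath(dst).suffix.lower()
        if old != new:
            changes[(old, new)] += 1
    return changes


def other_drives_read(events, pid) -> list:
    """Drive roots other than C: whose root directory `pid` read."""
    drives = set()
    for epid, op, path, _ in events:
        if epid == pid and op == "read_dir" and is_drive_root(path):
            drive = PureWindowsPath(path).drive.upper()
            if drive != "C:":
                drives.add(drive)
    return sorted(drives)


def detect(events, min_ext_changes=5) -> dict:
    """Map each PID to the list of signatures it triggers (threshold is the editor's)."""
    findings = defaultdict(list)
    for pid in sorted({e[0] for e in events}):
        if sum(extension_changes(events, pid).values()) >= min_ext_changes:
            findings[pid].append(SIG_EXT)
        if other_drives_read(events, pid):
            findings[pid].append(SIG_DRIVES)
    return dict(findings)


if __name__ == "__main__":
    for pid, sigs in detect(EVENTS).items():
        print(pid, sigs)
```

The threshold matters: a single extension change (the `.txt` to `.md` rename by PID 1234) is normal user activity, while several distinct source extensions all mapping to one new extension from one process is the pattern the report's signature describes. Renames outside `Users\` are deliberately ignored so that installer and temp-file churn does not inflate the count.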

Processes

  • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Nemty_03_02_2021_124KB.exe
    "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Nemty_03_02_2021_124KB.exe"
    PID: 4996
    • Modifies extensions of user files
    • Enumerates connected drives

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • T1012 Query Registry (1)
  • T1120 Peripheral Device Discovery (1)
  • T1082 System Information Discovery (1)
