Overview
overview
10Static
static
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.ps1
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.msi
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.ps1
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
8Ransomware...KB.exe
windows10-2004-x64
10Resubmissions
28-07-2024 16:38
240728-t5tryssgmm 1007-07-2024 14:07
240707-rfgd8atekm 1007-07-2024 14:07
240707-re689awdpe 1013-09-2022 17:54
220913-wg1lpsgbg7 10Analysis
-
max time kernel
1756s -
max time network
1769s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
13-09-2022 17:54
Static task
static1
Behavioral task
behavioral1
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral2
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral4
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral5
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral6
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral7
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral8
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral9
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral10
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral11
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral12
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral13
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral14
Sample
RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral15
Sample
RansomwareSamples/MountLocker_20_11_2020_200KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral16
Sample
RansomwareSamples/Nefilim_31_08_2020_3061KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral17
Sample
RansomwareSamples/Nemty_03_02_2021_124KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral18
Sample
RansomwareSamples/NetWalker_19_10_2020_903KB.ps1
Resource
win10v2004-20220812-en
Behavioral task
behavioral19
Sample
RansomwareSamples/Phoenix_29_03_2021_1930KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral20
Sample
RansomwareSamples/PwndLocker_04_03_2020_17KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral21
Sample
RansomwareSamples/Pysa_08_04_2021_500KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral22
Sample
RansomwareSamples/REvil_07_04_2021_121KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral23
Sample
RansomwareSamples/REvil_08_04_2021_121KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral24
Sample
RansomwareSamples/Ragnar_11_02_2020_40KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral25
Sample
RansomwareSamples/RansomEXX_14_12_2020_156KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral26
Sample
RansomwareSamples/Ranzy_20_11_2020_138KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral27
Sample
RansomwareSamples/Ryuk_21_03_2021_274KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral28
Sample
RansomwareSamples/Sekhmet_30_03_2020_364KB.msi
Resource
win10v2004-20220812-en
Behavioral task
behavioral29
Sample
RansomwareSamples/Sodinokibi_04_07_2019_253KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral30
Sample
RansomwareSamples/SunCrypt_26_01_2021_1422KB.ps1
Resource
win10v2004-20220901-en
Behavioral task
behavioral31
Sample
RansomwareSamples/Thanos_23_03_2021_91KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral32
Sample
RansomwareSamples/Zeppelin_08_03_2021_813KB.exe
Resource
win10v2004-20220812-en
General
-
Target
RansomwareSamples/Nemty_03_02_2021_124KB.exe
-
Size
123KB
-
MD5
78c3c27df6232caa15679c6b72406799
-
SHA1
e439d28b6bb6fd449bddad9cf36c97433a363aed
-
SHA256
a2fe2942436546be34c1f83639f1624cae786ab2a57a29a75f27520792cbf3da
-
SHA512
36dcdaffaef3ea2136cca3386f18ee3f6462aa66c82ef64660e3c300f3d58720a9c742930e2ee8e94c2379fbc7b3e6932dda20b5caa30b1c1f1ef38095aac6f6
-
SSDEEP
3072:xlwfdbiGnmYcAbwc7HNXG8/IEjkeOBeFtEv9VTYnH5upMocGMn7qxR1tMkTJNzn:DwfY2sA0kHFkktN5upMocGMns/lNzn
Malware Config
Extracted
C:\MILIHPEN-INSTRUCT.txt
http://corpleaks.net
http://hxt254aygrsziejn.onion
Signatures
-
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\InitializeEnter.tiff => C:\Users\Admin\Pictures\InitializeEnter.tiff.MILIHPEN Nemty_03_02_2021_124KB.exe File renamed C:\Users\Admin\Pictures\ShowSkip.png => C:\Users\Admin\Pictures\ShowSkip.png.MILIHPEN Nemty_03_02_2021_124KB.exe File opened for modification C:\Users\Admin\Pictures\EditCheckpoint.tiff Nemty_03_02_2021_124KB.exe File renamed C:\Users\Admin\Pictures\EditCheckpoint.tiff => C:\Users\Admin\Pictures\EditCheckpoint.tiff.MILIHPEN Nemty_03_02_2021_124KB.exe File renamed C:\Users\Admin\Pictures\ExitUnprotect.tiff => C:\Users\Admin\Pictures\ExitUnprotect.tiff.MILIHPEN Nemty_03_02_2021_124KB.exe File renamed C:\Users\Admin\Pictures\HideFind.png => C:\Users\Admin\Pictures\HideFind.png.MILIHPEN Nemty_03_02_2021_124KB.exe File opened for modification C:\Users\Admin\Pictures\InitializeEnter.tiff Nemty_03_02_2021_124KB.exe File renamed C:\Users\Admin\Pictures\LimitClear.png => C:\Users\Admin\Pictures\LimitClear.png.MILIHPEN Nemty_03_02_2021_124KB.exe File renamed C:\Users\Admin\Pictures\ConfirmInvoke.raw => C:\Users\Admin\Pictures\ConfirmInvoke.raw.MILIHPEN Nemty_03_02_2021_124KB.exe File opened for modification C:\Users\Admin\Pictures\ExitUnprotect.tiff Nemty_03_02_2021_124KB.exe File renamed C:\Users\Admin\Pictures\GrantPush.png => C:\Users\Admin\Pictures\GrantPush.png.MILIHPEN Nemty_03_02_2021_124KB.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: Nemty_03_02_2021_124KB.exe File opened (read-only) \??\X: Nemty_03_02_2021_124KB.exe File opened (read-only) \??\L: Nemty_03_02_2021_124KB.exe File opened (read-only) \??\M: Nemty_03_02_2021_124KB.exe File opened (read-only) \??\J: Nemty_03_02_2021_124KB.exe File opened (read-only) \??\O: Nemty_03_02_2021_124KB.exe File opened (read-only) \??\P: Nemty_03_02_2021_124KB.exe File opened (read-only) \??\Q: Nemty_03_02_2021_124KB.exe File opened (read-only) \??\U: Nemty_03_02_2021_124KB.exe File opened (read-only) \??\Y: Nemty_03_02_2021_124KB.exe File opened (read-only) \??\B: Nemty_03_02_2021_124KB.exe File opened (read-only) \??\E: Nemty_03_02_2021_124KB.exe File opened (read-only) \??\Z: Nemty_03_02_2021_124KB.exe File opened (read-only) \??\H: Nemty_03_02_2021_124KB.exe File opened (read-only) \??\S: Nemty_03_02_2021_124KB.exe File opened (read-only) \??\T: Nemty_03_02_2021_124KB.exe File opened (read-only) \??\W: Nemty_03_02_2021_124KB.exe File opened (read-only) \??\A: Nemty_03_02_2021_124KB.exe File opened (read-only) \??\F: Nemty_03_02_2021_124KB.exe File opened (read-only) \??\K: Nemty_03_02_2021_124KB.exe File opened (read-only) \??\R: Nemty_03_02_2021_124KB.exe File opened (read-only) \??\V: Nemty_03_02_2021_124KB.exe File opened (read-only) \??\G: Nemty_03_02_2021_124KB.exe File opened (read-only) \??\I: Nemty_03_02_2021_124KB.exe