nefilim | dea93a0cf6e55dcfd1a4b9c10324b0b4edea974cc60878296601e6dc9f16c166

General

Target

5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe
Size

35KB
MD5

70e4b9b7a83473687e5784489d556c87
SHA1

1f594456d88591d3a88e1cdd4e93c6c4e59b746c
SHA256

5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6
SHA512

89878d4a72521a9742fe671979065ea210f7c78975040c28c0c5ec4733d90680d71b45bfe5582baf6e4bc62850777b1b2a68ad8e2dcaf95edc19544622855d2c

Score

10^/10

nefilim ransomware

Malware Config

Extracted

Path

C:\NEFILIM-DECRYPT.txt

Ransom Note

All of your files have been encrypted with military grade algorithms. We ensure that the only way to retrieve your data is with our software. We will make sure you retrieve your data swiftly and securely when our demands are met. Restoration of your data requires a private key which only we possess. A large amount of your private files have been extracted and is kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted. To confirm that our decryption software works email to us 2 files from random computers. You will receive further instructions after you send us the test files. [email protected] [email protected] [email protected]

Emails

[email protected]

Signatures

Nefilim
Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.
ransomware nefilim

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
284	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
1088	timeout.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.execmd.exe

description	pid	Process	procid_target
PID 1916 wrote to memory of 284	1916	5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe	30
PID 1916 wrote to memory of 284	1916	5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe	30
PID 1916 wrote to memory of 284	1916	5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe	30
PID 1916 wrote to memory of 284	1916	5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe	30
PID 284 wrote to memory of 1088	284	cmd.exe	32
PID 284 wrote to memory of 1088	284	cmd.exe	32
PID 284 wrote to memory of 1088	284	cmd.exe	32
PID 284 wrote to memory of 1088	284	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe
"C:\Users\Admin\AppData\Local\Temp\5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 3 /nobreak && del "C:\Users\Admin\AppData\Local\Temp\5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe" /s /f /q
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:284
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1088

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads