Analysis
max time kernel: 29s
max time network: 136s
platform: windows10_x64
resource: win10v20201028
submitted: 12-11-2020 06:20
Behavioral task: behavioral1
Sample: 5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe
Resource: win7v20201028

Behavioral task: behavioral2
Sample: 5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe
Resource: win10v20201028
General
Target: 5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe
Size: 35KB
MD5: 70e4b9b7a83473687e5784489d556c87
SHA1: 1f594456d88591d3a88e1cdd4e93c6c4e59b746c
SHA256: 5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6
SHA512: 89878d4a72521a9742fe671979065ea210f7c78975040c28c0c5ec4733d90680d71b45bfe5582baf6e4bc62850777b1b2a68ad8e2dcaf95edc19544622855d2c
Malware Config
Extracted from: C:\NEFILIM-DECRYPT.txt
Signatures

Nefilim
Ransomware first seen in early 2020 that shares code with the Nemty family; rewritten in Golang in July 2020.

Modifies extensions of user files (6 IoCs)
Ransomware generally changes the extension on encrypted files. All six events below were performed by 5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe; the appended extension is .NEFILIM and the original extension is kept.
- File opened for modification: C:\Users\Admin\Pictures\ApproveRedo.tiff
- File renamed: C:\Users\Admin\Pictures\ApproveRedo.tiff => C:\Users\Admin\Pictures\ApproveRedo.tiff.NEFILIM
- File renamed: C:\Users\Admin\Pictures\OutDismount.crw => C:\Users\Admin\Pictures\OutDismount.crw.NEFILIM
- File renamed: C:\Users\Admin\Pictures\RevokeEdit.crw => C:\Users\Admin\Pictures\RevokeEdit.crw.NEFILIM
- File renamed: C:\Users\Admin\Pictures\SwitchCompare.tif => C:\Users\Admin\Pictures\SwitchCompare.tif.NEFILIM
- File renamed: C:\Users\Admin\Pictures\TraceImport.png => C:\Users\Admin\Pictures\TraceImport.png.NEFILIM

Delays execution with timeout.exe (1 IoC)
- PID 3288: timeout.exe

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 492 (5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe) wrote to memory of PID 3452, procid_target 80 (logged 3 times)
- PID 3452 (cmd.exe) wrote to memory of PID 3288, procid_target 82 (logged 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe (PID 492)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe"
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3452)
    Command line: "C:\Windows\System32\cmd.exe" /c timeout /t 3 /nobreak && del "C:\Users\Admin\AppData\Local\Temp\5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe" /s /f /q
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (PID 3288)
      Command line: timeout /t 3 /nobreak
      - Delays execution with timeout.exe

Two points worth noting from this tree. The command line asks for C:\Windows\System32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe, which is WOW64 file system redirection at work: the sample is a 32-bit process, so its System32 path is transparently redirected. Second, the child chain is the sample's cleanup: timeout waits three seconds so the parent can exit and release its file lock, then del /f /q removes the original executable from disk (/s would also remove any same-named copies in subdirectories), so the binary has to be recovered from the submission rather than from the analysis VM's Temp directory.
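As an added example (not part of this sandbox report or of the sandbox's own signature engine), the following Python turns the two behaviours recorded above into detection logic over sandbox-style events: a single process appending one new extension to many user files, and a child cmd.exe whose command line delays with timeout and then deletes its parent's own image. The event lists are constructed inline from the rename and process entries in this report; the benign rename for PID 1234 and the threshold of three renames are assumptions added for illustration.

```python
import re
from collections import Counter

# Constructed from the rename and process entries in the report above; the
# benign rename for PID 1234 is invented for contrast and is not in the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe")

PICS = r"C:\Users\Admin\Pictures"
RENAMES = [  # (pid, old path, new path)
    (492, PICS + r"\ApproveRedo.tiff", PICS + r"\ApproveRedo.tiff.NEFILIM"),
    (492, PICS + r"\OutDismount.crw", PICS + r"\OutDismount.crw.NEFILIM"),
    (492, PICS + r"\RevokeEdit.crw", PICS + r"\RevokeEdit.crw.NEFILIM"),
    (492, PICS + r"\SwitchCompare.tif", PICS + r"\SwitchCompare.tif.NEFILIM"),
    (492, PICS + r"\TraceImport.png", PICS + r"\TraceImport.png.NEFILIM"),
    (1234, r"C:\Users\Admin\Documents\notes.txt", r"C:\Users\Admin\Documents\notes-old.txt"),
]

PROCESSES = {  # pid -> parent pid, image path actually executed, command line as logged
    492: {"parent": None, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    3452: {"parent": 492, "image": r"C:\Windows\SysWOW64\cmd.exe",
           "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c timeout /t 3 /nobreak && del "'
                      + SAMPLE + '" /s /f /q'},
    3288: {"parent": 3452, "image": r"C:\Windows\SysWOW64\timeout.exe",
           "cmdline": "timeout /t 3 /nobreak"},
}


def appended_extension(old, new):
    """Return the extension appended to `old` to form `new`, else None.
    Only ransomware-style renames count: the full original name, including
    its extension, must survive as a prefix of the new name."""
    if new.lower().startswith(old.lower() + ".") and len(new) > len(old) + 1:
        return new[len(old) + 1:]
    return None


def mass_rename_hits(renames, threshold=3):
    """Map (pid, EXTENSION) -> count for processes that appended the same
    extension to at least `threshold` files (threshold is an assumed tuning value)."""
    counts = Counter()
    for pid, old, new in renames:
        ext = appended_extension(old, new)
        if ext is not None:
            counts[(pid, ext.upper())] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


DEL_RE = re.compile(r'\bdel\s+"([^"]+)"', re.IGNORECASE)
TIMEOUT_RE = re.compile(r"\btimeout\s+/t\s+(\d+)", re.IGNORECASE)


def self_delete_hits(procs):
    """Find child processes whose command line deletes the parent's own image,
    recording any timeout delay that precedes the delete (the sample's cleanup)."""
    hits = []
    for pid, proc in procs.items():
        parent = procs.get(proc["parent"])
        if parent is None:
            continue
        m = DEL_RE.search(proc["cmdline"])
        if not m or m.group(1).lower() != parent["image"].lower():
            continue
        t = TIMEOUT_RE.search(proc["cmdline"])
        hits.append({"pid": pid, "parent_pid": proc["parent"], "target": m.group(1),
                     "delay_seconds": int(t.group(1)) if t else None})
    return hits


if __name__ == "__main__":
    for (pid, ext), n in mass_rename_hits(RENAMES).items():
        print(f"PID {pid} appended .{ext} to {n} files")
    for hit in self_delete_hits(PROCESSES):
        print(f"PID {hit['pid']} deletes image of parent {hit['parent_pid']} after "
              f"{hit['delay_seconds']}s: {hit['target']}")
```

The self-delete check compares the del target against the parent's image path on disk rather than against the parent's command line, which is why the SysWOW64 versus System32 difference seen in the process tree does not matter here: the sample's own path is not subject to redirection. Run against the constructed events, the rename rule reports PID 492 appending .NEFILIM to five files and ignores the benign rename, and the self-delete rule reports PID 3452 removing the sample after a 3-second delay.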