nefilim | dea93a0cf6e55dcfd1a4b9c10324b0b4edea974cc60878296601e6dc9f16c166

General

Target

5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe
Size

35KB
MD5

70e4b9b7a83473687e5784489d556c87
SHA1

1f594456d88591d3a88e1cdd4e93c6c4e59b746c
SHA256

5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6
SHA512

89878d4a72521a9742fe671979065ea210f7c78975040c28c0c5ec4733d90680d71b45bfe5582baf6e4bc62850777b1b2a68ad8e2dcaf95edc19544622855d2c

Score

10^/10

nefilim ransomware

Malware Config

Extracted

Path

C:\NEFILIM-DECRYPT.txt

Ransom Note

All of your files have been encrypted with military grade algorithms. We ensure that the only way to retrieve your data is with our software. We will make sure you retrieve your data swiftly and securely when our demands are met. Restoration of your data requires a private key which only we possess. A large amount of your private files have been extracted and is kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted. To confirm that our decryption software works email to us 2 files from random computers. You will receive further instructions after you send us the test files. [email protected] [email protected] [email protected]

Emails

[email protected]

Signatures

Nefilim
Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.
ransomware nefilim

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ApproveRedo.tiff	5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe
File renamed	C:\Users\Admin\Pictures\ApproveRedo.tiff => C:\Users\Admin\Pictures\ApproveRedo.tiff.NEFILIM	5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe
File renamed	C:\Users\Admin\Pictures\OutDismount.crw => C:\Users\Admin\Pictures\OutDismount.crw.NEFILIM	5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe
File renamed	C:\Users\Admin\Pictures\RevokeEdit.crw => C:\Users\Admin\Pictures\RevokeEdit.crw.NEFILIM	5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe
File renamed	C:\Users\Admin\Pictures\SwitchCompare.tif => C:\Users\Admin\Pictures\SwitchCompare.tif.NEFILIM	5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe
File renamed	C:\Users\Admin\Pictures\TraceImport.png => C:\Users\Admin\Pictures\TraceImport.png.NEFILIM	5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3288	timeout.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 492 wrote to memory of 3452	492	5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe	80
PID 492 wrote to memory of 3452	492	5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe	80
PID 492 wrote to memory of 3452	492	5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe	80
PID 3452 wrote to memory of 3288	3452	cmd.exe	82
PID 3452 wrote to memory of 3288	3452	cmd.exe	82
PID 3452 wrote to memory of 3288	3452	cmd.exe	82

C:\Users\Admin\AppData\Local\Temp\5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe
"C:\Users\Admin\AppData\Local\Temp\5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe"
1⤵
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 3 /nobreak && del "C:\Users\Admin\AppData\Local\Temp\5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe" /s /f /q
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3288

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads