Analysis
-
max time kernel
61s -
max time network
136s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
26-07-2021 12:59
Static task
static1
Behavioral task
behavioral1
Sample
d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe
Resource
win10v20210408
General
-
Target
d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe
-
Size
70KB
-
MD5
8f90539c405672016c0dec7ac3574eea
-
SHA1
bd59d7c734ca2f9cbaf7f12bc851f7dce94955d4
-
SHA256
d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3
-
SHA512
887131d01da7d7afcff628eb1c81de7b6e6a2bb38167377dd104e175a2fec27d0d1ef0d966b376408d305488e0319b781ff996da3e5be60628088cb369869a94
Malware Config
Extracted
C:\NEFILIM-DECRYPT.txt
Signatures
-
Nefilim
Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.
-
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exedescription ioc process File renamed C:\Users\Admin\Pictures\CheckpointClear.png => C:\Users\Admin\Pictures\CheckpointClear.png.NEFILIM d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe File renamed C:\Users\Admin\Pictures\EnterCopy.crw => C:\Users\Admin\Pictures\EnterCopy.crw.NEFILIM d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe File renamed C:\Users\Admin\Pictures\HideGrant.raw => C:\Users\Admin\Pictures\HideGrant.raw.NEFILIM d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe File renamed C:\Users\Admin\Pictures\JoinPush.crw => C:\Users\Admin\Pictures\JoinPush.crw.NEFILIM d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe File renamed C:\Users\Admin\Pictures\ResetCompress.png => C:\Users\Admin\Pictures\ResetCompress.png.NEFILIM d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe File renamed C:\Users\Admin\Pictures\DisableRegister.tif => C:\Users\Admin\Pictures\DisableRegister.tif.NEFILIM d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe File renamed C:\Users\Admin\Pictures\DismountFind.png => C:\Users\Admin\Pictures\DismountFind.png.NEFILIM d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe File renamed C:\Users\Admin\Pictures\LimitPing.png => C:\Users\Admin\Pictures\LimitPing.png.NEFILIM d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe File renamed C:\Users\Admin\Pictures\MoveOpen.raw => C:\Users\Admin\Pictures\MoveOpen.raw.NEFILIM d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe File renamed C:\Users\Admin\Pictures\ResizeWrite.raw => C:\Users\Admin\Pictures\ResizeWrite.raw.NEFILIM d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe File renamed C:\Users\Admin\Pictures\UseOut.tif => C:\Users\Admin\Pictures\UseOut.tif.NEFILIM d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 4084 timeout.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.execmd.exedescription pid process target process PID 4648 wrote to memory of 3796 4648 d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe cmd.exe PID 4648 wrote to memory of 3796 4648 d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe cmd.exe PID 4648 wrote to memory of 3796 4648 d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe cmd.exe PID 3796 wrote to memory of 4084 3796 cmd.exe timeout.exe PID 3796 wrote to memory of 4084 3796 cmd.exe timeout.exe PID 3796 wrote to memory of 4084 3796 cmd.exe timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe"C:\Users\Admin\AppData\Local\Temp\d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe"1⤵
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 3 /nobreak && del "C:\Users\Admin\AppData\Local\Temp\d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3.sample.exe" /s /f /q2⤵
- Suspicious use of WriteProcessMemory
PID:3796 -
C:\Windows\SysWOW64\timeout.exetimeout /t 3 /nobreak3⤵
- Delays execution with timeout.exe
PID:4084