nefilim | bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb

General

Target

bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe
Size

36KB
MD5

644b931e6a016a6146ebe8068f68e4cb
SHA1

87e2ad3e9f1ae9e1340fb3c70013fd6b508e2364
SHA256

bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb
SHA512

683152462a60d24dd9151754ebc5184a4753afbfeb4a86f74d5d815ae1d3738631bd8f89c51fe56b31ddc14a590579233a0a1a5562ba49e5486387be3bb989ba

Score

10^/10

nefilim ransomware

Malware Config

Extracted

Path

C:\NEFILIM-DECRYPT.txt

Ransom Note

All of your files have been encrypted with military grade algorithms. We ensure that the only way to retrieve your data is with our software. We will make sure you retrieve your data swiftly and securely when our demands are met. Restoration of your data requires a private key which only we possess. A large amount of your private files have been extracted and is kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted. To confirm that our decryption software works email to us 2 files from random computers. You will receive further instructions after you send us the test files. [email protected] [email protected] [email protected]

Emails

[email protected]

Signatures

Nefilim
Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.
ransomware nefilim

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\DenyUnregister.raw => C:\Users\Admin\Pictures\DenyUnregister.raw.NEFILIM	bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe
File opened for modification	C:\Users\Admin\Pictures\DismountSubmit.tiff	bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeRepair.tiff	bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe
File renamed	C:\Users\Admin\Pictures\MeasureSelect.raw => C:\Users\Admin\Pictures\MeasureSelect.raw.NEFILIM	bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe
File renamed	C:\Users\Admin\Pictures\UnregisterMount.crw => C:\Users\Admin\Pictures\UnregisterMount.crw.NEFILIM	bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe
File renamed	C:\Users\Admin\Pictures\AssertInstall.tif => C:\Users\Admin\Pictures\AssertInstall.tif.NEFILIM	bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe
File renamed	C:\Users\Admin\Pictures\CompressRestart.tif => C:\Users\Admin\Pictures\CompressRestart.tif.NEFILIM	bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe
File renamed	C:\Users\Admin\Pictures\DisconnectPop.tif => C:\Users\Admin\Pictures\DisconnectPop.tif.NEFILIM	bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe
File renamed	C:\Users\Admin\Pictures\EnableSuspend.png => C:\Users\Admin\Pictures\EnableSuspend.png.NEFILIM	bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe
File renamed	C:\Users\Admin\Pictures\ExpandRegister.png => C:\Users\Admin\Pictures\ExpandRegister.png.NEFILIM	bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe
File renamed	C:\Users\Admin\Pictures\MountRegister.tif => C:\Users\Admin\Pictures\MountRegister.tif.NEFILIM	bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe
File renamed	C:\Users\Admin\Pictures\DismountSubmit.tiff => C:\Users\Admin\Pictures\DismountSubmit.tiff.NEFILIM	bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe
File renamed	C:\Users\Admin\Pictures\InitializeRepair.tiff => C:\Users\Admin\Pictures\InitializeRepair.tiff.NEFILIM	bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe
File renamed	C:\Users\Admin\Pictures\ReadMount.tif => C:\Users\Admin\Pictures\ReadMount.tif.NEFILIM	bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1396 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1464 timeout.exe

pid	process
1396	cmd.exe

pid	process
1464	timeout.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.execmd.exe

description	pid	process	target process
PID 1576 wrote to memory of 1396	1576	bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe	cmd.exe
PID 1576 wrote to memory of 1396	1576	bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe	cmd.exe
PID 1576 wrote to memory of 1396	1576	bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe	cmd.exe
PID 1576 wrote to memory of 1396	1576	bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe	cmd.exe
PID 1396 wrote to memory of 1464	1396	cmd.exe	timeout.exe
PID 1396 wrote to memory of 1464	1396	cmd.exe	timeout.exe
PID 1396 wrote to memory of 1464	1396	cmd.exe	timeout.exe
PID 1396 wrote to memory of 1464	1396	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe
"C:\Users\Admin\AppData\Local\Temp\bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe"
1⤵
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 3 /nobreak && del "C:\Users\Admin\AppData\Local\Temp\bc1b0daa577dc2cc96cc24512d13267773d0b6c8ce0e768db41aa0ec00f128eb.exe" /s /f /q
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1576-55-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing