nefilim | 52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea

Analysis

max time kernel
129s
max time network
117s
platform
windows7_x64
resource
win7-en-20211208
submitted
31-01-2022 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe
Size

4.2MB
MD5

80cfda61942eb4e71f286297a1158f48
SHA1

6c9ae388fa5d723a458de0d2bea3eb63bc921af7
SHA256

52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea
SHA512

5e02f22c9c367d2111d4b1a6000691286da04c52aae9fd7b716b0911e31256aa679ac227d24443bfd75450b1dd7f9c20eae0593d1fc42324b9281852e20fcbe7

Score

10^/10

nefilim persistence pyinstaller ransomware

Malware Config

Extracted

Path

C:\NEFILIM-DECRYPT.txt

Ransom Note

All of your files have been encrypted with military grade algorithms. We ensure that the only way to retrieve your data is with our software. We will make sure you retrieve your data swiftly and securely when our demands are met. Restoration of your data requires a private key which only we possess. A large amount of your private files have been extracted and is kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted. To confirm that our decryption software works email to us 2 files from random computers. You will receive further instructions after you send us the test files. [email protected] [email protected] [email protected]

Emails

[email protected]

Signatures

Nefilim
Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.
ransomware nefilim

Nefilim Ransomware Executable 5 IoCs

File contains patterns typical of Nefilim samples.

resource	yara_rule
behavioral1/files/0x0008000000012284-70.dat	nefilim_ransomware
behavioral1/files/0x0008000000012284-72.dat	nefilim_ransomware
behavioral1/files/0x0008000000012284-71.dat	nefilim_ransomware
behavioral1/files/0x0008000000012284-74.dat	nefilim_ransomware
behavioral1/files/0x0008000000012284-75.dat	nefilim_ransomware

Executes dropped EXE 3 IoCs

pid	Process
520	inj.exe
848	inj.exe
968	COVID-~1.EXE

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\InvokeUnblock.tif => C:\Users\Admin\Pictures\InvokeUnblock.tif.NEFILIM	COVID-~1.EXE
File renamed	C:\Users\Admin\Pictures\RevokeEnter.tif => C:\Users\Admin\Pictures\RevokeEnter.tif.NEFILIM	COVID-~1.EXE

Loads dropped DLL 10 IoCs

pid	Process
1876	52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe
1876	52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe
520	inj.exe
520	inj.exe
848	inj.exe
848	inj.exe
848	inj.exe
1876	52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe
1876	52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe
968	COVID-~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe

Detects Pyinstaller 8 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000900000001227a-55.dat	pyinstaller
behavioral1/files/0x000900000001227a-56.dat	pyinstaller
behavioral1/files/0x000900000001227a-57.dat	pyinstaller
behavioral1/files/0x000900000001227a-59.dat	pyinstaller
behavioral1/files/0x000900000001227a-60.dat	pyinstaller
behavioral1/files/0x000900000001227a-61.dat	pyinstaller
behavioral1/files/0x000900000001227a-62.dat	pyinstaller
behavioral1/files/0x000900000001227a-64.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1592	timeout.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 903a919cfd16d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000bfa717463ba34cfaddb3f783603060f54ad451dfde61e7651277955e95e56e3a000000000e800000000200002000000017858ea5986a50122d285ed1d73bfd5fbb0d165edfe2aa2357ba8203aa0a540590000000b10f8cc8502beef5a24875ad9b3dcb14f0e4bd1207dcc30f1afaab9c9901d38f9af12614b0e63ad9675bc3be4c3ee647b855c4ca25c4670c8ab8be57a520fc5fef0fade3b14ac59460756858f4a21247d4d3b5ea02acda4d5937a9996dff9cfe02594e4db78959cdeded251987590c06226d50ded3f8c1f1a7811e853f757f378968016e3f9afefe9158e333252fba8f400000005250495c0431a92671a43d0cf0f4a8dc594dabd38259c973a9cceaddf9e33aa61f9c5f2bc50a153221dff6e8f9c4d6e4b0e806c19ef9cbd44bf4f57dbb3f9e41	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9EE3DCD1-82F0-11EC-A43E-5267F457BC0C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "350438038"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000ebe1d87cb325e2299f67955437a2f20a171f27c4eeed785633bce8a688cae9ff000000000e800000000200002000000069ff61fa623fc2ce76dd6b15b20e89a46d87c30b606e0a92e204faa6a072a1ae2000000041c3a2c62e10529da38200e200a6aa7eba9f1f29c4a63690c77317433fe6cead40000000d1e45f7c22058ccf7ec8192481e7cab17556d161b75ad20ed5892c2454cbf313a5607d85f33f0e390e750b58d0e5ce8bfc65a1964a66fe7c932e327359fe96c9	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1272	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1272	iexplore.exe
1272	iexplore.exe
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 520	1876	52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe	27
PID 1876 wrote to memory of 520	1876	52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe	27
PID 1876 wrote to memory of 520	1876	52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe	27
PID 1876 wrote to memory of 520	1876	52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe	27
PID 1876 wrote to memory of 520	1876	52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe	27
PID 1876 wrote to memory of 520	1876	52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe	27
PID 1876 wrote to memory of 520	1876	52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe	27
PID 520 wrote to memory of 848	520	inj.exe	28
PID 520 wrote to memory of 848	520	inj.exe	28
PID 520 wrote to memory of 848	520	inj.exe	28
PID 520 wrote to memory of 848	520	inj.exe	28
PID 520 wrote to memory of 848	520	inj.exe	28
PID 520 wrote to memory of 848	520	inj.exe	28
PID 520 wrote to memory of 848	520	inj.exe	28
PID 848 wrote to memory of 1272	848	inj.exe	29
PID 848 wrote to memory of 1272	848	inj.exe	29
PID 848 wrote to memory of 1272	848	inj.exe	29
PID 848 wrote to memory of 1272	848	inj.exe	29
PID 848 wrote to memory of 1272	848	inj.exe	29
PID 848 wrote to memory of 1272	848	inj.exe	29
PID 848 wrote to memory of 1272	848	inj.exe	29
PID 1272 wrote to memory of 1160	1272	iexplore.exe	31
PID 1272 wrote to memory of 1160	1272	iexplore.exe	31
PID 1272 wrote to memory of 1160	1272	iexplore.exe	31
PID 1272 wrote to memory of 1160	1272	iexplore.exe	31
PID 1272 wrote to memory of 1160	1272	iexplore.exe	31
PID 1272 wrote to memory of 1160	1272	iexplore.exe	31
PID 1272 wrote to memory of 1160	1272	iexplore.exe	31
PID 1876 wrote to memory of 968	1876	52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe	33
PID 1876 wrote to memory of 968	1876	52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe	33
PID 1876 wrote to memory of 968	1876	52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe	33
PID 1876 wrote to memory of 968	1876	52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe	33
PID 1876 wrote to memory of 968	1876	52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe	33
PID 1876 wrote to memory of 968	1876	52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe	33
PID 1876 wrote to memory of 968	1876	52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe	33
PID 968 wrote to memory of 1084	968	COVID-~1.EXE	36
PID 968 wrote to memory of 1084	968	COVID-~1.EXE	36
PID 968 wrote to memory of 1084	968	COVID-~1.EXE	36
PID 968 wrote to memory of 1084	968	COVID-~1.EXE	36
PID 968 wrote to memory of 1084	968	COVID-~1.EXE	36
PID 968 wrote to memory of 1084	968	COVID-~1.EXE	36
PID 968 wrote to memory of 1084	968	COVID-~1.EXE	36
PID 1084 wrote to memory of 1592	1084	cmd.exe	38
PID 1084 wrote to memory of 1592	1084	cmd.exe	38
PID 1084 wrote to memory of 1592	1084	cmd.exe	38
PID 1084 wrote to memory of 1592	1084	cmd.exe	38
PID 1084 wrote to memory of 1592	1084	cmd.exe	38
PID 1084 wrote to memory of 1592	1084	cmd.exe	38
PID 1084 wrote to memory of 1592	1084	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe
"C:\Users\Admin\AppData\Local\Temp\52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inj.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inj.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inj.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inj.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://199.204.251.210/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1272
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1272 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1160
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COVID-~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COVID-~1.EXE
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 3 /nobreak && del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COVID-~1.EXE" /s /f /q
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1876-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads