nefilim | 56079f3294f7d1e2b24c420d14d0562b25dd14857bac7c12ff57736b897b7d33

General

Target

fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
Size

3.3MB
MD5

68bb371accb1bc914675c0ab626a9019
SHA1

802a5fc4f1fdfae4a8cf99a4544c191641f9bceb
SHA256

fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7
SHA512

d72af358decda2f2caf1a7f1f6d83d457e0c6156753362a9ae1d3118dbb7706acff019be160028045ca2d22281fae4abf0ffdb6f27680cade0ade634e42bf84f
SSDEEP

49152:Nr9+Z4T+qn3bYXIFgY7LUvRL5PXwTvewrPiRnmUf:59+Z0nnFTUXCb

Score

10^/10

nefilim ransomware

Malware Config

Signatures

Nefilim
Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.
ransomware nefilim

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ConfirmShow.crw => C:\Users\Admin\Pictures\ConfirmShow.crw.NEFILIM	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File renamed	C:\Users\Admin\Pictures\MeasurePop.tiff => C:\Users\Admin\Pictures\MeasurePop.tiff.NEFILIM	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File renamed	C:\Users\Admin\Pictures\MountRegister.raw => C:\Users\Admin\Pictures\MountRegister.raw.NEFILIM	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File renamed	C:\Users\Admin\Pictures\RedoClose.raw => C:\Users\Admin\Pictures\RedoClose.raw.NEFILIM	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File renamed	C:\Users\Admin\Pictures\CheckpointRemove.crw => C:\Users\Admin\Pictures\CheckpointRemove.crw.NEFILIM	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File renamed	C:\Users\Admin\Pictures\ExportUnblock.tiff => C:\Users\Admin\Pictures\ExportUnblock.tiff.NEFILIM	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File renamed	C:\Users\Admin\Pictures\ResolveGet.tif => C:\Users\Admin\Pictures\ResolveGet.tif.NEFILIM	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File renamed	C:\Users\Admin\Pictures\UseReset.crw => C:\Users\Admin\Pictures\UseReset.crw.NEFILIM	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File renamed	C:\Users\Admin\Pictures\CompareSuspend.png => C:\Users\Admin\Pictures\CompareSuspend.png.NEFILIM	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Pictures\ExportUnblock.tiff	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File renamed	C:\Users\Admin\Pictures\JoinDismount.raw => C:\Users\Admin\Pictures\JoinDismount.raw.NEFILIM	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Pictures\MeasurePop.tiff	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File renamed	C:\Users\Admin\Pictures\RestartSkip.tif => C:\Users\Admin\Pictures\RestartSkip.tif.NEFILIM	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File renamed	C:\Users\Admin\Pictures\UpdateUndo.crw => C:\Users\Admin\Pictures\UpdateUndo.crw.NEFILIM	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe

Drops desktop.ini file(s) 27 IoCs

Processes:

fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Public\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe

C:\Users\Admin\AppData\Local\Temp\fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
"C:\Users\Admin\AppData\Local\Temp\fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
PID:1100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\desktop.ini

Filesize
648B

MD5
87696fa020d8540953f0907003b77be4

SHA1
61442b02f6a1efc27f28ee8b50aa226b0e840bfd

SHA256
22f4d48e11c12e9f805d5b191b1aa690686d113574b550e08113eb49af038435

SHA512
0c9cd09faa67fec1c6440d828e37512ed098278b72fb9f843040f79b43ee03f57635a92bd13928bff2cde58fdcd5aa54298b9367000de0159e0ffecf27cfbf7d

Download Submit

Analysis

Sharing