nefilim | 56079f3294f7d1e2b24c420d14d0562b25dd14857bac7c12ff57736b897b7d33

General

Target

fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
Size

3.3MB
MD5

68bb371accb1bc914675c0ab626a9019
SHA1

802a5fc4f1fdfae4a8cf99a4544c191641f9bceb
SHA256

fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7
SHA512

d72af358decda2f2caf1a7f1f6d83d457e0c6156753362a9ae1d3118dbb7706acff019be160028045ca2d22281fae4abf0ffdb6f27680cade0ade634e42bf84f
SSDEEP

49152:Nr9+Z4T+qn3bYXIFgY7LUvRL5PXwTvewrPiRnmUf:59+Z0nnFTUXCb

Score

10^/10

nefilim ransomware

Malware Config

Signatures

Nefilim
Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.
ransomware nefilim

Modifies extensions of user files 11 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\EnterStep.crw => C:\Users\Admin\Pictures\EnterStep.crw.NEFILIM	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Pictures\FormatMount.tiff	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File renamed	C:\Users\Admin\Pictures\FormatMount.tiff => C:\Users\Admin\Pictures\FormatMount.tiff.NEFILIM	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File renamed	C:\Users\Admin\Pictures\NewCompare.crw => C:\Users\Admin\Pictures\NewCompare.crw.NEFILIM	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File renamed	C:\Users\Admin\Pictures\RestoreOut.raw => C:\Users\Admin\Pictures\RestoreOut.raw.NEFILIM	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File renamed	C:\Users\Admin\Pictures\SwitchProtect.tif => C:\Users\Admin\Pictures\SwitchProtect.tif.NEFILIM	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File renamed	C:\Users\Admin\Pictures\UnregisterReceive.raw => C:\Users\Admin\Pictures\UnregisterReceive.raw.NEFILIM	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File renamed	C:\Users\Admin\Pictures\WritePublish.png => C:\Users\Admin\Pictures\WritePublish.png.NEFILIM	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Pictures\BlockConvertFrom.tiff	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File renamed	C:\Users\Admin\Pictures\BlockConvertFrom.tiff => C:\Users\Admin\Pictures\BlockConvertFrom.tiff.NEFILIM	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File renamed	C:\Users\Admin\Pictures\SplitNew.tif => C:\Users\Admin\Pictures\SplitNew.tif.NEFILIM	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe

Drops desktop.ini file(s) 26 IoCs

Processes:

fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2629973501-4017243118-3254762364-1000\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
File opened for modification	C:\Users\Public\desktop.ini	fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe

C:\Users\Admin\AppData\Local\Temp\fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe
"C:\Users\Admin\AppData\Local\Temp\fb3f622cf5557364a0a3abacc3e9acf399b3631bf3630acb8132514c486751e7.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
PID:1084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2629973501-4017243118-3254762364-1000\desktop.ini
Filesize
648B

MD5
0e52e7fcb20a6f08fcb4d0bc06019d50

SHA1
3df06afdc3d38488957e7d92cf2fb2c08b260714

SHA256
f49b834b97e0074333efa76850763dc3fe68143b1c17041eb569fcd601daedbd

SHA512
eaa01a125534b972a82cc7f3459e4039bcffdcc5857f8894385573f20668bccd4f6d367356125b336c69f7b5f0f53d78183f673704f05d7d1b900cc4f4f1fd67

Download Submit

Analysis

Sharing