nefilim | 2daa5144081dd288c1dc936ec27b1c8bd709633450ceb73f235fccd1c3d3c62e

General

Target

2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe
Size

70KB
MD5

193e702195e8ed5c50cc482569559462
SHA1

47a5307b78fa2c60c20ce63c553aef4a6d5a3e1c
SHA256

2daa5144081dd288c1dc936ec27b1c8bd709633450ceb73f235fccd1c3d3c62e
SHA512

d5ae5a8bccfc08bc07834caaebaed7a6cde1911170eb8de99322bf15be3ad111b5042d6401dcb06e64a6a429eee19d964878089af205474b377b77627bb63a35
SSDEEP

768:lXStkFWTBhyugDC60CPJkEBx9w7mSDh3vkkjvshT3ED18nv04ZPqpb348Uq1krHO:liMWV3gDCk6EBwT/kJbvkbuq1krj0z

Score

10^/10

nefilim ransomware

Malware Config

Signatures

Nefilim
Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.
ransomware nefilim

Modifies extensions of user files 15 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\PushSet.crw => C:\Users\Admin\Pictures\PushSet.crw.NEFILIM	2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe
File opened for modification	C:\Users\Admin\Pictures\StartUnlock.tiff	2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe
File renamed	C:\Users\Admin\Pictures\UnprotectExport.png => C:\Users\Admin\Pictures\UnprotectExport.png.NEFILIM	2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe
File opened for modification	C:\Users\Admin\Pictures\CopyMove.tiff	2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe
File opened for modification	C:\Users\Admin\Pictures\ExitConfirm.tiff	2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe
File renamed	C:\Users\Admin\Pictures\StartUnlock.tiff => C:\Users\Admin\Pictures\StartUnlock.tiff.NEFILIM	2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe
File renamed	C:\Users\Admin\Pictures\RenameRemove.crw => C:\Users\Admin\Pictures\RenameRemove.crw.NEFILIM	2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe
File opened for modification	C:\Users\Admin\Pictures\SendPublish.tiff	2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe
File renamed	C:\Users\Admin\Pictures\SendPublish.tiff => C:\Users\Admin\Pictures\SendPublish.tiff.NEFILIM	2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe
File renamed	C:\Users\Admin\Pictures\CopyMove.tiff => C:\Users\Admin\Pictures\CopyMove.tiff.NEFILIM	2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe
File renamed	C:\Users\Admin\Pictures\ExitConfirm.tiff => C:\Users\Admin\Pictures\ExitConfirm.tiff.NEFILIM	2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe
File renamed	C:\Users\Admin\Pictures\ReceiveDeny.crw => C:\Users\Admin\Pictures\ReceiveDeny.crw.NEFILIM	2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe
File renamed	C:\Users\Admin\Pictures\WaitResume.tif => C:\Users\Admin\Pictures\WaitResume.tif.NEFILIM	2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe
File renamed	C:\Users\Admin\Pictures\InvokeConvertFrom.png => C:\Users\Admin\Pictures\InvokeConvertFrom.png.NEFILIM	2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe
File renamed	C:\Users\Admin\Pictures\ProtectWatch.png => C:\Users\Admin\Pictures\ProtectWatch.png.NEFILIM	2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1040 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1420 timeout.exe

pid	process
1040	cmd.exe

pid	process
1420	timeout.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.execmd.exe

description	pid	process	target process
PID 1048 wrote to memory of 1040	1048	2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe	cmd.exe
PID 1048 wrote to memory of 1040	1048	2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe	cmd.exe
PID 1048 wrote to memory of 1040	1048	2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe	cmd.exe
PID 1048 wrote to memory of 1040	1048	2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe	cmd.exe
PID 1040 wrote to memory of 1420	1040	cmd.exe	timeout.exe
PID 1040 wrote to memory of 1420	1040	cmd.exe	timeout.exe
PID 1040 wrote to memory of 1420	1040	cmd.exe	timeout.exe
PID 1040 wrote to memory of 1420	1040	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe
"C:\Users\Admin\AppData\Local\Temp\2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe"
1⤵
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 3 /nobreak && del "C:\Users\Admin\AppData\Local\Temp\2023-03-02_193e702195e8ed5c50cc482569559462_nefilim.exe" /s /f /q
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads