nefilim | dea93a0cf6e55dcfd1a4b9c10324b0b4edea974cc60878296601e6dc9f16c166 | Triage

Submit
Reports

Overview

overview

Static

static

5ab834f599...c6.exe

windows7-x64

5ab834f599...c6.exe

windows10-2004-x64

Sharing

General

Target

dea93a0cf6e55dcfd1a4b9c10324b0b4edea974cc60878296601e6dc9f16c166
Size

31KB
Sample

240419-wzdjwsbh29
MD5

f86bc4d1c11a104ec3c305ce5ea8278f
SHA1

d9b1a57189493920d4735b4d03dbac475b8c1915
SHA256

dea93a0cf6e55dcfd1a4b9c10324b0b4edea974cc60878296601e6dc9f16c166
SHA512

97b5234052e06b134eaa86ea5e534b1cd16edb69b03bd0909236c87edc044050274102c4165d9c7c6fc591c252bccbb32c251a670b68cb4c03ee0e3d71768c11
SSDEEP

768:hLw6lD/DJe77K0Kq75NXGLKQ7NOB82NxZORYSbAbr9O4:hLwos/SqdtGLKQ70CaxZFSbV4

Score

10^/10

nefilim ransomware upx

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe

Resource

win7-20240220-en

nefilim ransomware upx

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe

Resource

win10v2004-20240412-en

nefilim ransomware upx

windows10-2004-x64

7 signatures

150 seconds

Malware Config

Targets

- Target
  
  5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6
- Size
  
  35KB
- MD5
  
  70e4b9b7a83473687e5784489d556c87
- SHA1
  
  1f594456d88591d3a88e1cdd4e93c6c4e59b746c
- SHA256
  
  5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6
- SHA512
  
  89878d4a72521a9742fe671979065ea210f7c78975040c28c0c5ec4733d90680d71b45bfe5582baf6e4bc62850777b1b2a68ad8e2dcaf95edc19544622855d2c
- SSDEEP
  
  768:+8SQb5hyBBIqa1L4SvEUfBNEUuQjreZBLjpKgk:+8SkLq2VrM8EUuoyjp
Score

10^/10

nefilim ransomware upx
- Nefilim
  Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.
  ransomware nefilim
- Renames multiple (214) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

nefilimransomwareupx

behavioral2

nefilimransomwareupx

© 2018-2024

Terms | Privacy