Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
19-04-2024 18:21
General
-
Target
5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe
-
Size
35KB
-
MD5
70e4b9b7a83473687e5784489d556c87
-
SHA1
1f594456d88591d3a88e1cdd4e93c6c4e59b746c
-
SHA256
5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6
-
SHA512
89878d4a72521a9742fe671979065ea210f7c78975040c28c0c5ec4733d90680d71b45bfe5582baf6e4bc62850777b1b2a68ad8e2dcaf95edc19544622855d2c
-
SSDEEP
768:+8SQb5hyBBIqa1L4SvEUfBNEUuQjreZBLjpKgk:+8SkLq2VrM8EUuoyjp
Malware Config
Signatures
-
Nefilim
Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.
-
Renames multiple (214) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe"C:\Users\Admin\AppData\Local\Temp\5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 3 /nobreak && del "C:\Users\Admin\AppData\Local\Temp\5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe" /s /f /q2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 3 /nobreak3⤵
- Delays execution with timeout.exe
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
84KB
-
Filesize
84KB